Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux

Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux

Summary: A new cross-platform Trojan downloader has been discovered. It detects if you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform.

SHARE:

Update - Cross-platform Trojan attacks Windows, Intel Macs, Linux

Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux

Remember the cross-platform malware that exploited Java to attack both PCs and Macs? Well here's a better one for you: a Trojan downloader that checks your operating system so it can pick which malware to download onto your computer.

The new Web-based social engineering attack, first detected on a compromised website in Colombia, relies on a malicious Java applet to install backdoors on Windows, Mac, and Linux computers. When you first visit such a compromised site, you are prompted to install the Java applet, which unsurprisingly hasn't been signed with a certificate. If you do so, the applet checks which operating system you have (Windows, Mac OS X, or Linux) and then drops a corresponding Trojan for your platform.

F-Secure, which first found the Web exploit, detects the initial malware as Trojan-Downloader:Java/GetShell.A. The respective payloads for Windows, Mac, and Linux are detected as follows: Backdoor:W32/GetShell.A, Backdoor:OSX/GetShell.A (PowerPC binary, requires Rosetta on an Intel-based platform), and Backdoor:Linux/GetShell.A.

All three of them have one purpose: to connect to a Command and Control (C&C) server and await further instructions. These typically include downloading additional malware and executing it. The security company did note, however, that ever since it began monitoring this particular attack, the C&C server hasn't pushed any additional code. That being said, it could technically do so at any time.

It appears that the Trojan downloader was written using the Social-Engineer Toolkit (SET), an open-source and publicly-available Python tool designed for penetration testing. It is very unlikely that this is a penetration test.

Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. It shouldn't surprise you that Java is being used: the platform has loads of security holes, and it runs on all the major operating systems.

Update - Cross-platform Trojan attacks Windows, Intel Macs, Linux

See also:

Topics: Security, Apple, Linux, Malware, Microsoft, Operating Systems, Windows

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

64 comments
Log in or register to join the discussion
  • Rule 1

    If you didn’t go looking for it, don’t install it!
    daikon
    • Rule 2

      If you don't absolutely need it, don't install Java. If it is installed, uninstall it.

      Unfortunately, too many programs still use Java....
      Splork
      • Maybe in the enterprise...

        Very few consumer apps use Java anymore, except the malware hole that is Linux, er, Android, and maybe a few Facebook spyware games. On consumer systems - the systems that are less likely to be locked down, but still are often not up-to-date for third-party utilities like this - Java should be removed.
        Joe_Raby
        • ....and I forgot to include.

          Java ads.

          This is where a lot of legitimate websites get poisoned, and CBS isn't immune either. Over the last year, I've recorded at least 7 times that CBS has had poisoned ads. As far as which ones were Java, I can't say for certain, but some sites like Facebook, and Google's ad network still allow Java ads.
          Joe_Raby
          • Java is defintely not the problem here

            Unfortunately too many programs still use C... which is FAR more problematic than Java to to its inherently unsafe programming model, and the way programs written in C are installed.

            The Java VM machine is rock solid. The problem here is unrelated : people accept to run programs that are not even signed by any author. The problem is social, not technical, because Java properly reports that the Java applet is not signed and may be unsafe.

            Do you remember what your banks are saying when navigating the internet : look for the keylock icon. Becaues it uses strong digital signatures that prevents someone of pretending he is safe or is the real person he advertizes when trying to socialize with you.

            There is aboslutely NO technical solution to prevent malwares trying to convince users with social tricks. The unsafe part of any system is always the human. Education can help. Technical ools can help you too, provided that users follow the indications given by their platform.

            Java has MUCH less problem as a platform than any other technical platform. And even if you look at the code above, what does it do ? Just trying to guess which kind of platform you have. It is not dangerous by itself because that detected platform will be the real target and must be protected too, also by technical barriers, but also by the same education of users to NOT trust software that are not identifiable to a precise source.

            This does not mean that softwares won't have security holes. But Java is certainly the platform that is the most immune to these holes. And where security has always been part of its core design (it's definitely not the case with C, wherre the security is only dependant on the skills and knowledge of a programmer, which may no longer be available, and where he was never helped to secure his programs to detect and close the security holes).

            Flash (Macromedia/Adobe) is also nother compouting platform that is full of bugs and security holes since always. It is also a vector of many attacks, and still many people want it (and they refuse to buy a smartphone that does not have it builtin). Who is to complain ? Users certainly, because whatever we can explain them, they always think that nothing will happen to them, or they think they are protected only because they use an antivirus.

            Users refuse to see that they are highly vulnerable to socialization technics (see by yourself how they accept to publish everything about their private life in Facebook : this is dramatic ! And malware authors perfectly know that fact).

            If you don't trust Java, you should not even trust any PC or smartphone and return to the age of paper and pen. And still with this method, you'll still be exposed to abuses by people stealing you by forcing you to sign abusive contracts, or paying for a service without knowing with who they are signing, or not reading the contracts, or acceptingf contracts that are completely unreadable. They also leave their door open, only because they trust their neighbors without questioning. They leave their home or car keys under the carpet (they think that nobody will look there or will never see them "hiding" their keys below the carpet).

            Java is not a problem, in fact it helps securing a lot of things with minimal efforts (both from the programmers and from the final user). But it cannot solve humane problems.
            PhilippeV
          • Java isn't rock solid

            Although it's also not full of holes in the way Flash is.

            Preferably people would use click-to-play options like that which NoScript and Adblock for Firefox provides, and most Android browsers.

            And never click something you weten't looking for!
            Natanael_L
          • Nothing is Rock Solid

            but in this case as in most cases of Web based attacks Java cannot code for carelessness. It can only advise you that what you are doing is stupid it can't stop you from doing stupid things.
            Chris Powers
        • @the hole specialist

          >>except the malware hole that is Linux, er, Android
          Is it the same malware hole where unlike very secure and user friendly every app is run with a unique uid and manifests all its permissions to be examined prior to installation?
          eulampius
        • Android has no Java Runtime Environment

          Nor does it support Java ME. Google used Apache Harmony (now dead) for Dalvik.

          This is strictly a desktop Linux issue. And only if one's system has a JRE installed and Java plug-in enabled in one's web browser.
          Rabid Howler Monkey
          • doesn't run by any number of clicks

            Most of distros are not set up to run an app by double-clicking on an executable (esp. out of email client, for a web browser an enforced apparmor profile would make it very hard) . As for java plugins and jre, these should not be on the grandpa-grandma's computers in the first place (an appromor profile will mitigate the risk again).
            You can also install flash blocker noscript plugins (to not make them suffer from someone's poor javascript code consuming the machine's resources and ads), forbid the users to use anything outside of the applications. At the same time a minimum apparmor profile would be a nice double check.
            eulampius
          • Grandpa bought the Linux PC as a result of reading Parade magazine

            And grandpa really doesn't know much more about Linux than what the Parade magazine article stated.

            Just extract a zip archive and the perl script will be marked as an executable. And it really doesn't matter as the first of two clicks will do the trick. It worked fine for me using Debian stable, Xfce4, Squeeze and Thunar.

            As for Java, some distros (e.g., Ubuntu, Linux Mint) ship with a JRE installed and the Java plug-in enabled in the default web browser. Why? Some web sites still require Java on the client.

            The Firefox browser, the most common default for Linux distros, does not come with the add-ons you mention (i.e., FlashBlock, NoScript) installed. And Grandpa doesn't know anything about them anyway. Nor does Grandpa know anything about AppArmor.
            Rabid Howler Monkey
          • Then Grandpa needs to be better educated

            ^^this isn't as valid an excuse anymore. Many seniors are beginning to become aware that they just can't blindly click when using computers. My mom, who is in her mid 60s and who is becoming more and more security-savvy each year, knows not to blindly trust something like that. How? I taught her to not fall for such tricks. Ignorance can be fought by educating the users, no matter how old they are. So, if your grandfather will fall for this trick, tell him about the flash- and java-blocking browser apps so that he'll know (and if he has issues, do it for him).
            unixfool@...
          • ZDNET is defenitely NOT secure... but you trust it anyway in this forum.

            If you have successfully posted a message here on ZDNET, it means that you have accepted to be tracked by a dozen of external companies (most of them not saying to you they they are tracking you and what they will do with the collected data; notably Facebook that constantly opens the Pandora box to everyone, even if you have never subscribed to them with a Facebook account !).

            These companies or system invited here without your consent are :

            3 social networks:
            - Facebook Connect
            - Twitter Badge
            - LinkedIn

            2 ad network tracking (trying to profile you, in order to better trick you in socialization schemes):
            - AudienceScience
            - Nielsen

            7 other companies (for absolutely unknown reason)
            - CNET Tracking (Wasn't there a divorce between ZDNET and CNET ??? Why do they strill track the clients of each other ???)
            - Omniture
            - Revenue Science
            - BlueKai
            - Comscore Beacon
            - Netratings Site Census
            - CrowdScience

            If we block all those spiers here, you can't even interact with this site by using a local login to your registered account. You can't post anything. You can't even login here without unblocking ALL these external spiers that are tracking you everywhere you go !

            Nothing is explained : may be you know a few of them, but for most of them you have absolutely no idea they are involved here. When you look an ad on TV, normally you are not tracked, not profiled personnally. You can stop at any time, and change your mind and no one will ever notice your change.

            But here you authorize (without explicit consent) any one of these companies to resell your personnal information to anyone that will just pay a few dollars for it. Including abusers becaue you absolutely never know how your information will be disseminated : it is fully out of control.

            Why does ZDNET uses so many trackers ? Only one would be needed. But hey! we're are the victims of socialization tricks, exactly the same kind as the tricks used by malware authors.

            Spiers are everywhere here on this forum ! One day some of those spiers will abuse you as they don"t care about your security.

            So ZDNET is also lying to us, when they attempt to "educate us". If you're not aware of that, try using the "Do not track plus" addon for your browser (See www(DOT)abine(DOT)com for the free download), you'll see the millions of sites and spiers counting EVERYWHERE you go without informing you at an incredible rate.
            PhilippeV
          • ZDNEt and CNet

            are both owned by CBS Interactive, as are all the other CNet sites.
            NickNielsen
        • Android - Java?!

          Android doesn't use Java. It uses Dalvik, now the language is Java but it isn't compiled into Java Bytecodes (hence the big Oracle Lawsuit) it creates Dalvik Bytecodes. So the runtime won't have the same exploits as the Java runtime, it might have DIFFERENT exploits... but it won't have the exploits Java has.
          jeremychappell
      • Minecraft

        Minecraft. Played by millions of users worldwide. Uses frigging JAVA.
        Death to Stupid
    • RE: Rule 1

      daikon wrote:
      "If you didn’t go looking for it, don’t install it!

      Good advice, but will Grandpa and Grandma know what you are talking about. After all, they might be bored and, therefore, are curious about the applet. Let's have a look!

      Or they receive an email with a zip file attached, DancingKittens.zip, open the zip file and double click SeeTheDancingKittens.pl as instructed in the body of the email. That's all it would take. Would Grandma or Grandpa notice the new startup application placed in /var/tmp and referenced in $HOME/.config/autostart? Plus, every Linux distro I have ever used has wget installed by default. Let's bring in some reinforcements. And iptables, *IF* enabled for one's distro, is not an application firewall and is all about keeping the miscreants OUT of one's system. Too bad they're already inside.
      Rabid Howler Monkey
      • Grandma and Grandpa will know what he's talking about if he educates them. Anyone can be bored and click something they shouldn't, no matter their age.

        You're trivializing things a bit. And the problem you're describing is OS-agnostic. An ignorant user will not understand, even when using an MS or Mac operating system. But personally, I don't believe that a common user that doesn't know Linux should be expected to know Linux or *nix in general as a sysadmin would, just as they wouldn't know how to administer an MS or Mac system professionally.

        If they're not willing to learn their system at a basic level, then maybe they shouldn't be computing at all. And everyone should be backing up their data anyways. I informed my 65-year-old mom that if she kept having such issues with malware, to either get software that images her drive so that she can reinstall without issues (and this is in addition to recommending that she purchase a good AV suite). That's not always going to help, but in cases such as the current topic of discussion, it will definitely help to be able to go back to before they unintentionally installed a trojan. Remember, most seniors aren't as in a rush of things as the average user...they're not stupid, they're just older. There are some very smart older people out there and some of them are actually computer-savvy or have the potential to be.
        unixfool@...
  • The ultimate answer : NORTON

    One basic rule : install Norton and you will enjoy having the feeling to be immune.
    Oh you're running Linux ? Hmm format your disk, install Windows and then install Norton.
    How about that ?
    Now happy safe browsing lol
    neeeko
    • Norton sucks

      Nothing more needs to be said.
      Joe_Raby