Remember the cross-platform malware that exploited Java to attack both PCs and Macs? Well here's a better one for you: a Trojan downloader that checks your operating system so it can pick which malware to download onto your computer.
The new Web-based social engineering attack, first detected on a compromised website in Colombia, relies on a malicious Java applet to install backdoors on Windows, Mac, and Linux computers. When you first visit such a compromised site, you are prompted to install the Java applet, which unsurprisingly hasn't been signed with a certificate. If you do so, the applet checks which operating system you have (Windows, Mac OS X, or Linux) and then drops a corresponding Trojan for your platform.
F-Secure, which first found the Web exploit, detects the initial malware as Trojan-Downloader:Java/GetShell.A. The respective payloads for Windows, Mac, and Linux are detected as follows: Backdoor:W32/GetShell.A, Backdoor:OSX/GetShell.A (PowerPC binary, requires Rosetta on an Intel-based platform), and Backdoor:Linux/GetShell.A.
All three of them have one purpose: to connect to a Command and Control (C&C) server and await further instructions. These typically include downloading additional malware and executing it. The security company did note, however, that ever since it began monitoring this particular attack, the C&C server hasn't pushed any additional code. That being said, it could technically do so at any time.
It appears that the Trojan downloader was written using the Social-Engineer Toolkit (SET), an open-source and publicly-available Python tool designed for penetration testing. It is very unlikely that this is a penetration test.
Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. It shouldn't surprise you that Java is being used: the platform has loads of security holes, and it runs on all the major operating systems.
- Malicious Chrome extensions hijack Facebook accounts
- Malware tricks Facebook users into exposing credit cards
- Up to 1.5 million Visa, MasterCard credit card numbers stolen
- New Flashback variant silently infects Macs
- Wikipedia: If you see ads on our site, you have malware
- New targeted Mac OS X Trojan requires no user interaction
- Over 600,000 Macs infected with Flashback Trojan