Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux

A new cross-platform Trojan downloader has been discovered. It detects if you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform.
Written by Emil Protalinski, Contributor

Update - Cross-platform Trojan attacks Windows, Intel Macs, Linux

Remember the cross-platform malware that exploited Java to attack both PCs and Macs? Well, here's a better one for you: a Trojan downloader that checks your operating system so it can pick which malware to download onto your computer.

The new Web-based social engineering attack, first detected on a compromised website in Colombia, relies on a malicious Java applet to install backdoors on Windows, Mac, and Linux computers. When you first visit such a compromised site, you are prompted to install the Java applet, which unsurprisingly hasn't been signed with a certificate. If you do so, the applet checks which operating system you have (Windows, Mac OS X, or Linux) and then drops a corresponding Trojan for your platform.

F-Secure, which first found the Web exploit, detects the initial malware as Trojan-Downloader:Java/GetShell.A. The respective payloads for Windows, Mac, and Linux are detected as follows: Backdoor:W32/GetShell.A, Backdoor:OSX/GetShell.A (PowerPC binary, requires Rosetta on an Intel-based platform), and Backdoor:Linux/GetShell.A.

All three of them have one purpose: to connect to a Command and Control (C&C) server and await further instructions. These typically include downloading additional malware and executing it. The security company did note, however, that ever since it began monitoring this particular attack, the C&C server hasn't pushed any additional code. That being said, it could technically do so at any time.

It appears that the Trojan downloader was written using the Social-Engineer Toolkit (SET), an open-source and publicly available Python tool designed for penetration testing. It is very unlikely that this is a penetration test.

Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. It shouldn't surprise you that Java is being used: the platform has loads of security holes, and it runs on all the major operating systems.
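For defenders triaging a JAR pulled from a proxy cache or browser cache, the two traits described above (no signature, and an operating system check) can be screened for structurally. The following is an added example, not code from F-Secure or from the original article; it assumes the applet reads Java's standard `os.name` system property, and the sample JARs are constructed in memory.

```python
import io
import re
import zipfile

# Entries a signed JAR carries under META-INF/: a signature file and a signature block.
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
# Assumption: the OS check uses the standard "os.name" property, which then
# appears as a plain string constant in the class file's constant pool.
OS_PROBE = b"os.name"

def triage_jar(data: bytes) -> dict:
    """Structural triage: is signing metadata present, and which classes reference os.name?"""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        has_sf = any(SIG_FILE.match(n) for n in names)
        has_block = any(SIG_BLOCK.match(n) for n in names)
        probes = sorted(n for n in names
                        if n.endswith(".class") and OS_PROBE in jar.read(n))
    signed_layout = has_sf and has_block
    return {
        "signed_layout": signed_layout,       # layout only, not a verified signature
        "os_probe_classes": probes,
        "flag": (not signed_layout) and bool(probes),
    }

def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()

# Constructed samples: short byte strings stand in for compiled classes.
UNSIGNED_PROBE = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "Loader.class": b"\xca\xfe\xba\xbe\x00\x07os.name\x00",
})
SIGNED_PLAIN = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/VENDOR.SF": b"Signature-Version: 1.0\n",
    "META-INF/VENDOR.RSA": b"\x30\x82",
    "App.class": b"\xca\xfe\xba\xbe\x00\x05hello\x00",
})

if __name__ == "__main__":
    for label, sample in (("unsigned+probe", UNSIGNED_PROBE), ("signed", SIGNED_PLAIN)):
        print(label, triage_jar(sample))
```

A flag here is a triage hint, not a verdict: plenty of benign Java code reads `os.name`, and the presence of signature entries says nothing about their validity, which `jarsigner -verify` checks cryptographically.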
