Web Exploit Found That Customizes Attack For Windows, Mac, and Linux 204
phaedrus5001 writes with this quote from Ars:
"Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."
lol (Score:0, Informative)
Java !
COLOMBIAN....not "Columbian" (Score:2, Informative)
Please learn how to spell.
Most Macs are probably immune. (Score:0, Informative)
Mac OS X doesn't ship with Java anymore.
Re:COLOMBIAN....not "Columbian" (Score:2, Informative)
Maybe it was a website about the bus lines in Columbia, South Carolina.
Only older Macs. (Score:4, Informative)
Rosetta not supported on Lion and not installed by default in Snow Leopard.
So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...
I don't any *nix user has much to worry about either...
Interesting author in source code (Score:5, Informative)
If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
/** ...
* Original Author: Thomas Werth
* Modifications By: Dave Kennedy, Kevin Mitnick
* This is a universal Applet which determintes Running OS
*
Re:Most Macs are probably immune. (Score:1, Informative)
Re:Blah (Score:3, Informative)
Well, OS X is built on BSD so technically they kinda do?
Re:COLOMBIAN....not "Columbian" (Score:3, Informative)
Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".
Re:Most Macs are probably immune. (Score:5, Informative)
That'd be news to the millions getting new macs and using Java.
The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.
That said, if you try to run something the requires Java, OS X will offer to download and install it for you. However with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.
That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgable to do much about it, or even be aware that anything is wrong).
Yaz
Re:COLOMBIAN....not "Columbian" (Score:5, Informative)
Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".
Re:Blah (Score:5, Informative)
They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???
Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.
Re:Columbian transport website? (Score:2, Informative)
This is an open source tool called SET its used for penetration testers -- Applet code here -- https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/