Web Exploit Found That Customizes Attack For Windows, Mac, and Linux

Posted by Soulskill
from the making-everyone-feel-special dept.
phaedrus5001 writes with this quote from Ars: "Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Colombian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."
  • by Kenja (541830) on Tuesday July 10, 2012 @02:25PM (#40605121)
    Is that where the "domestic pharmaceutical procurement facilitators" meet?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      This is an open source tool called SET; it's used by penetration testers -- Applet code here -- https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Yep, just more hype and FUD clickbait.

        It's an ordinary Java applet, with all the rights and controls of every other Java applet, except this applet was a pen-tester written by TrustedSec, then found by "researchers" from F-Secure. It downloads a file specific to the OS it's running on and....
        ...no more information from F-Sec

        This has beat up written all over it.

  • Blah (Score:5, Funny)

    by mystikkman (1487801) on Tuesday July 10, 2012 @02:25PM (#40605125)

    When are the malware writers going to support BSD?

    • by leaen (987954)
      They do not support HURD
      • Re:Blah (Score:5, Informative)

        by AliasMarlowe (1042386) on Tuesday July 10, 2012 @03:55PM (#40606365) Journal

        They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

        Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

        • Re:Blah (Score:5, Insightful)

          by Compaqt (1758360) on Tuesday July 10, 2012 @04:21PM (#40606735) Homepage

          I haven't tried the exploit, but again:

          On my machine, all the important stuff is in the /home directory.

          There's nothing really interesting in the "system". I don't even really care about the system. It's just an ISO download away from reinstall.

          My files, on the other hand, are what's important.

        • Re:Blah (Score:4, Insightful)

          by Em Adespoton (792954) <slashdotonly.1.adespoton@spamgourmet.com> on Tuesday July 10, 2012 @04:25PM (#40606797) Homepage Journal

          They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

          Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

          Same argument goes for Windows and OS X -- and the argument is wrong. You can have software that happily installs in your home directory and has full access to userland files -- which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

          From what I've seen, the stuff normally dropped on Linux systems tends to be shell scripts and the like, and they don't tend to look like much in screen shots.

          • Re:Blah (Score:4, Interesting)

            by strikethree (811449) on Tuesday July 10, 2012 @07:34PM (#40608833) Journal

            which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

            I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the users own directory.

            You have backups of /home, right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you can not detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland, so can we let this meme die now please?

            • ~ or %HomePath% is where people keep their documents - including things such as, say, filled out tax returns, and other things that have tons of personally identifying information in them that is quite valuable for the kind of people that tend to run malware. Also, a lot of people either use webmail with saved password (or "stay logged in"), or a mail client configured to fetch everything by default with no password prompt, which again makes the contents of your emails directly accessible to any malware ru

            • which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

              I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the users own directory.

              You have backups of /home, right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you can not detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland, so can we let this meme die now please?

              OK, now let's look at what I said and what you said.

              Me: Most of what is actually important to you is accessible from userland
              You: There's a meme right now about how the only important files to the user are in the user's own directory

              See the difference?

              What I was pointing out is that malware can do most of what it needs to do these days without ever leaving userland. For those tasks like setting up a rootkit, hosts poisoning, cross-user spreading, etc. that DO require more privileges (but which are a small

    • Re: (Score:1, Offtopic)

      by sconeu (64226)

      Never. Netcraft has confirmed it... BSD is dead.

    • They don't support Plan 9? What BS.

    • Re: (Score:3, Informative)

      by kiriath (2670145)

      Well, OS X is built on BSD so technically they kinda do?

    • Re:Blah (Score:5, Interesting)

      by hairyfeet (841228) <{bassbeast1968} {at} {gmail.com}> on Tuesday July 10, 2012 @03:36PM (#40606119) Journal

      The sad part is the BSD guys would write them a thank you note for bothering to remember them.

      So can we ALL just accept now there is no "Magical OS" that makes one immune from malware please? All OSes are EXTREMELY complex piles of code, having to support tens of thousands of drivers, scheduling and tasking, hell I doubt even Linus can tell you when you launch program Foo every single interaction that is taking place in the system, there is simply more there than any one person can know.

      Now that the retard that made XP run by default as admin has been sent packing on the short bus all three major OSes have limited users, hell Windows even has the browser run as a low rights entity to help lower the risk. Now that all three major OSes have common sense defaults ultimately it all comes down to the USER and whether they will take the time to actually think or will simply allow anything to run. I've seen it a billion times in the shop, a fully patched and AVed machine get infected NOT because of the OS but because it was the USER that refused to listen to the warnings being given him/her and choosing instead to run it anyway.

      At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run. I think we can all agree having some corporation own our machines would be a BAD thing, so all we can do is warn users, try to make ever more hardened systems, and be ready to clean up the messes when they happen. After Android became a hit it was only a matter of time before Linux got put in the crosshairs, and now that day appears to be here and I for one will be interested to see how the community reacts.

      • by Compaqt (1758360)

        What should desktop Linux users do to avoid the malware from the article?

        • Re:Blah (Score:5, Insightful)

          by wmbetts (1306001) on Tuesday July 10, 2012 @06:00PM (#40607955)

          1) Disable Java by default. I have yet to have a website that I use regularly not work because Java doesn't run. Whitelist the sites you want to run Java on.

          2) Don't blindly click and enter your password at every prompt

          Those two things alone would make you immune to this.

          • by hairyfeet (841228)

            And that exact same advice frankly works just as well on Windows but if the user doesn't follow it you are screwed.

            Ultimately there is only so much you can do technically against the dancing bunny problem [codinghorror.com] because if the user WANTS to see the bunnies, and you try to stop the user from getting to the bunnies? they will happily thwart any and ALL security measures you put in their way to see the bunnies. Again I've seen this with my very own two eyes, i even had to throw a guy out of the shop once when he rem

        • by Baseclass (785652)
          NoScript [noscript.net]
      • Now that all three major OSes have common sense defaults ultimately it all comes down to the USER [...] and I for one will be interested to see how the community reacts.

        Pah... We'll just patch the user each first Tuesday of the month. No big difference...

      • it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here

        Perhaps.

        But being in the crosshairs isn't the same as being hit. I haven't seen any evidence this "exploit" actually works on Linux.

        For a start, there's only this one article with almost no real information, repeated all over the web. There are no Linux screenshots, and all I can glean from the text is that the malware is actually an open-source pen-testing tool called the Social-Engineer Toolkit (SET), which has always included the Linux compatibility code. In fact, it's no different from any other self-si

        • by npsimons (32752) *

          I keep hoping people here would be a little more informed than average

          Ah, see there's your mistake: not in assuming that the general crowd at slashdot is smarter than average (they are); you are overestimating the average level of intelligence.

      • by r_naked (150044)

        "At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run."

        That is exactly what I had to do for my parents. I created four non-admin accounts:

        1 - Games (this is for my mom to play online games)
        2 - Mom (This is the account my mom uses for email (whitelisted), and dumping pics, etc). This account has no access to a web browser.
        3 - Dad (ditto for this account).
        4 - B

        • by hairyfeet (841228)
          I do something similar for my customers. I always make them a low rights account for any friends/kids/etc that come over, and when the owner is in their account, while I can't lock them down as well as you can, I give them Comodo Dragon with ABP, since Dragon runs in low rights mode, and on top of that I give them Comodo CIS AV which has sandboxing and scan before load on web pages. Both are free and since doing so my customers getting nasty bugs has frankly dropped right off the chart. You'd be surprised how
  • by Anonymous Coward

    Please learn how to spell.

  • if (linux) (Score:5, Funny)

    by Ynot_82 (1023749) on Tuesday July 10, 2012 @02:32PM (#40605243)

    if(linux) { exec 'su - root' || die 'shit, I had to try something...'; }

  • Now if only the major business software companies were this considerate...

  • by Anonymous Coward

    "java applet".

    So in other words, if you VOLUNTEER to run their malware, their malware runs. Wow. Whoda thunk it.

    Java = security nightmare. javascript not much less so. Anyone halfway security conscious only runs scripts based on a whitelist of trusted sites.

  • by Anonymous Coward

    Oh noze... a web exploit for Linux! That asks you if you want to install it from within your web web browser. Yeah, your average Linux user will surely fall for that, even though it's not how we ever install software. Does it even work on Linux? The article had no screenshots of it running there, nor what version of Java (if any) it exploits.

    • by smash (1351)
      Because of course all of your personal information is stored under your non-user account? Err... nope. Identity theft is far more useful these days than simply trying to own your machine. Who cares about owning the machine when they can own your personal data?
  • Well, at least they made it run on Linux. Most software writers just don't bother to put in that kind of effort. Must be one classy virus writing operation over there to not leave any of the major OSes out lol.
  • Only older Macs. (Score:4, Informative)

    by used2win32 (531824) on Tuesday July 10, 2012 @02:40PM (#40605353)
    Quoted: "Surprisingly for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago. Rosetta is no longer even supported on Lion, the most recent version of OS X."

    Rosetta not supported on Lion and not installed by default in Snow Leopard.

    So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...

    I don't think any *nix user has much to worry about either...
  • So, if I haven't ordered any cocaine in the last couple of weeks, I should be okay?
    • "So, if I haven't ordered any cocaine in the last couple of weeks, I should be okay?"

      If your stash isn't getting low, you should be fine for a while, but if it is then you're headed for big trouble bud. I recommend you stock up on some serious opiates post haste!

  • by sl4shd0rk (755837) on Tuesday July 10, 2012 @02:49PM (#40605497)

    If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
    /**
      * Original Author: Thomas Werth
      * Modifications By: Dave Kennedy, Kevin Mitnick
      * This is a universal Applet which determintes Running OS
      * ...

    • The exploit isn't determining which OS they are running. The dropper determines the OS and then delivers the payload for that OS. The exploit in the payload may be new, or it may be exploiting unpatched JREs.
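The thread's delivery vector is a signed Java applet embedded in a compromised page, and sl4shd0rk's comment above notes that the applet reads a `getParameter("ILIKEHUGS")` value from that page. The following scanner is an added example (it is not code from the Slashdot thread, from F-Secure, Ars, or the SET project) showing how a defender can inspect fetched HTML for applet delivery tags and their parameters. The sample page, the `WATCH_PARAMS` list (apart from the `ILIKEHUGS` name quoted in the thread) and the hidden-element heuristic are constructed for this example; the Java Plug-in `classid` is the real value used by `<object>` applet embeds.

```python
"""Added example: flag Java applet delivery tags in fetched HTML.

Not code from the thread, F-Secure, Ars, or SET. Sample HTML and the
scoring heuristics are constructed for illustration.
"""
import json
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Java Plug-in ActiveX classid used by <object>-style applet embeds (real value).
JAVA_PLUGIN_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"

# Applet parameter names worth a second look. "ilikehugs" is the
# getParameter() name quoted in the thread; treat the set as a constructed
# watchlist, not a vendor signature.
WATCH_PARAMS = {"ilikehugs"}

# Constructed sample page: a 1x1 applet plus an <object> embed of the same jar.
SAMPLE_HTML = """<html><body>
<h1>Horarios de transporte</h1>
<applet code="Java.class" archive="Java.jar" width="1" height="1">
  <param name="ILIKEHUGS" value="http://example.invalid/drop/" />
</applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
  <param name="archive" value="Java.jar" />
  <param name="code" value="Java.class" />
</object>
</body></html>"""


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """True when both width and height are given and either is <= 1px."""
    def dim(v: Optional[str]) -> Optional[int]:
        try:
            return int(str(v).rstrip("px"))
        except ValueError:
            return None
    w, h = dim(attrs.get("width")), dim(attrs.get("height"))
    return w is not None and h is not None and (w <= 1 or h <= 1)


class AppletTagScanner(HTMLParser):
    """Collects <applet>, Java <object> and Java <embed> elements with their <param>s."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict] = []
        self._open: Optional[Dict] = None  # applet/object currently being parsed

    def _new(self, tag: str, a: Dict[str, str]) -> Dict:
        return {"tag": tag, "line": self.getpos()[0], "archive": a.get("archive"),
                "code": a.get("code"), "params": {}, "hidden": _is_hidden(a)}

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._open = self._new(tag, a)
        elif tag == "object" and (a.get("classid", "").lower() == JAVA_PLUGIN_CLSID
                                  or "java" in a.get("type", "").lower()):
            self._open = self._new(tag, a)
        elif tag == "embed" and ("java" in a.get("type", "").lower()
                                 or a.get("archive", "").lower().endswith(".jar")):
            self.findings.append(self._new(tag, a))  # <embed> carries no <param> children
        elif tag == "param" and self._open is not None:
            name, value = a.get("name", ""), a.get("value", "")
            self._open["params"][name] = value
            if name.lower() == "archive":   # <object> embeds pass the jar via <param>
                self._open["archive"] = value
            elif name.lower() == "code":
                self._open["code"] = value

    def handle_endtag(self, tag):
        if tag in ("applet", "object") and self._open and self._open["tag"] == tag:
            self.findings.append(self._open)
            self._open = None


def scan_html(html: str) -> List[Dict]:
    """Return one finding per Java applet delivery element found in the HTML."""
    scanner = AppletTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def assess(finding: Dict) -> List[str]:
    """Human-readable reasons a finding deserves analyst attention."""
    reasons = []
    if (finding.get("archive") or "").lower().endswith(".jar"):
        reasons.append(f"loads jar archive {finding['archive']!r}")
    if finding["hidden"]:
        reasons.append("element is sized to 0/1 px (nothing for the visitor to see)")
    for name, value in finding["params"].items():
        if name.lower() in WATCH_PARAMS:
            reasons.append(f"param {name!r} matches the watchlist")
        if value.lower().startswith(("http://", "https://")):
            reasons.append(f"param {name!r} carries a URL the applet may fetch from")
    return reasons


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(json.dumps({**f, "reasons": assess(f)}, indent=2))
```

Run against saved copies of pages (from a proxy log or a crawl), the scanner gives a triage list rather than a verdict: an `<applet>` on an intranet tool is normal, a one-pixel applet with a URL parameter on a transport timetable page is not, and the jar it names is what goes to the sandbox next.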

  • by Anonymous Coward on Tuesday July 10, 2012 @03:06PM (#40605733)

    The year of the Linux desktop has arrived!

  • by Cyko_01 (1092499) on Tuesday July 10, 2012 @03:39PM (#40606165) Homepage
    On linux you need to download the source code from the repository and compile it yourself
  • "a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform".

    I typed 186.87.69.249:8081 into the address bar and this came up [postimage.org]. Besides which, explain to me again why I would run a Java Applet from an unknown source and give it my root password?
    Well, the greater concern is what the virus is and intends to do. Something doesn't need a root password to, say, run an individual keylogger for what that user types, ftp that log file in addition to everything in ~/Documents to a server in Sealand, or whatever. If just ruining someone's day is the goal, rm -rf ~ would pretty much be the kiss of death. Linux's greater strength in the more robust, harder to break root privileges compared to Windows actually doesn't really come into play until Linux hits a poin
  • To becoming relevant enough to malware authors.
  • There is a way, with a browser identification script on the server side, to then perform a redirect based on the type of browser... that would be a very mundane thing for any adept web developer to do... in any language.
