Web Exploit Found That Customizes Attack For Windows, Mac, and Linux
phaedrus5001 writes with this quote from Ars:
"Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."
Columbian transport website? (Score:5, Funny)
Re: (Score:2, Informative)
This is an open source tool called SET; it's used by penetration testers -- Applet code here -- https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/
Re: (Score:2, Insightful)
Yep, just more hype and FUD clickbait.
It's an ordinary Java applet, with all the rights and controls of every other Java applet, except this applet was a pen-tester written by TrustedSec, then found by "researchers" from F-Secure. It downloads a file specific to the OS it's running on and....
...no more information from F-Sec
This has beat up written all over it.
Blah (Score:5, Funny)
When are the malware writers going to support BSD?
Re:Blah (Score:5, Informative)
They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???
Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.
Re:Blah (Score:5, Insightful)
I haven't tried the exploit, but again:
On my machine, all the important stuff is in the /home directory.
There's nothing really interesting in the "system". I don't even really care about the system. It's just an ISO download away from reinstall.
My files, on the other hand, are what's important.
Re:Blah (Score:4, Insightful)
They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???
Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.
Same argument goes for Windows and OS X -- and the argument is wrong. You can have software that happily installs in your home directory and has full access to userland files -- which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.
From what I've seen, the stuff normally dropped on Linux systems tends to be shell scripts and the like, and they don't tend to look like much in screen shots.
Re:Blah (Score:4, Interesting)
which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.
I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the user's own directory.
You have backups of /home, right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you cannot detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland, so can we let this meme die now, please?
Re: (Score:2)
~ or %HomePath% is where people keep their documents - including things such as, say, filled out tax returns, and other things that have tons of personally identifying information in them that is quite valuable for the kind of people that tend to run malware. Also, a lot of people either use webmail with saved password (or "stay logged in"), or a mail client configured to fetch everything by default with no password prompt, which again makes the contents of your emails directly accessible to any malware ru
Re: (Score:3)
which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.
I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the user's own directory.
You have backups of /home, right? So what is the problem with restoring it? Losing /home is NOT the worst thing that can happen to you. Having a virus that you cannot detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland, so can we let this meme die now, please?
OK, now let's look at what I said and what you said.
Me: Most of what is actually important to you is accessible from userland
You: There's a meme right now about how the only important files to the user are in the user's own directory
See the difference?
What I was pointing out is that malware can do most of what it needs to do these days without ever leaving userland. For those tasks like setting up a rootkit, hosts poisoning, cross-user spreading, etc. that DO require more privileges (but which are a small
Re: (Score:1, Offtopic)
Never. Netcraft has confirmed it... BSD is dead.
Re:Blah (Score:4, Interesting)
No it isn't. The largest BSD distro is Macintosh!
Re: (Score:2)
Whoosh.
Re: (Score:2)
Never. Netcraft has confirmed it... BSD is dead.
Netcraft still exists?
Re: (Score:2)
They don't support Plan 9? What BS.
Re: (Score:3, Informative)
Well, OS X is built on BSD so technically they kinda do?
Re: (Score:2)
What should desktop Linux users do to avoid the malware from the article?
Re:Blah (Score:5, Insightful)
1) Disable Java by default. I have yet to have a website that I use regularly not work because Java doesn't run. Whitelist the sites you want to run Java on.
2) Don't blindly click and enter your password at every prompt
Those two things alone would make you immune to this.
Re: (Score:2)
I wasn't talking about javascript. He was talking directly about this attack. Disabling Java not Javascript is what would stop it. I just double checked BofA as well. It worked fine with Java and Flash disabled. It is pretty stupid it won't without javascript though. The only thing I can think of is maybe to try and stop bots, but even that is dumb. It's trivial to embed webkit, use the webbrowser object, etc to parse js.
Re: (Score:2)
Then don't visit that site. I run NoScript on my Windows and Linux desktops; sites that refuse to play nice don't get my traffic. If more people would stop visiting these sites, their ad revenue will start to be impacted. Once you hurt their bottom line, they will start to wonder why and may stumble across a post like this one and they may get the point.
Then again, they were stupid enough to do this in the first place... Their response might be "WE NEEDS MOAR ADS FOR TEH MONAYS SO I CAN BUY A NEW BENZ!!!"
Re: (Score:3)
Pah... We'll just patch the user each first Tuesday of the month. No big difference...
Re: (Score:2)
it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here
Perhaps.
But being in the crosshairs isn't the same as being hit. I haven't seen any evidence this "exploit" actually works on Linux.
For a start, there's only this one article with almost no real information, repeated all over the web. There are no Linux screenshots, and all I can glean from the text is that the malware is actually an open-source pen-testing tool called the Social-Engineer Toolkit (SET), which has always included the Linux compatibility code. In fact, it's no different from any other self-si
Re: (Score:2)
Ah, see there's your mistake: not in assuming that the general crowd at slashdot is smarter than average (they are); you are overestimating the average level of intelligence.
Re: (Score:2)
"At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run."
That is exactly what I had to do for my parents. I created four non-admin accounts:
1 - Games (this is for my mom to play online games)
2 - Mom (This is the account my mom uses for email (whitelisted), and dumping pics, etc). This account has no access to a web browser.
3 - Dad (ditto for this account).
4 - B
COLOMBIAN....not "Columbian" (Score:2, Informative)
Please learn how to spell.
Re: (Score:2, Informative)
Maybe it was a website about the bus lines in Columbia, South Carolina.
Re: (Score:3)
or run by the dedicated fanbois of Christopher Columbus?
Re: (Score:3, Informative)
Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".
Re:COLOMBIAN....not "Columbian" (Score:5, Informative)
Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".
Re: (Score:2)
Technically, North American would also include Mexicans. Something Americans and Canadians seem to forget.
Re: (Score:3)
Wrong. Although both are named after Columbus, the US capital is the District of Columbia, whereas the South American country is Colombia. You have me feeding though.
STOP MAKING SHIT UP (Score:2)
In English, Colombia is spelled with an O. Not a U. SO STOP MAKING SHIT UP.
Here, look it up for yourself:
https://maps.google.com/ [google.com]
https://www.cia.gov/library/publications/the-world-factbook/geos/co.html [cia.gov]
http://en.wikipedia.org/wiki/Colombia [wikipedia.org]
http://www.state.gov/r/pa/ei/bgn/35754.htm [state.gov]
http://www.colombiaemb.org/ [colombiaemb.org]
http://news.bbc.co.uk/2/hi/americas/country_profiles/1212798.stm [bbc.co.uk]
Re: (Score:2)
Anybody who watches the Miss Universe Pageant has always known Miss Colombia to at least make it as a semifinalist.
Re: (Score:3)
I initially read this as "Coulombian transport website", which had me confused...
Re: (Score:2)
Oh? [wikipedia.org]
Re: (Score:2)
Is that why we call him "Hugo Chavez" instead of "Oogo Shavez"?
Re: (Score:2)
He's as relevant as Bush and Washington. ;)
Re: (Score:2)
If American can change the name of everything why the rest of the world can't?
I have heard 'Estados Unidos' (sp?) more than once on Univision.
if (linux) (Score:5, Funny)
if(linux) { exec 'su - root' || die 'shit, I had to try something...'; }
Re: (Score:3)
no conditional checks for arduinos?
for shame! feeling so left out...
Finally some multi-platform support (Score:5, Funny)
Now if only the major business software companies were this considerate...
Java = security nightmare (Score:2, Insightful)
"java applet".
So in other words, if you VOLUNTEER to run their malware, their malware runs. Wow. Whoda thunk it.
Java = security nightmare. javascript not much less so. Anyone halfway security conscious only runs scripts based on a whitelist of trusted sites.
Re:Java = security nightmare (Score:5, Insightful)
You're right, the Java programming language is not a security threat to computers in general. The Java Runtime Environment, and its various browser implementations, however, is definitely a threat. Just like PDF documents are not a threat, but Acrobat Reader is definitely a threat. See here [net-security.org] for proof (spoiler: Java was the #1 infection vector, at 37%; Acrobat #2 at 32%).
Re: (Score:2)
Your link exposes that the browsers and the Java Deployment Toolkit appear to be the culprits, not the JRE itself.
The study specifically calls out the "Java JRE" (that's right, the Java Java Runtime Environment) as the vector for 37% of Windows infections. But I do see that in the partial list of vulnerabilities that some of the ones related to Java (but not all of them) call out the Java DT. As far as browsers go, the only browser listed as an infection vector is IE, and it was only responsible for 10% of infections. 85% of the infections were the "drive-by" variety exploiting JRE, Acrobat, or Flash.
PDFs, IIRC, just recently were a threat in and of themselves. But that's neither here nor there.
The document is
Re: (Score:2)
Just like the Spanish Inquisition, the list of weapons you see in that study is "amongst" all of their weapons. That's not a complete list of exploits. They claim to have looked at 50 exploit kits. I believe that Metasploit alone contains a database of around 800 exploits. According to Secunia, JRE 1.6.x contains 274 vulnerabilities and 1.7.x contains 53.
Re: (Score:2)
Exactly how Java ends up executing the malicious code isn't really relevant to end users. I don't have any parts of Java installed because I don't trust that it's going to be secure. I don't care enough about Java to go digging through the individual bits and pieces to identify which things are safer to install. It doesn't matter to me whether the DT is at fault, or the JRE, or J2EE or JDK or whatever else, I don't care. What I care about is avoiding infections, and since Java plays a part in 37% of inf
Re: (Score:2)
Well, since browsers are responsible for 100% of the infections listed, I expect you don't have them installed, either? And since Windows was also 100% responsible for infections, you don't have that either? For that matter, what are you doing on the internet? It is responsible for 100% of those infections!!!
Don't be obtuse. IE was only responsible for 10% of infections, and I don't use it. Windows help files were the vector less than 5% of the time, and I assume IE was used there as well, because my browser wouldn't automatically launch a Windows help file.
I think you may need to revisit your assumptions
Maybe you misunderstood me. When I referred to "my browser", I was not referring to IE. I don't use IE for the same reason I don't install Java or Acrobat Reader. That's 79% of infections that won't succeed on my machine after very little (or no) effort
Re: (Score:2)
I'm not being obtuse. You are berating a product for the flaws of a single component that resembles an appendix that 99% of Java users never encounter nor care about.
OK. Since you're the resident Java security expert, then let me ask you a question. Since Java is responsible for 37% of infections to Windows, and since the study specifically calls out the JRE, but you claim that the JRE is not the problem, then answer these two questions: which component is the problem, and why do end users care which component is the problem? The fact remains - Java is the #1 infection vector. You can claim that 99% of users never "encounter" the faulty components, but that leaves a
Re: (Score:2)
At least that one's done. So you agree the problem is not the JRE, but the plugins/plugin framework.
The problem is that all of the components that people exploit are installed and enabled by default in the download package that Oracle labels the JRE (which is why the report specifically blames "Java JRE").
It's Windows that's the single largest vector for infection.
No, Windows is the target. Java is the hole that attackers go through to get there.
The fact that other systems run fine with Java really points out this glaring omission on MS's part.
OK, then let me ask you a question. Why do you think it's true that Java is used as the infection vector 37% of the time, while Flash is used 16%? Or that IE is used at only 10%? When a Windows machine gets infected, w
Re: (Score:2)
JRE versions 1.4, 1.5 and 1.6 all have over 260 vulnerabilities listed on Secunia. Each one has more than the last 3 versions of Flash Player and more than any version of IE other than IE 6 which only has about 2 dozen more vulnerabilities. On the other hand if you look at something like .NET there are an average of maybe 40 vulnerabilities for each major version.
Re: (Score:2)
It's not FUD. The JRE is one of the most vulnerable and exploitable pieces of software on a machine. If you don't believe me, see Secunia for the number of vulnerabilities per version. It averages to nearly 200 per major version, which is more than the average of the last 3 major versions of Flash Player.
Re: (Score:2)
Yes, really. Going back over 10 years of the JRE.
JRE 1.7: 53 vulnerabilities [secunia.com]
JRE 1.6: 274 vulnerabilities [secunia.com].
JRE 1.5: 265 vulnerabilities [secunia.com].
JRE 1.4: 264 vulnerabilities [secunia.com].
That's 191 vulnerabilities on average, and it's only that low since the 1.7 JRE is only 2 years old. And why did you bring up J2EE? What average user is running J2EE on their desktop?
Re: (Score:2)
You can run straight up machine language with a stack overflow. Does that make machine language a security nightmare?
Jeez.
Re: (Score:2)
You can with NaCl on Chrome.
At this point I wouldn't be surprised if it was safer than Java, too.
Web exploit... (Score:1)
Oh noze... a web exploit for Linux! That asks you if you want to install it from within your web browser. Yeah, your average Linux user will surely fall for that, even though it's not how we ever install software. Does it even work on Linux? The article had no screenshots of it running there, nor what version of Java (if any) it exploits.
Re: (Score:2)
The smug Linux user has likely taken steps to avoid running any random untrusted nonsense in a web browser.
Re: (Score:2)
See that red color? "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
You can see at a glance that most of these vulnerabilities require javascript. As the GP said, the smug Linux user has probably disabled Javascript from random sites. If not, they have no business being smug.
Re: (Score:2)
If someone is feeling smug, it is usually because they have no business feeling smug.
Only older Macs. (Score:4, Informative)
Rosetta not supported on Lion and not installed by default in Snow Leopard.
So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...
I don't think any *nix user has much to worry about either...
Re: (Score:2)
If your stash isn't getting low, you should be fine for a while, but if it is then you're headed for big trouble bud. I recommend you stock up on some serious opiates post haste!
Interesting author in source code (Score:5, Informative)
If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
/** ...
* Original Author: Thomas Werth
* Modifications By: Dave Kennedy, Kevin Mitnick
* This is a universal Applet which determintes Running OS
*
Re: (Score:2)
The exploit isn't determining which OS they are running. The dropper determines the OS and then delivers the payload for that OS. The exploit in the payload may be new, or it may be exploiting unpatched JREs.
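An added example, not code from the article, F-Secure, SET or any commenter, that takes the defender's side of the OS dispatch described in the summary and in the comment above: it scans proxy-log lines for a Java archive that is followed, per client OS family, by a different binary download from the same host, which is the footprint a multi-platform dropper leaves in traffic. The log format, hostnames, content types and the 60-second window are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: time, client, User-Agent, URL, response Content-Type.
SAMPLE_LOG = """\
2012-07-10T14:00:01 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1)" http://transit.example/ text/html
2012-07-10T14:00:02 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1)" http://transit.example/Applet.jar application/java-archive
2012-07-10T14:00:04 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1)" http://transit.example/update.exe application/octet-stream
2012-07-10T14:01:10 10.0.0.6 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7)" http://transit.example/Applet.jar application/java-archive
2012-07-10T14:01:12 10.0.0.6 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7)" http://transit.example/update.pkg application/octet-stream
2012-07-10T14:02:20 10.0.0.7 "Mozilla/5.0 (X11; Linux x86_64)" http://transit.example/Applet.jar application/java-archive
2012-07-10T14:02:21 10.0.0.7 "Mozilla/5.0 (X11; Linux x86_64)" http://transit.example/update.sh application/octet-stream
2012-07-10T14:03:00 10.0.0.8 "Mozilla/5.0 (Windows NT 6.1)" http://shop.example/cart.jar application/java-archive
2012-07-10T14:03:02 10.0.0.8 "Mozilla/5.0 (Windows NT 6.1)" http://shop.example/cart.js application/javascript
2012-07-10T14:05:00 10.0.0.9 "Mozilla/5.0 (X11; Linux x86_64)" http://shop.example/cart.jar application/java-archive
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')
APPLET_TYPE = "application/java-archive"
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-apple-diskimage", "application/x-sh"}
WINDOW = timedelta(seconds=60)  # assumed bound between applet load and payload fetch


def os_family(user_agent):
    """Coarse client OS from the User-Agent: the same three-way split the applet makes."""
    if "Windows" in user_agent:
        return "windows"
    if "Mac OS X" in user_agent or "Macintosh" in user_agent:
        return "mac"
    if "Linux" in user_agent:
        return "linux"
    return "other"


def parse_log(text):
    """Parse log lines into (time, client, os, url, content_type), sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, ua, url, ctype = m.groups()
        records.append((datetime.fromisoformat(ts), client, os_family(ua), url, ctype))
    return sorted(records)


def find_multi_platform_droppers(text):
    """Return {applet_url: {os: [payload paths]}} for applets followed, within WINDOW,
    by a binary download from the same host, where at least two OS families
    received different payloads. A single-OS or non-binary follow-up is not flagged."""
    by_client = defaultdict(list)
    for rec in parse_log(text):
        by_client[rec[1]].append(rec)
    seen = defaultdict(lambda: defaultdict(set))  # applet -> os -> payload paths
    for recs in by_client.values():
        for i, (t0, _, os_name, url, ctype) in enumerate(recs):
            if ctype != APPLET_TYPE:
                continue
            for t1, _, _, url2, ctype2 in recs[i + 1:]:
                if t1 - t0 > WINDOW:
                    break
                if ctype2 in BINARY_TYPES and urlparse(url2).netloc == urlparse(url).netloc:
                    seen[url][os_name].add(urlparse(url2).path)
    flagged = {}
    for applet, per_os in seen.items():
        payload_sets = {frozenset(p) for p in per_os.values()}
        if len(per_os) >= 2 and len(payload_sets) >= 2:
            flagged[applet] = {o: sorted(p) for o, p in per_os.items()}
    return flagged


if __name__ == "__main__":
    for applet, per_os in find_multi_platform_droppers(SAMPLE_LOG).items():
        print(applet, per_os)
```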
Malware for Linux? (Score:5, Funny)
The year of the Linux desktop has arrived!
Web exploit drops a different trojan (Score:2)
I typed 186.87.69.249:8081 into the address bar and this came up [postimage.org]. Besides which, explain to me again why I would run a Java Applet from an unknown source and give it my root password?
not that hard... (Score:2)
There is a way, with a browser identification script on the server side, to then realize a redirect based on the type of browser... that would be a very mundane thing for any adept web developer to do... in any language.
Re:Most Macs are probably immune. (Score:5, Informative)
That'd be news to the millions getting new macs and using Java.
The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.
That said, if you try to run something that requires Java, OS X will offer to download and install it for you. However, with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.
That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgeable to do much about it, or even be aware that anything is wrong).
Yaz
Re: (Score:3)
Most Linux distros don't ship the Java applet thingy either.
Re: (Score:3)
Macs do indeed run apple's version of java... If you have jumped through the hoops of clicking the "disabled plugin" button that replaces the applet, then typing in your password. Macs absolutely do not have to be running rosetta (a tech that doesn't even exist any more) to get infected, as neither Java, nor the binary delivered is a PPC binary.
Re: (Score:2)
Eh? How do you figure? Macs run Apple's version of Java...which means, they'd dutifully execute this applet.
With OS X Lion, Apple stopped shipping Java with OS X. And with the latest revision, the ability to run Applets or Java Web Start is disabled by default, and has to be explicitly enabled (and even then will self-disable if you don't use it for some time).
So to amend your statement, Macs run Apple's version of Java -- if you've tried to run something written in Java, responded to the resulting pop-up that you'd like to download and install Java, entered an Admin password (or username and password if you're
Re: (Score:3)
More correctly:
1. Macs ship with a hook that offers to install Java if you ever attempt to use it.
2. OSX does not disable Java itself, but the Safari application disables the use of Java applets. If you run Firefox, this doesn't happen at all.
Re: (Score:2, Insightful)
... and on up-to-date systems there won't be any known privilege escalation exploits.
Think again. An attacker following the kernel source tree will be able to figure out when exploitable bugs are being patched. While such bugs/fixes are generally not called out as security fixes at that time, they are nevertheless identifiable given a small investment.
And for many distros it takes weeks (sometimes months) for the fixes to come through to the "consumer". During that time (dubbed "high-risk days" by some researchers) the vulnerability information is in the open but systems have not yet been p
Re: (Score:3)
I had a friend that did a demonstration of just that. He built an exploit while he was up there doing the talk. It took a couple hours, but when he was done he had a functional 0day. Believe it or not people actually do what he's describing. If the good guys are doing it for pentesting I'd guess the bad guys are doing it as well.
Re: (Score:2)
You mean like the Linux kernel dev who had a trojan installed on his system and subsequently got kernel.org rooted by getting the trojan on two of the servers? Yeah, geeks never get malware on their systems. *rolls eyes*
Re: (Score:2)
Very interesting analysis.
Re: (Score:3)
F-Secure wasn't eager to tell us the details. It doesn't work anymore on OS X, no word about Linux.
Anyway, it wasn't a proof of concept. It was found in the wild.
Re: (Score:2)
because nobody in the wild tests their proof of concepts. programmers always use a sandbox feature for that.
not.
Re: (Score:2)
It really is not complicated.
Get up, go to the bathroom, go to a stall, take off your underwear, wipe yourself off, put pants back on without your underwear, get out of the stall, throw away your soiled underwear and get back to work.
Re: (Score:2)
They use fake names when getting it signed.