F-Secure found Web Exploit in Mac OS X , Windows and Linux
Please take note
Monday, July 9, 2012
|Multi-platform Backdoor Lurks in Colombian Transport Site||Posted by Karmina @ 16:06 GMT | Comments|
We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.
Here is what is shown if visited using Windows:
And using MacOS:
The JAR file checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform.
All three files for the three different platforms behave the same way. They all connect to 184.108.40.206 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively.
The files are detected as:
Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
BackdoorSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
The MacOSX sample is a PowerPC binary, as such, executing the file in an Intel-based platform will require Rosetta:
The C&C and hacked website have been reported.
Thanks to Brod for the payload analysis.
Changed typo error on IP address (from 220.127.116.11 to 18.104.22.168). Thanks Costin for spotting this!
The JAR file appears to be generated using the Social-Engineer Toolkit.
New Web exploit targets multiple platforms
While Windows, OS X, and Linux platforms may be affected, this effort is a crude and easily detectable attempt.
Researchers at F-Secure have uncovered a new exploit that attempts to install a backdoor malware program on Windows, Linux, and OS X machines. As with other malware, this uses social engineering approaches to try tricking users, but in addition it runs a check to see what operating system the user is running and then issues a malware installer for that platform.
The attack was found on a Columbian transport Web site, where once visited, a Java applet would run using a self-signed certificate. On all platforms this certificate will flag a warning that notifies the user it is not from an authorized signing agency, but if the user continues to execute the Java applet then it will download a binary for the respective platform, which will connect to a server and download additional components of the attach, using TCP ports 8080 for OS X, 8081 for Linux, and 8082 for Windows.
A valid certificate such as this one from Bank of America will have indications of a valid signature, which can be investigated by clicking the secure connection indicator in Safari's address bar (or that of Firefox, Opera, or other Web browser you may be using).(Credit: Screenshot by Topher Kessler/CNET)
While this type of approach is nothing new, the malware developers in this case have been rather careless, especially with regard to the OS X component of the attack. While the Windows and Linux binaries that are downloaded will run on those platforms, the OS X version is a PowerPC binary so it will not run on any Intel-based Mac without Rosetta. While Apple included Rosetta in OS X Leopard, it is an optional download for Snow Leopard, and was removed entirely in Lion. Therefore, this malware will not run on systems with Lion or Snow Leopard without Rosetta.
Mac security company Intego also notes that the malware was thrown together with readily available tools such as MetaSploit, which indicates the attack authors are not particularly technically savvy individuals.
Overall, this threat is of very low concern, especially for Mac users who keep their systems up to date. However, it does serve as a reminder to only use services that you personally trust or that use a legitimate certificate signing authority. If at any point you see a program, applet, or other resource attempt to use a self-signed certificate, then be sure you personally trust the source before using it (i.e., it is from a server you own or manage). Legitimate commercial vendors will use certificates signed by an authority like VeriSign, which authenticates to the root certificates in your system to ensure applets and other transactions with the service are legitimate and secure.
To check any certificate, you can click on the secure connection indicator that will appear in or near your Web browser's address bar (and should appear green in color for valid certificates). Clicking this indicator will display information about the certificate, including an indicator that it is valid (such as a green check and a note stating the certificate is valid). A valid certificate means that the signing authority has confirmed that the company or service is the original one that was verified and issued a certificate. If you see an invalid or self-signed certificate, then consider avoiding the service until the authentication problem has been resolved.