Windows, Linux and Mac OS X are being targeted in a cross-platform malware attack, according to security experts.
Researchers at F-Secure spotted the attack on a Colombian transport site. The attack begins with a signed Java applet and a social engineering ploy in the form of a dialog box prompting the user to run an application despite its digital certificate not being verified.
"The JAR file checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform," blogged Karmina Aquino, a senior analyst with F-Secure. "All three files for the three different platforms behave the same way. They all connect to 18.104.22.168 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux and Windows, respectively."
While the functionality of the backdoor Trojan is the same regardless of which operating system it is running on, the impact on Mac machines may be limited, noted Lysa Myers, a researcher with Mac-focused security vendor Intego.
"There is one part of the OS X version that is particularly notable: It is a PPC binary only, so it will require Rosetta in order to run on an Intel machine," she blogged. "This is likely to severely limit prevalence of the OS X version."
Rosetta is a dynamic binary translator for Mac OS X that allows PowerPC apps to run on certain Intel-based Macs without modification. It was released by Apple in 2006 when it moved off the PowerPC platform. Mac OS X 10.6, aka Snow Leopard, does not include Rosetta by default but retains an option for the user to include it. Mac OS X 10.7--known as Lion-- does not support or include Rosetta at all.
"It s also interesting to note that the components of this threat are created with readily available hack-tools, namely TrustedSec Social Engineering Toolkit and MetaSploit," Myers said. "This is not something that was cleverly handcrafted, but something that was generated with tools made by other people. And given that the OS X component is not intended for current hardware, it s likely that the person who planted this threat was not especially technically savvy."
Both the command-and-control server and the hacked Colombian site have been reported, F-Secure s Acquino added.
Because of its ubiquity, Java has become a favorite target of attackers. For example, just recently, the notorious Blackhole exploit kit added an exploit for CVE-2012-1723, which was patched by Oracle in June, to its arsenal of weapons.
This article was originally published on 07-12-2012