The Register® — Biting the hand that feeds IT

Feeds

Multi-platform exploit sniffs your OS, penetrates your back door

Offers tasty applet to fanbois, beardies, Win users alike

By John Leyden, 11th July 2012
  • print
  • alert

Agentless Backup is Not a Myth

Cybercrooks have begun deploying a web exploit which detects whether the victim is running Windows, Mac OS or Linux before firing an appropriate Trojan.

The multi-platform backdoor was found on a Colombian Transport site by security researchers at F-Secure. The backdoor uses a JAR (Java ARchive file) to figure out if a user's machine is running Windows, Mac OS or Linux before downloading the appropriate files for the platform.

Surfers are tricked into agreeing to accept a malicious file under the guise that it is merely a benign applet.

All three malicious files are programmed to connect to a server in order to download additional components. No additional components were actually downloaded at the time F-Secure warned of the attack in a blog post on Monday afternoon.

F-Secure has reported both the command-and-control server and the hacked website to the appropriate authorities.

Attacks that attempt to figure out whether a surfer is using a Mac or a Windows machine before slinging exploits have been seen in a few cases in the past, mostly in association with scareware scams. Such dual-platform attacks remain rare. Multi-platform attacks are rarer still, hence the significance of F-Secure's find. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (45)
Highly Rated
Peter Gathercole
Reply Icon

Re: @Mr Torx

Linux, by it's very nature, is open to inspection by anybody who wants. Whether this is done is a moot point, but at least you can do it. Previous Linux exploits (like buffer overruns) certainly have been discovered before being found in the wild (you can tell these because they are normally published as 'potential' buffer overruns). Windows does not have this level of openess, so although there are more systems to attack, there is less chance to spot an exploit before it is actually used (which is why zero-day exploits are so damaging to Windows).

The autorun is another matter entirely. If the underlying OS was secure, and the default user was not privileged, then it would be relatively safe (but of course, personal information would be available even if they were not privileged). But Windows has a reputation of being unsafe, and certainly in XP and earlier, most systems were configured so that the default user was an administrator. This make autorun almost suicidal if users put untrusted media in their systems. I does not take a genius to see this.

Users on Linux and other UNIX-like operating systems can still be affected without privilege (I can think of several ways to add key-loggers to sessions on systems running X-Windows, for example), but in general, this is likely to affect the user and only that user, and the underlying OS and other users will be safe (significant, but less so if a Linux system is 'personal', i.e. only one user ever uses it - this is the problem Android has).

Because many users of commodity OSs do not really understand the differences in the security models and practice between different OSs, I see many challenges to Linux that are unfounded, and really should never be voiced if the person doing the challenging actually knew. I judge this to be one of them.

7
0
Kiwi
Reply Icon

Re: @Mr Torx

I run Linux mainly because I'm lazy. Things work out of the box without hunting for drivers, few security risks, and generally a much easier life. I work with repairing broken computers, and we can have all sorts of fun with security flaws and driver issues with MS products. I spend more time each week fixing friends machines then I have fixing all my linux installs in the last 3 years.

As a real test of how hard or easy Windows and Linux can be by comparison, might I suggest you install each in one machine, then move your hdd to a very different machine? Chances are very good that the Linux system will just run, happily, without needing any driver changes (although if you use AMD in one and NVidia in another, you might have to download or activate something due to licensing issues). All your files, settings, and programs working without any changes, and without activation issues. Try doing that with Windows, even going to a machine with identical hardware.

(Yes, I have seen machines which don't like one version or another of Linux, and have in the past experienced major driver issues - but they are actually very rare these days, and I do play with a hell of a lot of different hardware)

As to people looking for these things - er, how many millions of eyes look at Linux code? How many dozens look at Windows code? More likely someone is going to spot something shifty with Linux code than with Windows code. Where malware and exploits are concerned, there's more Linux people paying a lot of attention to their systems then there are Windows users paying attention to theirs.

Autorun.. I love it! It really does pay a significant portion of my wages. All that malware that so quickly jumps onto Windows machines when they take a USB stick from one machine to another.. Some of it jumps even when AR is turned off because of something in the way Windows processes the autorun.inf files. One of the greatest features in any Microsoft product!

(I use it on Linux as well - but then I don't need to worry about malware there :) )

Yeah yeah, I know.. Don't feed the trolls... Now, where'd I leave that rat poison...

7
1
Peter Gathercole
Reply Icon

Re: I forgot to mention

There is a distinction between an administrator account, an account that can run commands using something like UAC, and one who can log in, but cannot even run UAC.

Up to and including XP, most default users on Windows were in the first category. Windows Vista on later, the default is in the second category, as are most Linuxes. But it is possible to configure Linux users in the third category (i.e. they are not allowed to run anything using sudo or it's ilk). Most UNIX systems are configured like this, and ordinary users do not have any abillity to do anything damaging to the OS unless there is an actual defect in the security system (and note I am not saying that there are no defects in any OS).

I find it funny how UNIX, the oldest of all of the OS's mentioned, is the one that implements, the least-risk model. Just shows that people don't learn from history.

6
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17