It is a common belief that Macs are virus free and not affected by malware at all, but that myth has been proven wrong by a new variety of Trojan. Security researchers at F-Secure have discovered a web exploit which detects the operating system of the target computer and installs a different Trojan tailored to that operating system.
This kind of attack was first seen on a Colombian transport website which had been hacked. The malware is called GetShell.A and works by asking the user to install a Java applet. Once the user authorizes the Java applet installation, the Trojan downloader checks the user’s operating system so that it can pick the corresponding malware. The Java applet which you will be asked to install, unsurprisingly, is not signed with a certificate.
F-Secure, which discovered the exploit, said that first a Trojan-Downloader called Java/GetShell.A is downloaded, and it runs a test to find out which operating system it is on. The Trojan then proceeds to download the respective payload for Windows, Mac or Linux. For Windows, the payload is Backdoor:W32/TES.A, for Mac it is Backdoor:OSX/TESrel.A, and for Linux it is Backdoor:Linux/GetShell.A. The Trojan downloader has apparently been written using the Social-Engineer Toolkit (SET), an open-source and freely available Python tool designed for penetration testing.
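The first thing a user could have noticed in this chain is that the applet is unsigned. A JAR file is a ZIP archive, and a signed JAR carries a signature file (`META-INF/*.SF`) together with a matching signature block (`*.RSA`, `*.DSA` or `*.EC`). The following Python script, added here as an illustration and not code from the article or from F-Secure, builds two small constructed JARs in memory and checks whether each one carries that signature structure; the file names and class bytes are made up for the example.

```python
import io
import zipfile

# Suffixes of the signature block files that accompany a META-INF/*.SF entry.
SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_jar(entries):
    """Build an in-memory JAR (a ZIP archive) from a {name: bytes-or-str} mapping.

    Used only to construct sample inputs for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def jar_is_signed(jar_bytes):
    """Return True if the JAR contains at least one META-INF/<X>.SF entry
    with a matching META-INF/<X>.RSA/.DSA/.EC signature block.

    This is a structural check only: it tells you whether a signature is
    present, not whether it is valid or trusted. Use `jarsigner -verify`
    for the actual verification.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
    meta = [n[len("META-INF/"):] for n in names if n.startswith("META-INF/")]
    sig_files = {n[:-3] for n in meta if n.upper().endswith(".SF")}
    sig_blocks = {n.rsplit(".", 1)[0] for n in meta
                  if n.upper().endswith(SIGNATURE_BLOCK_SUFFIXES)}
    return bool(sig_files & sig_blocks)


# Constructed samples (not real malware): an unsigned applet JAR, a JAR with
# a signature file and block, and a JAR with an .SF entry but no block.
UNSIGNED_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "Applet.class": b"\xca\xfe\xba\xbe",  # class-file magic only, hypothetical
})
SIGNED_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/SIGNER.SF": "Signature-Version: 1.0\n",
    "META-INF/SIGNER.RSA": b"\x30\x82",  # placeholder bytes, not a real PKCS#7 block
    "Applet.class": b"\xca\xfe\xba\xbe",
})
HALF_SIGNED_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "META-INF/SIGNER.SF": "Signature-Version: 1.0\n",
    "Applet.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED_JAR), ("signed", SIGNED_JAR),
                       ("half-signed", HALF_SIGNED_JAR)):
        print(f"{label}: signed structure present = {jar_is_signed(jar)}")
```

A JAR that fails this check is exactly what the browser's Java plugin warns about before asking the user to run it; treating that warning as a hard stop rather than a click-through is the cheapest defence against this delivery method.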
As for the nature of the payloads, the Windows payload comes in the form of shellcode which is executed using the shellcodeexec binary, a SET module. For Mac, instead of connecting to a remote server to retrieve further shellcode that would open a reverse shell, the OS X binary opens a reverse shell immediately, and this is what the attackers exploit. For Linux, the binary is the same as the OS X one; however, it uses a different server to fetch the additional code.
Karmina Aquino, a senior analyst with F-Secure, said: “All three files for the three different platforms behave the same way. They all connect to 126.96.36.199 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux and Windows, respectively.”
Though the script is built using the Social-Engineer Toolkit, its purpose has nothing remotely to do with penetration testing. All three payloads serve the same purpose: connect to a Command and Control (C&C) server, located at 188.8.131.52, and await further instructions. This pattern is typical of cases where the attacker intends to download additional malware and execute it locally. According to F-Secure, which is monitoring the Command and Control server, it has not been serving any additional code so far; however, the attacker can start doing so at any time. It is remarkable how the attackers have used Java, a platform known to have several loopholes, to create cross-platform malware.
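Because all three payloads beacon to the same address, with the port revealing the victim's platform according to the F-Secure quote above, the infection is easy to spot from egress logs even while the C&C server is not yet serving anything. The script below is an added example, not code from the article or from F-Secure: it scans a few constructed firewall log lines (the `key=value` format, the timestamps and the internal addresses are made up) for outbound connections to the two addresses the article prints, maps the destination port to the platform named in the quote, and counts flagged hosts per platform for triage.

```python
from collections import Counter

# Indicators as printed in the article: both addresses it gives for the C&C host,
# and the port-to-platform mapping from the F-Secure quote.
C2_HOSTS = {"126.96.36.199", "188.8.131.52"}
PORT_TO_PLATFORM = {8080: "OS X", 8081: "Linux", 8082: "Windows"}

# Constructed sample log lines (hypothetical firewall format: timestamp then key=value pairs).
# 192.0.2.10 is a documentation address used here as benign traffic.
SAMPLE_LOG = """\
2012-07-10T10:01:02Z src=10.0.0.12 dst=126.96.36.199 dport=8080 proto=tcp action=allow
2012-07-10T10:01:05Z src=10.0.0.12 dst=192.0.2.10 dport=443 proto=tcp action=allow
2012-07-10T10:02:11Z src=10.0.0.40 dst=126.96.36.199 dport=8082 proto=tcp action=allow
2012-07-10T10:02:30Z src=10.0.0.40 dst=126.96.36.199 dport=80 proto=tcp action=allow
2012-07-10T10:03:00Z src=10.0.0.55 dst=188.8.131.52 dport=8081 proto=tcp action=deny
"""


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict (timestamp under 'ts')."""
    parts = line.split()
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_c2_beacons(log_text, c2_hosts=C2_HOSTS, port_map=PORT_TO_PLATFORM):
    """Return one hit per line whose destination is a known C&C address on a known port.

    A denied connection is still reported: the beacon attempt itself shows the
    source host is running the backdoor, whether or not the firewall let it out.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        try:
            dport = int(rec.get("dport", ""))
        except ValueError:
            continue  # malformed or missing port: skip rather than crash
        if rec.get("dst") in c2_hosts and dport in port_map:
            hits.append({
                "ts": rec["ts"],
                "src": rec.get("src", "?"),
                "dst": rec["dst"],
                "dport": dport,
                "platform": port_map[dport],
                "action": rec.get("action", "?"),
            })
    return hits


def hosts_by_platform(hits):
    """Count distinct flagged source hosts per implied victim platform."""
    seen = {(h["src"], h["platform"]) for h in hits}
    return Counter(platform for _, platform in seen)


if __name__ == "__main__":
    for hit in find_c2_beacons(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"[{hit['platform']}] action={hit['action']}")
    print(dict(hosts_by_platform(find_c2_beacons(SAMPLE_LOG))))
```

The port-to-platform mapping only tells you which payload the host most likely received; the decisive signal is any connection at all to the C&C address, so a real watchlist should also alert on other ports to the same host rather than rely on the three ports alone.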
On 29th July 2012, The Hackers Conference 2012 is going to take place, where security researchers Sina Hatef Matbue and Arash Shirkhorshidi are going to showcase a malware called “Graviton Malware” which they developed. They claim it to be cross-platform malware, similar to the one described in this story. According to them, the purpose of Graviton is to be an artificial creature that can move between Windows, Mac and Linux while maintaining stealth at all times.
Graviton has been built using just C and assembly language. From Windows, it is able to transmit details such as CPU details, disk details, memory usage, OS version and user name back to the attacker. It is also able to download and execute a file, or open a shell to receive further commands in order to cause further damage. With these kinds of viruses being designed and spread, the fight against computer viruses seems to be getting tougher every day.