Platform-Specific Java Attack

Tuesday, July 17, 2012 @ 04:07 PM gHale

There is a new Web-based malware attack that uses Java to identify and distribute platform-specific malware binaries to OS X, Windows, and Linux installations.

The first OS X payload was a PowerPC binary, which could not run on Lion (Apple dropped Rosetta, its PowerPC translation layer, in 10.7) or on Snow Leopard systems without Rosetta installed; researchers at F-Secure have since found an x86 build of the same malware.
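The PowerPC-versus-x86 distinction above is the first thing a responder wants to settle when a dropped binary turns up: which platform it targets, which CPU it was built for, and whether it can run on an Intel Mac at all. The following triage helper is an added example, not code from F-Secure or from the article; it reads only the file headers (Mach-O thin and fat, ELF, PE) using the public header layouts, and the sample headers at the bottom are constructed byte strings, not real malware. The MAX_FAT_ARCHES cut-off is an assumption used to avoid mistaking a Java .class file, which shares the CA FE BA BE magic, for a fat Mach-O.

```python
import struct

# Header constants from Apple's <mach-o/loader.h> and <mach/machine.h>,
# the ELF specification and the PE/COFF specification.
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
CPU_ARCH_ABI64 = 0x01000000
MACH_CPU = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
            18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64"}
ELF_MACHINE = {3: "i386", 62: "x86_64", 20: "ppc", 21: "ppc64"}
PE_MACHINE = {0x14C: "i386", 0x8664: "x86_64"}

# Heuristic (assumption): a real fat header never declares this many slices. A
# Java .class file starts with the same CA FE BA BE magic, and bytes 4-7 of a
# class file hold its minor/major version, which reads as an implausible nfat_arch.
MAX_FAT_ARCHES = 16


def _macho_arches(blob):
    """Return the CPU architectures of a thin or fat Mach-O, or None if not Mach-O."""
    if len(blob) < 8:
        return None
    be_magic, be_word = struct.unpack(">II", blob[:8])
    le_magic = struct.unpack("<I", blob[:4])[0]
    if be_magic == FAT_MAGIC:
        nfat = be_word
        if nfat == 0 or nfat > MAX_FAT_ARCHES or len(blob) < 8 + 20 * nfat:
            return None  # malformed, or a Java class file wearing the same magic
        arches = []
        for i in range(nfat):  # struct fat_arch: cputype, cpusubtype, offset, size, align
            cputype = struct.unpack(">i", blob[8 + 20 * i:12 + 20 * i])[0]
            arches.append(MACH_CPU.get(cputype, "cpu%d" % cputype))
        return arches
    # Thin Mach-O: the magic is stored in the file's native byte order, so a
    # PowerPC binary reads FE ED FA CE and an Intel binary reads CE FA ED FE.
    if be_magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"
    elif le_magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    else:
        return None
    cputype = struct.unpack(endian + "i", blob[4:8])[0]
    return [MACH_CPU.get(cputype, "cpu%d" % cputype)]


def classify(blob):
    """Say which platform a dropped binary targets, which CPU it was built for,
    and whether it would run natively on an Intel Mac (i.e. without Rosetta)."""
    if blob[:4] == b"\x7fELF" and len(blob) >= 20:
        endian = "<" if blob[5] == 1 else ">"                  # EI_DATA: 1 = LSB, 2 = MSB
        machine = struct.unpack(endian + "H", blob[18:20])[0]   # e_machine
        return {"platform": "Linux", "archs": [ELF_MACHINE.get(machine, "em%d" % machine)],
                "native_intel_mac": False}
    arches = _macho_arches(blob)
    if arches is not None:
        return {"platform": "OS X", "archs": arches,
                "native_intel_mac": any(a in ("i386", "x86_64") for a in arches)}
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack("<I", blob[0x3C:0x40])[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(blob) >= e_lfanew + 6:
            machine = struct.unpack("<H", blob[e_lfanew + 4:e_lfanew + 6])[0]
            return {"platform": "Windows", "archs": [PE_MACHINE.get(machine, "m%#x" % machine)],
                    "native_intel_mac": False}
    return {"platform": "unknown", "archs": [], "native_intel_mac": False}


# Constructed sample headers (not real malware): just enough bytes to be parsed.
PPC_MACHO = struct.pack(">7I", MH_MAGIC, 18, 0, 2, 0, 0, 0)   # big-endian, CPU_TYPE_POWERPC
X86_MACHO = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 0, 0, 0)    # little-endian, CPU_TYPE_I386
FAT_MACHO = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">iiIII", 18, 0, 4096, 64, 12)
             + struct.pack(">iiIII", 7, 3, 8192, 64, 12))
ELF_I386 = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 3) + b"\0" * 32
PE_I386 = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18
JAVA_CLASS = bytes.fromhex("cafebabe00000032") + b"\0" * 16   # a .class file, not a fat binary

if __name__ == "__main__":
    for name, blob in [("ppc", PPC_MACHO), ("x86", X86_MACHO), ("fat", FAT_MACHO),
                       ("elf", ELF_I386), ("pe", PE_I386), ("class", JAVA_CLASS)]:
        print(name, classify(blob))
```

Point it at the file the applet dropped: a result of platform "OS X" with archs ["ppc"] and native_intel_mac False is exactly the first-generation payload described above, which a Lion machine cannot execute; ["i386"] or a fat ["ppc", "i386"] is the newer build and does run. Note that the applet JAR's own .class entries will come back "unknown" rather than being misreported as fat Mach-O.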


The new variant is essentially the same as the earlier one, except that, being an x86 build, it runs on Lion and Snow Leopard systems without Rosetta. As before, infection begins with a visit to a rogue Web site that loads a small Java applet. The applet first checks which platform it is running on, then connects back to a remote server on a platform-specific port (8080 for OS X, 8081 for Linux, and this time 443 for Windows, where the earlier variant used 8082) and downloads a binary built for that platform. That binary installs a backdoor that gives the attacker remote access to the system.

The overall method is unchanged, but the packaging differs. In the attack found earlier this week the downloaded binary still had to fetch further components before it was fully functional; in the more recent samples those components are bundled together, so the binary works as a backdoor as soon as it lands.
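The chain described in the two paragraphs above (applet loads, applet chooses a port by platform, binary comes down, backdoor starts) leaves a distinctive trace in outbound proxy logs: one client fetches a JAR and then, seconds later, pulls a binary from the same server on 8080, 8081 or 443. The script below is an added example of that correlation, not F-Secure's detection logic and not code from the article. The log format, the content types treated as "applet" and "binary", the 120-second window and the hostnames in the sample lines are all assumptions; the sample log is constructed for the example.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Ports the applet was seen using for the second-stage download, per platform.
DROP_PORTS = {8080: "OS X", 8081: "Linux", 443: "Windows"}
APPLET_TYPES = {"application/java-archive", "application/x-java-applet", "application/x-jar"}
BINARY_TYPES = {"application/octet-stream", "application/x-mach-binary",
                "application/x-executable", "application/x-msdownload"}
WINDOW_SECONDS = 120   # assumption: applet-to-payload gap we still treat as one chain


def parse_line(line):
    """Parse one line of the constructed proxy log format used below:
    <iso-timestamp> <client> <method> <url> <status> <content-type>"""
    ts, client, method, url, status, ctype = line.split()
    u = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": u.hostname, "port": u.port or (443 if u.scheme == "https" else 80),
            "path": u.path, "status": int(status), "ctype": ctype.lower()}


def find_applet_drops(lines):
    """Return one hit per client that loaded a JAR applet and then, within
    WINDOW_SECONDS, fetched a binary from the same server on a drop port."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    applet_seen = {}          # (client, host) -> time the applet was fetched
    hits = []
    for e in events:
        key = (e["client"], e["host"])
        if e["ctype"] in APPLET_TYPES or e["path"].lower().endswith(".jar"):
            applet_seen[key] = e["ts"]
            continue
        t_applet = applet_seen.get(key)
        if t_applet is None or e["status"] != 200:
            continue
        if e["port"] not in DROP_PORTS or e["ctype"] not in BINARY_TYPES:
            continue
        gap = (e["ts"] - t_applet).total_seconds()
        if gap > WINDOW_SECONDS:
            continue              # too long after the applet: not this chain
        hits.append({"client": e["client"], "host": e["host"], "port": e["port"],
                     "platform": DROP_PORTS[e["port"]], "url_path": e["path"],
                     "seconds_after_applet": gap})
    return hits


# Constructed sample log: three infected clients, one benign JAR user, one stale download.
SAMPLE_LOG = """\
2012-07-17T14:07:01 10.0.0.5 GET http://rogue.example.org/index.html 200 text/html
2012-07-17T14:07:02 10.0.0.5 GET http://rogue.example.org/applet.jar 200 application/java-archive
2012-07-17T14:07:04 10.0.0.5 GET http://rogue.example.org:8080/update 200 application/octet-stream
2012-07-17T14:07:30 10.0.0.9 GET http://rogue.example.org/applet.jar 200 application/java-archive
2012-07-17T14:07:33 10.0.0.9 GET http://rogue.example.org:8081/update 200 application/octet-stream
2012-07-17T14:07:50 10.0.0.11 GET http://rogue.example.org/applet.jar 200 application/java-archive
2012-07-17T14:07:52 10.0.0.11 GET https://rogue.example.org/update 200 application/x-msdownload
2012-07-17T14:08:10 10.0.0.7 GET http://cdn.example.net/lib.jar 200 application/java-archive
2012-07-17T14:08:12 10.0.0.7 GET http://cdn.example.net/lib.js 200 application/javascript
2012-07-17T14:20:00 10.0.0.5 GET http://rogue.example.org:8080/late 200 application/octet-stream
"""

if __name__ == "__main__":
    for hit in find_applet_drops(SAMPLE_LOG.splitlines()):
        print("%(client)s <- %(host)s:%(port)d (%(platform)s payload, %(seconds_after_applet).0fs after applet)" % hit)
```

The 443 case is the noisy one: plenty of legitimate sites serve a JAR and an installer from the same host, so treat a 443 hit as a lead to pivot on (pull the downloaded file and check its headers) rather than an alert on its own; the 8080/8081 hits are a much tighter match to the behaviour F-Secure describes.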

While this development slightly raises the number of Macs the malware can run on, the threat to Mac users is still relatively low. The attack needs a working Java installation, and the applet is still signed with a self-signed certificate, so Java warns the user before it runs. Lion no longer ships with Java, so users who have never installed it are not exposed even if they land on the rogue site. In addition, Apple's latest Java update automatically disables the Java Web plug-in after about 30 days without use, so unless you use Java regularly you will see additional prompts before the applet can run on your system.

While the threat is still low for most people, the server distributing the malware is a different one from that seen in the earlier findings, and there may be more out there, F-Secure said. In short, the attack has the potential to grow into a larger issue, but for now it is a low-key affair that security companies are keeping an eye on.
