Both Mac and Windows are Targeted at Once

Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers.

On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS. This is explained further in the following illustration:


When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type malware written in Python. However, if the threat is running on a Windows operating system, it downloads a standard Windows executable file dropper. Both droppers drop a Trojan horse program that opens a back door on the compromised computer.

The following Java code illustrates how the Java Applet malware checks which OS it is running on, downloads the dropper, and executes it:


The Trojan only checks whether it is a Windows operating system or not in this code, but the downloaded Python dropper checks again whether it is a Mac operating system or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not a popular script to write malware in, but it works fine on a Mac operating system because Python has already been installed by default.

Finally, one of two back door Trojans is dropped on to the computer. These two Trojans are downloaded from the same server, but are a little bit different from each other.

The back door Trojan for the Mac operating system written in Python can control the “polling times”, which is related to how many times it gets commands from the server at certain time intervals. The author has done this in order to avoid IDS or IPS detection by reducing network communication. The network connection is also encrypted by RC4 or compressed by Zlib.

Currently, the main function is only to get a Python script and execute it. The threat also has the following functions, but these are currently disabled:

  • Download files
  • List files and folders
  • Open a remote shell
  • Sleep
  • Upload files

On the other hand, the back door Trojan for the Windows operating system is written in C++. This Trojan sends the following information back to the remote attacker:

  • CPU details
  • Disk details
  • Memory usage
  • OS version
  • User name

The Trojan may also download a file and execute it, or open a shell to receive commands.

Recently, malware that targets Mac computers, such as OSX.Flashback and OSX.Sabpab, are increasing. This recent increase provides evidence that malware authors now consider Mac computers a viable battleground along with the Windows platform. Certainly it is now time for you to arm your Mac computer with a good security product.

Symantec detects the Java Applet malware as Trojan.Maljava, the droppers as Trojan.Dropper, and the back door Trojans as Backdoor.Trojan. We continue to watch out for both Mac and Windows malware in order to protect our customers.

To stay safe, please ensure that you have the latest patches installed on your system and keep your antivirus definitions up to date.