New Java malware attacks Apple's OS X along with Windows, Linux

Posted in macOS, edited January 2014
A new form of browser-based cross-platform malware can give hackers remote access to computers running Apple's OS X, Microsoft's Windows, and even Linux.

The multi-platform backdoor malware was disclosed this week by security firm F-Secure. It was originally discovered on a Colombian Transport website, and relies on social engineering to trick users into running a Java Archive file, meaning it is not likely to be a major threat.

However, its cross-platform design is unique. If users grant permission to the Java Archive, the malware will secretly determine whether the user is running a Mac, a Windows PC, or a Linux machine. When running on a Mac, the malware will remotely connect to an IP address through port 8080 to obtain additional code to execute.

Anti-virus maker Sophos said on Wednesday that the new malware has the potential to affect a higher number of people because of its multi-platform strategy. Typically, malware and viruses target Windows PCs, as they represent the overwhelming majority of computers.

"Once it has found out which operating system you are running, the Java class file will download the appropriate flavor of malware, with the intention of opening a backdoor that will give hackers remote access to your computer," explained Graham Cluley, senior technology consultant with Sophos.
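The article describes a Java dropper that fingerprints the host OS, then fetches a platform-specific payload from a remote host over port 8080. As an added example (not F-Secure's or Sophos's tooling, and not code from the original article), the Python below performs a defender-side static triage of a JAR: it walks the archive's class files, searches for generic indicator strings for OS fingerprinting, networking and process execution, and extracts any embedded URLs. The indicator list and the in-memory sample JAR it builds are constructed assumptions for illustration. Class names and string literals sit in the class file's constant pool as modified UTF-8, which is why a plain byte search is enough for a first pass.

```python
import io
import re
import zipfile

# Generic indicator strings for a first-pass triage (assumption: a hand-picked
# heuristic list for illustration, not any vendor's signature set).
INDICATORS = {
    "os_fingerprint": [b"os.name", b"os.arch"],
    "network": [b"java.net.URL", b"java.net.Socket", b":8080"],
    "exec": [b"java/lang/Runtime", b"java/lang/ProcessBuilder", b"exec"],
}

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # stops at NUL or whitespace


def triage_class(data):
    """Return (indicators, endpoints) found in one class file's raw bytes.

    Class names and string literals live in the constant pool as modified
    UTF-8, so a plain substring search is enough for a triage pass."""
    indicators = {}
    for category, needles in INDICATORS.items():
        hits = [n.decode() for n in needles if n in data]
        if hits:
            indicators[category] = hits
    endpoints = [m.decode() for m in URL_RE.findall(data)]
    return indicators, endpoints


def triage_jar(jar_bytes):
    """Walk every .class entry in a JAR (a zip archive) and report the suspicious ones."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            if not data.startswith(CLASS_MAGIC):
                continue  # not a class file despite the extension
            indicators, endpoints = triage_class(data)
            if indicators or endpoints:
                report[name] = {"indicators": indicators, "endpoints": endpoints}
    return report


def risk_score(report):
    """Number of distinct indicator categories seen across the whole archive (0 to 3)."""
    categories = set()
    for entry in report.values():
        categories.update(entry["indicators"])
    return len(categories)


def build_sample_jar():
    """Constructed sample: an in-memory JAR with one fake 'dropper' class and one
    benign class. Only the class-file magic and a few constant-pool-like strings
    are present; neither entry is a real or runnable class."""
    dropper = CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00".join([
        b"os.name", b"java/lang/Runtime", b"exec",
        b"http://192.0.2.10:8080/", b"java.net.URL",
    ])
    benign = CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00".join([
        b"Hello, world", b"java/lang/System",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Dropper.class", dropper)
        zf.writestr("Hello.class", benign)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for name, entry in report.items():
        print(name, entry)
    print("risk score:", risk_score(report))
```

A hit in all three categories plus an embedded endpoint is a reason to detonate the archive in a sandbox or hold it at the proxy, not proof of malice on its own: legitimate installers also read `os.name` and open network connections. The value of the pass is that it runs offline in milliseconds and surfaces the endpoint worth checking against proxy logs.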

On a Mac, the new malware is identified as "Backdoor:OSX/GetShell.A." According to F-Secure, it is a PowerPC binary, which means users running a modern, Intel-based Mac must also have Rosetta installed for it to run.

While rare, cross-platform malware attacks are not unheard of. In 2010, a Trojan known as "trojan.osx.boonana.a" was a Java-based exploit that affected both Macs running OS X, as well as Windows PCs.

As Apple's Mac platform has grown in popularity and outpaced the PC market as a whole, the OS X platform has become a bigger target for hackers. Last month, Apple opted to tone down promotional language on its website that once claimed the Mac "doesn't get PC viruses." Apple's website now says that OS X is "built to be safe."

That change was made just a few months after more than 600,000 Macs were estimated to have been infected by a trojan horse named "Flashback." More than half of the Macs believed to be infected by the botnet were found in the U.S. alone before Apple aggressively released a series of software updates to quash the malware.

Comments

  • Reply 1 of 67
    tallest skil Posts: 43,236 member
    First Flash, now Java… what else is total crap that we can get rid of?

    OS X shouldn't have to suffer this nonsense.
  • Reply 2 of 67
    MacPro Posts: 17,378 member
    I'm surprised the 'Continue' button is shown as the default on the Mac dialog. The default is usually the safest option in my experience.
  • Reply 3 of 67
    Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.
  • Reply 4 of 67
    gazoobee Posts: 3,754 member
    Quote: Originally Posted by Tallest Skil
    First Flash, now Java… what else is total crap that we can get rid of?
    OS X shouldn't have to suffer this nonsense.

    Yep, unless you are in business, you shouldn't even have Java installed, or turned on. The average user doesn't need it for squat.
  • Reply 5 of 67
    gazoobee Posts: 3,754 member
    Quote: Originally Posted by Suddenly Newton
    Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.

    Except every University or large corporation I've ever visited or worked for has self-trusted and sometimes unsigned certificates from time to time. The reality is that you just have to trust sometimes.

    I think the real problem here is Java.
  • Reply 6 of 67
    apple ][ Posts: 8,360 member
    These social engineering tricks and malware scams are targeting dumb people, because that's what somebody has to be, in order to get tricked by this.

    ComuTV? And it says right there in very red letters, "This root certificate is not to be trusted". If somebody clicks "continue", then they only have themselves to blame.
  • Reply 7 of 67
    jragosta Posts: 10,473 member
    Quote: Originally Posted by MacPro
    I'm surprised the 'Continue' button is shown as the default on the Mac dialog. The default is usually the safest option in my experience.

    It should be, but is often neglected. I would suggest submitting a bug report to Apple if you observe that in real life.

    Meanwhile, it's a common failing. For example, on this site, when you log in, the 'remember ID and password' is checked by default and shouldn't be.
  • Reply 8 of 67
    Since it is PowerPC code for Macs, it shouldn't affect anyone running Lion (since Rosetta was removed) and only people who opted to install Rosetta on Snow Leopard.
  • Reply 9 of 67
    lkrupp Posts: 6,073 member
    So let me get this straight. In order for a Mac to get infected you A) must have Java installed AND active and B) you must have Rosetta installed and C) you have to fall for the malware social engineering ploy.

    I'm running Lion with Java installed but not turned on. Since the latest Java update turns Java off by default and will turn it off if inactive after a period of time, I wonder how many Macs will be vulnerable.
  • Reply 10 of 67
    lkrupp Posts: 6,073 member
    Quote: Originally Posted by Apple ][
    These social engineering tricks and malware scams are targeting dumb people, because that's what somebody has to be, in order to get tricked by this.

    ComuTV? And it says right there in very red letters, "This root certificate is not to be trusted". If somebody clicks "continue", then they only have themselves to blame.

    If there were no "dumb" people in the world we wouldn't need a GUI, would we. The whole idea of personal computing is to make the technology useable by all. The "smart" people in some ways are responsible for keeping the "dumb" people safe in spite of themselves.
  • Reply 11 of 67
    aaarrrgggh Posts: 1,558 member
    Quote: Originally Posted by Suddenly Newton
    Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.

    That doesn't even help you. There are plenty of less reputable CA's that might sign a certificate for something that isn't above-board. Hopefully bank0famerica.com wouldn't get through any more, or other similar typo-squats, but have you ever looked at the list of default root CAs installed on your machine? It is a trust chain, and if you don't trust the people at the top.

    Then there is the problem of appliances with self-signed certs, like routers and VOIP phones. What if someone placed malware on them-- to administer you need to trust the cert.

    About all you can do is compartmentalize risk. That is getting harder and harder to do when companies track not only cookies and IP addresses but linked behavior with other sites. I can't find a practical solution for that yet other than using an untrusted account on a non-critical server with a different user and password database than the critical servers for VNC/ssh access.
  • Reply 12 of 67
    Quote: Originally Posted by Tallest Skil
    First Flash, now Java… what else is total crap that we can get rid of?
    OS X shouldn't have to suffer this nonsense.

    To be fair, this is not exploiting a security weakness in Java. It's exploiting a weakness in users. If you're dumb enough to download a random file from the internet, and run it despite security warnings, then it doesn't matter what language it's written in.
  • Reply 13 of 67
    apple ][ Posts: 8,360 member
    Quote: Originally Posted by lkrupp
    If there were no "dumb" people in the world we wouldn't need a GUI, would we. The whole idea of personal computing is to make the technology useable by all. The "smart" people in some ways are responsible for keeping the "dumb" people safe in spite of themselves.

    Sure, I don't disagree, but there are limits as to how much technology can protect a person. At the end of the day, each person has to be responsible for what they do.

    If a person is likely to get scammed through the telephone or by a door salesman or by an email from Nigeria, then they are a likely candidate to also get scammed by this malware.
  • Reply 14 of 67
    Quote: Originally Posted by Suddenly Newton
    Never accept self-trusted certs, or certs with issues of any kind, like having untrusted root CAs. Even if you trust the hosting website, which can be hacked.

    That's exactly right, no offense but if you fall victim to this ploy it isn't like there weren't signs something was up. Does "not trusted" mean anything to anyone?

    Considering Java also isn't installed by default on new Macs this is really a non-issue. Linux is actually more at risk than OS X here since Java is installed by default on most Linux distros.

    10.8 will bring welcome features for personal & corporate alike since it will let you restrict not only to the App Store but also to external developers so long as they have a valid developer cert from Apple.
  • Reply 15 of 67
    povilas Posts: 473 member
    Quote: Originally Posted by lkrupp
    If there were no "dumb" people in the world we wouldn't need a GUI, would we. The whole idea of personal computing is to make the technology useable by all. The "smart" people in some ways are responsible for keeping the "dumb" people safe in spite of themselves.

    Really. I don't care how smart you are, it's just simply less productive to try working in a command line world. Please don't make stuff up. Thank you.
  • Reply 16 of 67
    anonymouse Posts: 6,558 member
    Quote: Originally Posted by Rennaisance
    To be fair, this is not exploiting a security weakness in Java. It's exploiting a weakness in users. If you're dumb enough to download a random file from the internet, and run it despite security warnings, then it doesn't matter what language it's written in.

    There's a tendency to assume an attitude of arrogance in fields where one has a degree of expertise. This isn't about being dumb, it's about exploiting lack of knowledge and bad habits instilled by daily work with computers. People get conditioned into clicking OK or Continue (especially on Windows) just to be able to get work done. After a while all those permissions dialogs just become noise that most people don't even read, mainly because even when they do, they don't understand what the dialogs are saying. (This is the fundamental flaw in, say, Android's permissions system. I'll bet most Android users have no idea what they are granting apps access to; all they know is that they have to allow stuff if they want it to run.)

    I think this points out the advantages of iOS and the direction Apple is going with sandboxing on OS X. The operating system does need to protect users from these sorts of exploits.
  • Reply 17 of 67
    elroth Posts: 1,201 member
    Quote: Originally Posted by hezetation
    Considering Java also isn't installed by default on new Macs this is really a non-issue. Linux is actually more at risk than OS X here since Java is installed by default on most Linux distros.

    10.8 will bring welcome features for personal & corporate alike since it will let you restrict not only to the App Store but also to external developers so long as they have a valid developer cert from Apple.

    There are still a LOT of people on Snow Leopard (with Rosetta installed), and will be for some time. The direction Lion and ML have gone has stopped many people from upgrading, at least for now.
  • Reply 18 of 67
    wizard69 Posts: 12,466 member
    Quote: Originally Posted by Rennaisance
    To be fair, this is not exploiting a security weakness in Java. It's exploiting a weakness in users. If you're dumb enough to download a random file from the internet, and run it despite security warnings, then it doesn't matter what language it's written in.

    ++++++++

    Exactly! This could just as well be a nicely compiled Mac binary file.

    As a side note, people seem to want to resist some of Mountain Lion's new security features, but yet we see here clear reasons for Apple to tighten up on security. As incentives increase for people to exploit weaknesses in the OS we will see more security issues. We can all be thankful that this one requires the user to make a few mistakes to execute.
  • Reply 19 of 67
    pxt Posts: 683 member
    Deleted by self.

    And no, that's not an object oriented post. Sheesh!
  • Reply 20 of 67
    pxt Posts: 683 member
    Quote: Originally Posted by Apple ][
    These social engineering tricks and malware scams are targeting dumb people, because that's what somebody has to be, in order to get tricked by this.

    ComuTV? And it says right there in very red letters, "This root certificate is not to be trusted". If somebody clicks "continue", then they only have themselves to blame.

    You don't have to be dumb.

    You just have to be someone that doesn't work in tech and doesn't spend their spare time on sites like AppleInsider.

    Statistically, that's everyone.