Friday, 30 March 2012

Malware attacks both PC and Mac

This month security companies discovered a threat that attacks both Windows PCs and Macs running OS X.

The threat, called JAVA_RHINO.AE by Trend Micro, arrives via infected websites, which means that potential victims won't notice anything amiss unless their security software detects it. It exploits a vulnerability in Java*.

Java is commonly found on both types of computer, which is interesting in itself. Its presence reduces the difference between a PC and a Mac by some way. There are, of course, other very significant similarities that I've mentioned before.

Here is the really interesting part, though. When it runs, the threat determines whether it is running on a Mac or a PC and behaves differently depending on what it finds.

In the words of Trend Micro:

"Once it successfully exploits the said vulnerability, it drops and executes the following file:
  • On Windows: %User Temp%\file.tmp - detected as TROJ_RHINO.AE
  • On Mac OS X: /tmp/file.tmp - detected as OSX_RHINO.AE"
-----
Related news: Security company AlienVault, which is investigating Mac malware at the moment, has found a new Trojan containing a relatively ancient Linux backdoor from 1999.
-----

* UPDATE: I have just noticed that this vulnerability has been included in the Metasploit Framework since November 2011.

Ranked as 'Excellent' (which means that it works very reliably), the exploit is described thus:
"This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc)"
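
A defender's check built from the two quoted descriptions above, added here as an example and not code from Trend Micro, Metasploit or this blog: it tests whether an installed Java falls in the quoted version range and whether the quoted drop path exists. The function names are illustrative, "%User Temp%" is assumed to be the TEMP/TMP environment variable, and "version 7" is assumed to mean 7 with no update number.

```python
import ntpath
import posixpath
import re

# Matches the quoted string in `java -version` output, e.g. java version "1.6.0_27"
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from `java -version` text, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def in_affected_range(banner):
    """True if the version is in the range the quoted module description names."""
    major, update = parse_java_version(banner) or (0, 0)
    if major == 6:
        return update <= 27
    if major == 7:
        return update == 0  # assumption: "version 7" means 7 with no update
    return False  # outside the quoted range (or unparseable), not proven safe


def drop_path(system, env):
    """Path Trend Micro lists for the dropped file on this OS, else None."""
    if system == "Windows":
        # assumption: Trend Micro's %User Temp% is the user's TEMP/TMP folder
        temp = env.get("TEMP") or env.get("TMP")
        return ntpath.join(temp, "file.tmp") if temp else None
    if system == "Darwin":
        return posixpath.join("/tmp", "file.tmp")
    return None


if __name__ == "__main__":
    import os
    import platform
    import subprocess
    try:
        # `java -version` writes its banner to stderr
        banner = subprocess.run(["java", "-version"],
                                capture_output=True, text=True).stderr
    except FileNotFoundError:
        banner = ""
    print("Java in quoted affected range:", in_affected_range(banner))
    path = drop_path(platform.system(), os.environ)
    # file.tmp is a generic name: a hit is a lead to scan, not a verdict
    print("Drop path present:", bool(path) and os.path.exists(path))
```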