New Cross-Platform Malware Attacking Windows and Mac Users
Hackers have used the well known security problems of Java to build cross-platform malware that can infect both Windows and Mac OS X users. It exploits the same Java vulnerability as the infamous Flashback malware, CVE-2012-0507; the difference is that here the exploit is used to download malware tailored to whichever operating system it lands on. The malicious Java applet detects the operating system it is running on, then uses a Trojan dropper to fetch the OS-specific payload from the internet and open a backdoor through which the attackers can control the computer.
Platform identification makes this deadlier than Flashback
The major difference between Flashback and this malware is its ability to identify the operating system it is running on and act accordingly. Malware authors favour cross-platform attack vectors because they save work: one exploit serves both Windows and Mac victims, so there is no need to write separate code for each. It is no surprise that they chose Java as the delivery platform, since it is installed on both systems and has a long record of security flaws.
Modus Operandi of the Malware
As mentioned above, the malware arrives as a Java applet. Once it runs on a computer it determines the operating system. The Trojan dropper it then uses is a Python script (.py) on Mac OS X or a native Windows executable (.exe); the dropper downloads the backdoor from the internet and installs it. Python is rarely used for malware, but it works here because Python ships with Mac OS X by default. The applet breaks out of the Java sandbox with the well known CVE-2012-0507 vulnerability (a type-confusion bug in AtomicReferenceArray) so that it can write and run files on the system. The backdoor Trojan is update.py on Macs and ntshrui.dll on Windows; both are downloaded from the same server. It gives the attackers remote access to the machine: they can send and run commands, upload further code and steal files.
Capability
The Mac backdoor throttles how often it polls the server for commands, to avoid tripping IDS or IPS detection. Its command-and-control traffic is compressed with zlib or encrypted with RC4. It can list files and folders, download files, upload files, put the computer to sleep or open a remote shell. The Windows version reports system details such as memory usage, disk capacity, user name, OS version and CPU, and can download and execute a file.
Remedy
You can search for and delete the dropped files by hand. /Users/Shared is a Mac OS X path, so both files named here belong to the Mac infection: /Users/Shared/Update.sh (shell script) and /Users/Shared/update.py (Python script). On Windows the backdoor is the ntshrui.dll described above; take care, because ntshrui.dll is also the name of a legitimate Windows system DLL in System32, so identify the malicious copy by its location and hash rather than by name alone. Oracle's patch for CVE-2012-0507 has been available since February 14th. Apple has not released a Java patch for versions older than Snow Leopard, leaving users of those systems to upgrade to a newer OS version. If you do not need Java, your best bet is to disable it, at least in the browser. Install all the latest patches that your OS vendor releases.
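The following is an added example, not code from the original article or from any of the vendors involved: a POSIX shell check for a Mac that looks for the dropped files named above and flags a Java runtime that predates the CVE-2012-0507 fix. The two indicator paths are the article's. The version cut-offs are not from the article: Oracle shipped the fix in Java SE 6 Update 31 and Java SE 7 Update 3 on February 14th, 2012, and Apple's update for Snow Leopard and Lion carried 1.6.0_31. Treating every Java line older than 1.6 as unpatched is my assumption, chosen to match the article's note that Apple left pre-Snow Leopard systems without a fix; the use of /usr/libexec/java_home to avoid macOS's install prompt is also an assumption about the host, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): check a Mac for the dropped
# files named in the article and for a Java runtime that predates the
# CVE-2012-0507 fix.

# Indicator paths, as given in the article.
IOC_FILES="/Users/Shared/update.py /Users/Shared/Update.sh"

# check_iocs [ROOT]: look for the indicator files under ROOT (default: the
# real filesystem). Prints each hit; returns 0 if clean, 1 if anything found.
check_iocs() {
    ioc_root="${1:-}"
    ioc_found=0
    for ioc in $IOC_FILES; do
        if [ -e "$ioc_root$ioc" ]; then
            echo "FOUND: $ioc_root$ioc"
            ls -l "$ioc_root$ioc"
            ioc_found=1
        fi
    done
    return $ioc_found
}

# java_vulnerable VERSION: decide from a Java version string such as 1.6.0_29
# whether the runtime predates the CVE-2012-0507 fix. Cut-offs (not from the
# article): Oracle fixed it in Java SE 6 Update 31 and 7 Update 3. Anything
# older than the 1.6 line is treated as unpatched (assumption, matching the
# article's note on pre-Snow Leopard Macs). Returns 0 if vulnerable.
java_vulnerable() {
    jv="$1"
    case "$jv" in
        *_*) jv_update="${jv##*_}" ;;   # text after the underscore: 29
        *)   jv_update=0 ;;             # no update number at all
    esac
    jv_update="${jv_update%%-*}"        # drop build suffixes like -b04
    jv_line="${jv%%_*}"                 # 1.6.0, 1.7.0, ...
    case "$jv_line" in
        1.6.0) [ "$jv_update" -lt 31 ] ;;
        1.7.0) [ "$jv_update" -lt 3 ] ;;
        1.[0-5].*) return 0 ;;
        *) return 1 ;;                  # 1.8+ and later numbering: patched
    esac
}

# installed_java_version: the quoted version from `java -version`, or empty
# when no runtime is present. /usr/libexec/java_home (macOS) is consulted
# first so that a Java-less Mac does not pop up its install prompt.
installed_java_version() {
    command -v java >/dev/null 2>&1 || return 0
    if [ -x /usr/libexec/java_home ]; then
        /usr/libexec/java_home >/dev/null 2>&1 || return 0
    fi
    java -version 2>&1 | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p' | head -n1
}

main() {
    status=0
    echo "Checking for dropped files..."
    check_iocs || status=1
    jver="$(installed_java_version)"
    if [ -z "$jver" ]; then
        echo "Java runtime: none found"
    elif java_vulnerable "$jver"; then
        echo "Java runtime $jver predates the CVE-2012-0507 fix: update or disable Java"
        status=1
    else
        echo "Java runtime $jver includes the CVE-2012-0507 fix"
    fi
    return $status
}

main "$@"
```

Run it as `sh java_ioc_check.sh` (a hypothetical file name) on the Mac in question; a non-zero exit means either a dropped file was found or Java needs patching. It deliberately only reports, so that a hit can be preserved for analysis before anything is deleted. The Windows side is not covered: the article gives no path for the malicious ntshrui.dll, and a legitimate DLL of that name lives in System32, so matching on the name alone would be misleading.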