Cross-Platform Flaws a Boon For Attackers

Author: Dennis Fisher

July 31, 2012 1:46 pm

Attackers and malware writers, like many other people, tend to specialize, honing their skills in one particular discipline in order to maximize their chances for success. But Microsoft researchers have come across a series of malware samples and exploits that show that some attackers are beginning to target the same vulnerability across multiple platforms as a way to make the most out of their efforts.

Even though Windows and Mac are still pretty well separated as platforms, there are a number of applications that run on both operating systems, including things such as Adobe Flash, Reader and Java. Attackers, not wanting to waste any time on small target bases and looking to maximize their profits, are focusing their efforts on vulnerabilities in these applications.

Microsoft researchers looked at a specific set of vulnerabilities that are found in applications on both Windows and Mac OS X and found that some attackers are going after flaws from as far back as 2009 in Office documents, and 2010 in Flash and Java and Reader.

“This observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals’ in exploit kits, such as Blacole/Blackhole,” Methusela Cebrian Ferrer of the Microsoft Malware Protection Center wrote.

Microsoft’s investigation of the way that attackers are using cross-platform vulnerabilities began about a year ago when the company’s researchers came across a backdoor aimed at Mac users. The malware disguised itself as a Google app on the infected machine and then initiated a remote connection to a command-and-control server.

“Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directory. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia,” Ferrer wrote at the time.

“Furthermore, another interesting observation here is that the feature set and the code found in this backdoor appear to be similar to that of Gh0st RAT 3.6, also known as ‘Ghostnet’.”

The backdoor included both a Mac and Windows executable in the files it installed on infected machines, an unusual behavior for a piece of malware. That got the researchers thinking about what might be going on and whether there were other attackers employing the same strategy and going after bugs on both Windows and OS X.

This highlights the importance of keeping security software up-to-date, and ensuring operating system and 3rd party security patches are installed (soon after they become available) in order to reduce the risk of malware infection. And, this best practice should extend to all devices and platforms, especially those in large enterprise networks,” Ferrer wrote.