Attackers and malware writers, like many other people, tend to specialize, honing their skills in one particular discipline in order to maximize their chances for success. But Microsoft researchers have come across a series of malware samples and exploits that show that some attackers are beginning to target the same vulnerability across multiple platforms as a way to make the most out of their efforts.
Even though Windows and Mac are still pretty well separated as platforms, there are a number of applications that run on both operating systems, including things such as Adobe Flash, Reader and Java. Attackers, not wanting to waste any time on small target bases and looking to maximize their profits, are focusing their efforts on vulnerabilities in these applications.
Microsoft researchers looked at a specific set of vulnerabilities found in applications that run on both Windows and Mac OS X and found that some attackers are still going after flaws dating back to 2009 in Office documents and to 2010 in Flash, Java and Reader.
“This observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals in exploit kits, such as Blacole/Blackhole,” Methusela Cebrian Ferrer of the Microsoft Malware Protection Center wrote.
Microsoft’s investigation of the way that attackers are using cross-platform vulnerabilities began about a year ago when the company’s researchers came across a backdoor aimed at Mac users. The malware disguised itself as a Google app on the infected machine and then initiated a remote connection to a command-and-control server.
“Once connected, the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download and navigate through files and directories. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia,” Ferrer wrote at the time.