For most of the recorded history of malware, viruses, Trojans and other malicious software have been specialists. Each piece of malware typically targeted one platform, be it Windows, OS X or now, one of the mobile platforms. But the last few months have seen the rise of cross-platform malware that has the ability to infect several different kinds of machines with small variations to its code.
Attackers, like people in other walks of life, tend to specialize. They find something that they’re good at, say, writing Windows rootkits or creating OS X Trojans, and they often will stick with that. There’s not much reason to branch out if they’re having success with something already. For a long time, most malware was written for Windows, because that’s where most of the users are. Going after OS X or Linux didn’t make a lot of sense.
But that’s begun to change lately. One recent example is the Crisis Trojan, which has the ability to infect both Windows and Mac OS X machines. The first version of Crisis that researchers discovered targeted various versions of OS X, and it was a typical data-stealing Trojan, listening in on email and instant messenger communications. The interesting thing about Crisis is not only that there are versions for multiple platforms, but also that the installer for the malware, which masquerades as an Adobe Flash installer, checks to see what operating system it’s on and then installs the appropriate version.
The malware also has a function that looks for VMware images stored on the infected machine, and if it finds one, it will mount the image and then copy itself to the virtual machine image.
Researchers found a similar piece of malware back in April. That one was disguised as a Java applet that would install different payloads depending upon what OS the target machine was running. So, attackers have decided that more is better when it comes to platforms. Why restrict your creation to just Windows or OS X when you can have both?
Microsoft researchers looked at a recent attack that involved a piece of malware using similar techniques and found that the attackers have been honing their skills.
“In the case of a cross-platform offering, the attacker utilizes a decision agent to recognize the appropriate package or software for its target. When the victim pulls pages or content from the attacker’s distribution channel, an agent (often referred to as the browser’s user-agent) provides information, and a decision is made on behalf of the victim – that is, it automatically identifies the appropriate package or software without asking the user,” Methusela Cebrian Ferrer of Microsoft’s Malware Protection Center wrote in an analysis of the techniques used by cross-platform malware.
“However, in the recent event described, we observed that the delivery of malicious code through vulnerabilities in Java employs a decision agent as part of a cross-platform attack. As shown in the timeline below, we first noticed this feature used in a Java vulnerability referred to as CVE-2011-3544. It was followed last month by the use of a Java Signed Applet attack – a form of social engineering where the user is lured to accept a signed Java applet and thereafter allows the attacker to run any payload.”
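The decision-agent pattern Ferrer describes leaves a trace on the defender's side: one URL that hands back different binaries depending on the operating system in the requesting user-agent. The following Python heuristic, added here as an example and not code from the article or from Microsoft, scans proxy logs for that pattern; the log format, hostnames, sizes and digest values are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the article). Fields:
# timestamp client url "user-agent" content-type bytes response-digest
SAMPLE_LOG = """\
2012-08-01T10:00:01 10.0.0.5 http://cdn.example.invalid/update/flash "Mozilla/5.0 (Windows NT 6.1; WOW64)" application/octet-stream 314212 a1b2c3
2012-08-01T10:00:07 10.0.0.9 http://cdn.example.invalid/update/flash "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)" application/octet-stream 502118 d4e5f6
2012-08-01T10:00:09 10.0.0.7 http://cdn.example.invalid/update/flash "Mozilla/5.0 (Windows NT 5.1)" application/octet-stream 314212 a1b2c3
2012-08-01T10:01:00 10.0.0.5 http://static.example.invalid/logo.png "Mozilla/5.0 (Windows NT 6.1; WOW64)" image/png 8012 777777
2012-08-01T10:01:02 10.0.0.9 http://static.example.invalid/logo.png "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)" image/png 8012 777777
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+) (\d+) (\S+)$')

# Content types that usually carry an installer or applet rather than a page asset.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/java-archive", "application/zip"}

def os_family(user_agent):
    """Coarse OS bucket derived from the user-agent string."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "osx"
    if "linux" in ua or "x11" in ua:
        return "linux"
    return "other"

def parse(log_text):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, _client, url, ua, ctype, size, digest = m.groups()
            yield {"url": url, "os": os_family(ua), "ctype": ctype,
                   "size": int(size), "digest": digest}

def find_os_dispatching_urls(log_text):
    """Return {url: {os_family: [digests]}} for URLs that served different
    binary content to clients reporting different operating systems.
    This is a triage signal only: legitimate download sites dispatch by OS too."""
    by_url = defaultdict(lambda: defaultdict(set))
    for rec in parse(log_text):
        if rec["ctype"] in BINARY_TYPES:
            by_url[rec["url"]][rec["os"]].add(rec["digest"])
    flagged = {}
    for url, per_os in by_url.items():
        if len(per_os) >= 2 and len(set().union(*per_os.values())) > 1:
            flagged[url] = {os_name: sorted(d) for os_name, d in per_os.items()}
    return flagged
```

Pivoting from a flagged URL to the distinct digests gives the analyst one sample per platform to submit for inspection, which is where the Windows/OS X pairing described above would surface.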
One thing that’s helping drive this trend is the existence of vulnerabilities in apps such as Java that are installed on several platforms, giving attackers the ability to use one vulnerability to get their malware on more than one platform. That’s a key advantage for the attackers, and highlights the importance of keeping third-party apps patched and up to date.