Posted by: David Harley | March 21, 2012

Mac & Windows Targeted Attacks: East of Java

[Update: note that, as indicated in Old Mac’s article here, ESET’s detection name has changed from OSX/Agent.AB to OSX/Lamadai.A.]

(Sorry, but like NCIS’s DiNozzo I can never resist a movie reference.)

While China seems to have problems of its own in terms of attacks from other countries, it’s widely assumed that malware attacks reported by SecureMac on Tibetan NGOs (non-governmental organizations) are directed from inside China’s borders. Chinese action against Tibet is hardly unexpected, as F-Secure’s suggestion of a link to Ghostnet clearly indicates, though governmental involvement with Ghostnet is, if not improbable, not universally accepted as conclusively proven. Least of all in China…  

The attacks are launched by a web-hosted malicious Java applet exploiting CVE-2011-3544 (an elderly, already-patched vulnerability in Java) to download and install a persistent (i.e. remaining active after reboot) backdoor Trojan with botnet-like C&C (command-and-control) capability, connecting to the server dns.assyra.com (100.42.217.73). A comprehensive analysis of the Windows version of the malware has already been published by AlienVault, which has a particular interest in the case, since the spearphishing emails point to a copy of AlienVault’s own report on Targeted Attacks against Tibetan organizations, but located on assyra.com (to which shenhuawg.com also points) and booby-trapped with JavaScript. Clearly, such a topic is bound to interest the very same organizations once more under attack.

However, the interesting feature as far as this blog is concerned is that the malware in question is intended to attack both PC and Mac users. SecureMac points out that the Java vulnerability in question was patched by Apple in November, and in any case Java can be disabled in Safari. (Java comes disabled by default in Lion altogether, which is starting to look like a good way to leave it.)

I presume that SecureMac has incorporated detection into the product: mainstream AV companies that also have detection for Mac versions at the time of writing include:

  • DrWeb: BackDoor.Lamadai.1
  • ESET: OSX/Agent.AB
  • F-Secure: Backdoor:OSX/Olyx.B. F-Secure has published some MD5s as shown below. Note that other vendors may also identify different components or versions using different detection names (especially where they’re for different platforms):
    • Exploit:Java/CVE-2011-3544.E — MD5: 6C8F0C055431808C1DF746F9D4BB8CB5, MD5: 453A3DC32E2FAFD39F837A1EBE62CA80
    • Backdoor:OSX/Olyx.B — MD5: 39084b60790ca3fdebe1cd93a4764819
    • Backdoor:W32/Poison.CE — MD5: 7F7CBC62C56AEC9CB351B6C1B1926265
  • Sophos: OSX/AftDr-B
  • Trend: OSX_Rhino.AE

Like SecureMac, Intego is not represented on VirusTotal, but has announced that it detects the threat as Tibet.A.
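For readers who want to check their own systems or logs against the indicators quoted above, here is a small triage script. It is an added example written for this post, not code from SecureMac, F-Secure, AlienVault or any other vendor named here. The MD5s and the C&C hostname/IP are the ones published in the post; the sample files and DNS log lines it scans are constructed for the demonstration (the actual malware samples are not included, so the file-hash check is exercised with a test-only digest registered at run time).

```python
import hashlib
import os
import re
import tempfile

# File indicators as published by F-Secure (quoted in the post), normalised to
# lower-case hex so that comparison is case-insensitive.
KNOWN_MD5S = {
    "6c8f0c055431808c1df746f9d4bb8cb5": "Exploit:Java/CVE-2011-3544.E",
    "453a3dc32e2fafd39f837a1ebe62ca80": "Exploit:Java/CVE-2011-3544.E",
    "39084b60790ca3fdebe1cd93a4764819": "Backdoor:OSX/Olyx.B",
    "7f7cbc62c56aec9cb351b6c1b1926265": "Backdoor:W32/Poison.CE",
}

# Network indicators from the post: the C&C server, its IP, and the domains that
# host the booby-trapped copy of the AlienVault report.
NETWORK_IOCS = {"dns.assyra.com", "assyra.com", "shenhuawg.com", "100.42.217.73"}

# Constructed DNS/proxy log lines for the demonstration (not real traffic).
SAMPLE_DNS_LOG = [
    "2012-03-21 09:14:02 client 10.0.0.12 query: www.example.com A",
    "2012-03-21 09:14:09 client 10.0.0.12 query: dns.assyra.com A",
    "2012-03-21 09:14:10 client 10.0.0.12 connect 100.42.217.73:443",
]

# Matches either a dotted hostname or a dotted-quad IPv4 address.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")


def md5_file(path, chunk=65536):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, known=KNOWN_MD5S):
    """Return {path: detection_name} for every file under root whose MD5 is in known."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if digest in known:
                hits[path] = known[digest]
    return hits


def _matches_ioc(token):
    """True if token is an indicator or a sub-domain of an indicator domain."""
    t = token.lower().rstrip(".")
    return t in NETWORK_IOCS or any(t.endswith("." + d) for d in NETWORK_IOCS)


def scan_log_lines(lines):
    """Return [(line_number, matched_host)] for lines mentioning a C&C host or IP."""
    findings = []
    for n, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line):
            if _matches_ioc(token):
                findings.append((n, token.lower()))
    return findings


def run_demo():
    """Build a constructed directory (one benign file, one whose MD5 we register as a
    test-only indicator, since the real samples are not available) and scan it,
    then scan the constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        with open(os.path.join(tmp, "dropped.bin"), "wb") as f:
            f.write(b"abc")
        known = dict(KNOWN_MD5S)
        known["900150983cd24fb0d6963f7d28e17f72"] = "constructed-test-sample"  # md5(b"abc")
        file_hits = {os.path.basename(p): d for p, d in scan_directory(tmp, known).items()}
    log_hits = scan_log_lines(SAMPLE_DNS_LOG)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = run_demo()
    print("file hits:", files)
    print("log hits:", logs)
```

Pointing `scan_directory` at a home directory or a mounted image and `scan_log_lines` at a resolver or proxy log is enough for a first pass; as the post notes, other vendors may name different components or versions differently, so a clean hash scan does not rule out a variant and the network indicators are the more durable check.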

MSNBC’s Matt Liebowitz has linked the attack (at any rate by proximity in his article) to Twitter spam waves generated by bots and targeting Tibetan activist conversations by including hashtags like “#Tibet” and “#freetibet”, presumably in order to drown out political dissent. According to Brian Krebs, such hashtags ‘are now so constantly inundated with junk tweets from apparently automated Twitter accounts that the hashtags have ceased to become a useful way to track the conflict.’

Other reports and resources:

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus
