ESET’s Alexis Dorais-Joncas has published some further analysis on the malware also discussed by AlienVault Labs and Intego, among others (including David!), and which ESET detects as OSX/Lamadai.
As Mr. Harley pointed out, this malware is exploiting a somewhat elderly vulnerability: in fact, Apple patched it back in November. Here are the MD5s for the samples analysed by ESET:
MD5 of the files analysed:
- 39084b60790ca3fdebe1cd93a4764819 file-mac.tmp (OSX payload)

MD5s of related files:
- 7f7cbc62c56aec9cb351b6c1b1926265 file-win.tmp (Win32 payload)
- dd7421fb6ca03c5752a06cffb996285a index.jar (OSX/Linux dropper)
- 2d86dce83851f76493ba0492d066c095 default.jar (Win32 dropper)
- 4b6eb782f9d508bbe0e7cfbae1346a43 index.html (HTML serving the droppers)
Dorais-Joncas points out that the code they analysed doesn’t resemble OSX/Olyx, but revisiting the MD5s F-Secure provided for threats related to what it calls OSX/Olyx.B, it looks as if both companies are looking at much the same code and drawing different conclusions about malware families. Which only makes a point we’ve made many times before: when the media try to base their conclusions on the malware names assigned by different companies, they’re on a hiding to nothing. In a time of sample glut like the 21st century, arbitrary naming tells you more about the perception and processes of individual labs than it does about the relationship between binaries.
- Exploit:Java/CVE-2011-3544.E — MD5: 6C8F0C055431808C1DF746F9D4BB8CB5, MD5: 453A3DC32E2FAFD39F837A1EBE62CA80
- Backdoor:OSX/Olyx.B — MD5: 39084b60790ca3fdebe1cd93a4764819
- Backdoor:W32/Poison.CE — MD5: 7F7CBC62C56AEC9CB351B6C1B1926265