Malware sniffs for Windows, Mac OS X or Linux
A new piece of malware has been detected that uses a self-signed JAR file as part of a social engineering attack to get its backdoor installed. The JAR file, which appears to have been generated with TrustedSec's Social Engineer Toolkit, is deploying malware on Windows, Mac OS X and Linux; when a user has allowed it to run, it downloads an appropriate backdoor shell for the platform. The malware was found by F-Secure on a "compromised Columbian Transport site".
Each of the different versions of the shell behaves the same, connecting back to a port (8080 for Mac OS X, 8081 for Linux and 8082 for Windows) at IP address 220.127.116.11 (which appears to be a dynamically allocated IP belonging to a cable company) to request a payload. F-Secure initially said that no commands or code had been sent to the shells but it appears to have withdrawn that statement. The Mac OS X shell appears to be quite out of date, being a Power PC binary, and requires that the user install Apple's Rosetta PowerPC translation application to run it.
Linux-targeted malware is not new, but has typically been exclusively targeted at Linux; in this case though, the criminals deploying the malware thought it was worthwhile to ensure their social engineering and malware for Windows and Mac OS X also worked on Linux. F-Secure says it has reported the original infected site and the command & control (C&C) site.