Malware is getting more and more sophisticated as the days goes by. Windows platform is the usual target for infection of malware authors but this time they add one more target platform, Mac OSX.
Recently, another Tibetan-themed malware has been discovered which takes advantage of a patched Java Vulnerability (CVE-2011-3544).
When a user unknowingly visits malicious website, the attack will start by a script loading the malicious Java applet exploiting (CVE-2011-3544) then it will determine the malicious payload depending on what Operating System the user is using. Using the new variant samples, as you can see in Figure 1, if your OS is Windows the file “img.jar” will be executed and if your OS is Mac OSX the file “ref.jar” will be executed.
[Figure 1 – Source Code of Malicious Java Applet]
The file “img.jar” will drop and execute its payload “file.tmp”. Total Defense detects the payload as Win32/Sasfis.ODF.
The file “ref.jar” will drop and execute its payload “file.tmp”. Total Defense detects the payload as OSX/Olyx.B. Upon execution, it drops a copy of itself as “AudioServer” in /Library/Audio/Plug-Ins/. It then creates “com.apple.DockActions.plist” in the /Library/LaunchAgents/, to ensure that the backdoor is active on the system.
It contacts the remote server “avira.suroot.com”, and it is capable of performing the following commands:
• Download/Upload files to Command and Center
• Execute a command using /bin/sh
Ensure that your Java and Total Defense Products are updated with the latest updates at all times.