If allowed to run, the applet checks which operating system is running on the user's computer -- Windows, Mac OS X or Linux -- and drops a malicious binary file for the corresponding platform.
The JAR file checks whether the user's machine is running Windows, Mac or Linux and then downloads the appropriate files for that platform. All three files for the three different platforms behave the same way: they all connect to 186.87.69.249 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively.
The files are detected as:
Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
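The callback behaviour and detection names above translate directly into indicators a defender can sweep for. The following is an added example, not code from the article or from F-Secure or Kaspersky: it scans firewall log lines for connections to the stated command-and-control address, labels each hit with the platform implied by the destination port, and matches file hashes against the four SHA-1s listed. The log line format and the sample lines are constructed for the example.

```python
import re
from collections import namedtuple

# Indicators taken from the article text: C2 address, per-platform ports, detection hashes.
C2_IP = "186.87.69.249"
C2_PORT_TO_PLATFORM = {8080: "OSX", 8081: "Linux", 8082: "Windows"}
KNOWN_SHA1 = {
    "4a52bb43ff4ae19816e1b97453835da3565387b7": "Trojan-Downloader:Java/GetShell.A",
    "b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef": "Backdoor:OSX/GetShell.A",
    "359a996b841bc02d339279d29112fe980637bf88": "Backdoor:Linux/GetShell.A",
    "26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a": "Backdoor:W32/GetShell.A",
}

# Hypothetical (constructed) firewall log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=tcp"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

Hit = namedtuple("Hit", "ts src platform port")


def find_c2_connections(log_lines):
    """Return one Hit per line whose destination is the GetShell C2 on one of its three ports.

    The port tells you which platform's backdoor the source host is running, which is useful
    for prioritising containment (e.g. a Linux server beaconing on 8081)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("dst") != C2_IP:
            continue  # malformed line or unrelated destination
        port = int(m.group("dport"))
        platform = C2_PORT_TO_PLATFORM.get(port)
        if platform is None:
            continue  # same address, but not one of the three documented ports
        hits.append(Hit(m.group("ts"), m.group("src"), platform, port))
    return hits


def match_hashes(sha1_list):
    """Map each SHA-1 (any letter case) to its detection name; unknown hashes are dropped."""
    return {h.lower(): KNOWN_SHA1[h.lower()] for h in sha1_list if h.lower() in KNOWN_SHA1}


# Constructed sample log: two true hits, one unrelated host, one C2 contact on a non-listed port.
SAMPLE_LOG = [
    "2012-01-01T10:00:00 src=10.0.0.5 dst=186.87.69.249 dport=8082 proto=tcp",
    "2012-01-01T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp",
    "2012-01-01T10:00:02 src=10.0.0.7 dst=186.87.69.249 dport=8080 proto=tcp",
    "2012-01-01T10:00:03 src=10.0.0.9 dst=186.87.69.249 dport=22 proto=tcp",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> GetShell C2 port {hit.port} ({hit.platform} backdoor)")
```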
However, since F-Secure researchers began monitoring the attack, the remote control server hasn't pushed any additional code. It appears that the attack uses the Social Engineer Toolkit (SET), a publicly available tool designed for penetration testers, Aquino said Tuesday via email. However, the chances of this being a penetration test sanctioned by the website's owner are relatively low.
Kaspersky's researchers are in the process of analyzing the backdoor-type malware downloaded by the malicious shell code on Windows and Linux. "The Win32 backdoor is large, about 600KB; the Linux backdoor is over 1MB in size, both appear to contact very complex code which communicates encrypted with other servers."