A year ago, we published a blog post titled 'Backdoor Olyx - is it malware on a mission for Mac?'. It explored the intriguing questions that lay behind this backdoor's discovery, delivery and targets. We provided our observations and analysis, and suggested that this threat was used in a targeted attack against unknown victims. However, we found no clue at that time as to 'how' the threat was installed to its targets - an important missing piece that we've continued to investigate over time.
As shown in the timeline below, a succeeding variation of threats can be identified with the same suggested attack tactic – exploiting known vulnerabilities in software to install a backdoor to its target.
Upon closer inspection of this event, we observed that this malicious code may be delivered via the Web by exploiting Java vulnerabilities (referred to in CVE-2011-3544 and CVE-2012-0507). The second form of delivery we observed was via email attachment, where the malware distributors may attempt to take advantage of known Word document vulnerabilities (referred to in CVE-2010-3333) and the vulnerabilities resolved with the release of Microsoft Security Bulletin MS09-027. It is also important to point out that these vulnerabilities affect multiple platforms, and in this case, affect both Windows and Mac.
This observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker's motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals' in exploit kits, such as Blacole/Blackhole.
If we look at this trend, then we start to notice that the following vulnerabilities in Java, Adobe PDF and Flash, and Microsoft Office documents, listed in the table below, may be used to target and attack multiple platforms. Note that these vulnerabilities have been patched; appropriate security updates for them have been released.
This highlights the importance of keeping security software up-to-date, and ensuring operating system and 3rd party security patches are installed (soon after they become available) in order to reduce the risk of malware infection. And, this best practice should extend to all devices and platforms, especially those in large enterprise networks.
Methusela Cebrian Ferrer