Earlier this week security company F-Secure uncovered a new Web-based malware attack that uses Java to identify and distribute platform-specific malware binaries to OS X, Windows, and Linux installations. In the company's first findings, the malware being issued for OS X was a PowerPC binary, which prevented it from running on many Macs using Snow Leopard and Lion; however, new developments have unveiled an x86 binary for the malware.
This new variant of the malware is essentially the same as the previous findings, except that it runs on Lion and Snow Leopard systems without the need for Rosetta. As before, the malware is installed by visiting a rogue Web site that runs a small Java applet. The applet first checks which platform the system is running, then connects to a remote server on port 8080 for OS X, 8081 for Linux, and, in this variant, 443 for Windows (the earlier variant used port 8082), and downloads a platform-specific malware binary. That binary then sets up a backdoor on the system that gives an attacker remote access.
Overall the attack method is the same, but the delivery differs slightly. In the attack found earlier this week the downloaded binaries needed to fetch further components in order to work properly; in the more recent findings these components have been packaged together, so once downloaded the binary can immediately function as a backdoor.
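A defender-side check for the download step described above, added here as an example that is not part of the article or of F-Secure's report: it scans proxy log lines for requests made by the JVM's own HTTP client (whose default User-Agent begins with `Java/`) that hit one of the ports listed above or pull an opaque binary, and tags each hit with the platform that port hints at. The log format, hostnames and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Ports the article reports per platform; 8082 was the earlier Windows port.
PORT_PLATFORM = {8080: "OS X", 8081: "Linux", 443: "Windows",
                 8082: "Windows (earlier variant)"}

# Constructed proxy log lines in an assumed format (not from the article):
# timestamp client method url status bytes content-type "user-agent"
SAMPLE_LOG = """\
2012-07-11T10:01:03 10.0.0.5 GET http://cdn.example.test/app.jar 200 20480 application/java-archive "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)"
2012-07-11T10:01:05 10.0.0.5 GET http://203.0.113.9:8080/mac 200 145000 application/octet-stream "Java/1.6.0_33"
2012-07-11T10:02:10 10.0.0.7 GET http://203.0.113.9:8081/lin 200 98000 application/octet-stream "Java/1.6.0_26"
2012-07-11T10:03:00 10.0.0.9 GET http://203.0.113.9:443/win 200 120000 application/octet-stream "Java/1.7.0_05"
2012-07-11T10:04:00 10.0.0.5 GET http://intranet.example.test:8080/status 200 300 application/json "Mozilla/5.0"
2012-07-11T10:05:00 10.0.0.11 GET http://maven.example.test/lib.jar 200 4000 application/java-archive "Java/1.6.0_33"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Split one log line into a dict; None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, status, _size, ctype, ua = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "host": u.hostname,
            "port": u.port or (443 if u.scheme == "https" else 80),
            "status": int(status), "ctype": ctype, "ua": ua}

def flag_java_drops(lines):
    """Requests made by the JVM itself (default User-Agent 'Java/<version>', assumed
    not rewritten by a proxy) that hit one of the article's ports or pull an opaque
    binary. Browser-initiated traffic, such as loading the applet, is ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ua"].startswith("Java/"):
            continue
        reasons = []
        if rec["port"] in PORT_PLATFORM:
            reasons.append("port %d" % rec["port"])
        if rec["ctype"] == "application/octet-stream":
            reasons.append("opaque binary download")
        if reasons:
            rec["platform_hint"] = PORT_PLATFORM.get(rec["port"], "unknown")
            rec["reason"] = "; ".join(reasons)
            hits.append(rec)
    return hits
```

The port-based hint alone is noisy (legitimate Java tooling fetches from 8080 and 443 all day), so the opaque-binary reason is the one to weight when triaging hits.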
While this development slightly increases the chance of this malware affecting more Mac systems, overall the threat to Mac users is still relatively low. The attack requires a working installation of Java in order to execute, and it still uses self-signed certificates, which cause a warning to be shown to the user when the Java applet runs. Since Apple has removed Java from OS X in Lion, Lion users without Java will not be affected by the malware should they run into it. Additionally, Apple's latest Java updates implement an automatic-disabling routine that turns off the Java Internet plug-in after about 30 days of no use. Therefore, unless you use Java regularly, running into this malware will produce additional warnings that a Java applet is being run on your system.
F-Secure notes that while this threat is still considered low for most people, the server being used to issue the malware is a different one from its previous findings, and there may be even more out there. In short, though this threat has the potential to become a larger issue, for now it is a low-key affair that security companies are keeping an eye on.