Date: 02 May 2012
Malware that targets multiple operating systems is not necessarily complex; however, up until now Windows has tended
to be a primary target due, at least partially, to a larger user base. [1] Perhaps due to the popularity of the iPhone and
iPad, other Apple products, such as the Mac, have enjoyed increased sales in the last few years. [2] Increased sales,
however, have resulted in increased malware. The prevalence of Flashback is one indicator. [3] [4] Another is the
emergence of malware that targets multiple operating systems at once. Back door trojans exploiting Java vulnerabilities
are becoming particularly commonplace, most likely because Java is platform independent, meaning that a single
vulnerability can be exploited on multiple operating systems. [4]
Earlier this year, for example, Trend Micro documented several email campaigns that exploited Java vulnerabilities. The
first round targeted Windows users, but later emails contained malware that checked the operating system before
loading a back door trojan for either Mac or Windows. The trojan is then used to send and receive information between
the infected host and server(s) under the control of the bad guys. [5]
In another similar case, users were prompted to click on a link promoting a Tibetan festival. Again, the malware checks
the operating system. Once loaded, both versions report to the same server, allowing the possibility of transferring files
and browsing directories on the compromised machines. [6]
Symantec have more recently discovered Java Applet malware that also targets Windows and Mac. The malware checks
if the operating system is Windows and if so, loads an executable which then drops a back door trojan. If the system is
not Windows, the malware loads a Python script instead which then checks for a Mac operating system, loading a
different back door trojan if the check is positive. The Mac and Windows versions of the malware differ in functionality
slightly, with some features being present but disabled in the Mac version whereas the Windows version appears to
send information about the host back to the controlling server. Symantec believes the trojan could possibly download
and execute files or open a shell on the host in order to receive commands. [7]
The examples described above, along with the large number of Macs infected with Flashback, demonstrate that using
a non-Windows operating system is not a security measure. "Running away to a more obscure, less targeted platform is
only a viable solution as long as the platform remains more obscure and less targeted," says Tom Bradley of PC World.
Instead, everyone should follow good security practices and not rely on security through obscurity. [1] [8]
Olivia Swann
Information Security Analyst
AusCERT
[1] Protection for Mac and Linux Computers
[2] Once Wary, Apple Warms Up to Business Market
[3] OSX_FLASHBCK: A Backlash to Apple's Popularity?
[4] Flashback the largest Mac malware threat yet, experts say
[5] News of Malicious Email Campaign Used as Social Engineering Bait
[6] Another Tibetan-Themed Malware Email Campaign Targeting Windows and Macs
[7] Both Mac and Windows are Targeted at Once
[8] Why switching OS platforms is not a security fix