Wazoo Posted May 21, 2007 Share Posted May 21, 2007 As caught in the Sophos RSS feed porvided in the Wiki, yet another (apparenly experimental) virus / worm that is branching out from the typical Microsoft Windows / Office focus, going for alternative applications and coded to try to replicate and spread, no matter the platform .... http://forum.spamcop.net/scwik/SophosSecurityNews -=-=-=-=- http://www.sophos.com/pressoffice/news/art...5/badbunny.html The SB/BadBunny-A worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux. Windows: The worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a java scri_pt virus that replicates to other files in the folder. MacOS: The worm drops one of two Ruby scri_pt viruses (in files called badbunny.rb or badbunnya.rb) Linux: The worm drops badbunny.py as an XChat scri_pt and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files. The dropped XChat and mIRC scripts are used to replicate and distribute the virus, and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file. The worm, which has not been reported at any customer sites, also downloads and displays a pornographic picture of a scantily clad woman with a man dressed as a rabbit. "The group responsible for writing the BadBunny malware don't seem to have much confidence in it spreading as they have sent it directly to our labs. The hackers have written plenty of StarBasic malware in the past, but the most 'in the wild' this one is likely to get is by displaying a picture of a furvert in the woods," said Graham Cluley, senior technology consultant for Sophos. "This is old-school malware - seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users. A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image. This is not a piece of malware which we expect to see spreading in the wild, despite its use of a photograph of unusual wildlife." -=-=-=-=- Link to comment Share on other sites More sharing options...
rconner Posted May 22, 2007 Share Posted May 22, 2007 (snip) MacOS: The worm drops one of two Ruby scri_pt viruses (in files called badbunny.rb or badbunnya.rb) (snip again)) "This is old-school malware - seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users..." -=-=-=-=- Ah, yes, another "proof of concept" virus for MacOS X. They had one of these a year or two back, it got a lot of press at the time but never materialized as a threat (OS X threats, I hear, are more often inetd-based probe/crack attacks, just like for other *nix systems). Still, given Apple's aggressive touting of the security of OS X, I guess even theoretical threats will get big play in the papers (or 'blogs). The report you quoted says that the malware "drops" the scripts on OS X and Linux; the author failed to indicate whether the scripts were then actually executed (as he did for Windows). Of course, if you open the attached OpenOffice document, then these scripts may in fact be run on any system, and very possibly without any warning. And, even if you aren't so unwise as to be running as root (which is pretty close to impossible on MacOS X), the privileges associated with the standard user account are sufficient to make trouble if you should invite this malware in for a visit. The Sophos blog contains some pithy comments as to the effectiveness of this particular malware (and the skill set of its authors). -- rick Link to comment Share on other sites More sharing options...
Farelf Posted May 22, 2007 Share Posted May 22, 2007 ... The Sophos blog contains some pithy comments as to the effectiveness of this particular malware (and the skill set of its authors).A mere coincidence, I am sure, but at the moment that link returnsInternal server error There was a problem with the Sophos web server. The Sophos webmaster has been notified of the problem. Please try again later. Well, I thought it amusing ... [Ah, it is back now.] Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.