No matter what people think about it, the increasing exposure of Linux and OS X to malicious code is closely related to the growing presence of those operating systems on desktops and laptops. In the last couple of years, more and more home users have decided to switch to Linux (e.g. Ubuntu, to name one of the best known distributions) or OS X. Most of these users, when asked why they switched from Windows to another operating system, answer by blaming Windows’ critical exposure to malware.
However, this trend has been followed by many virus writers as well, who have started writing malicious code able to target these alternative operating systems. This shouldn’t be a surprise, as it is the expected response from cybercrime: the more users run Linux and OS X, the more interested virus writers become in infecting them too.
This is the main reason why the security industry has seen a rising trend of malware attacks involving OS X over the last year. Apple has also chosen to include a basic malware scanner in its operating system, turned on by default and regularly updated through the system update mechanism. To be fair, we are not yet seeing the same level of complexity already reached by Windows-based malware – which is clearly a good thing. On the other hand, it means that malware writers have plenty of room to improve their capabilities on these operating systems. Things are changing quickly, as the Wirenet trojan shows.
First isolated by the Russian security company Dr.Web, Wirenet is a trojan with backdoor features that hits Linux and Mac users in a way very similar to what trojans currently do on Windows. Wirenet is among the first cross-platform password-stealing trojans, able to steal sensitive data from Linux and Mac environments as well as from Windows and Solaris.
How the infection reaches the operating system is still unknown, though it is reasonable to assume that social engineering and unpatched flaws in Java and/or Flash plugins could have played a key role in its spread.
When executed, the infection runs as a standard executable (ELF on Linux and Solaris, Mach-O on OS X, PE on Windows) located in the current user’s session. The infection is easy to spot, if you know what to look for. Its behavior nonetheless gives it access to all the user’s sensitive data it wants. Don’t forget that even ZeuS and SpyEye infections on Windows are pure user-mode infections, yet they have been able to steal a critical amount of sensitive data worldwide and are still among the most common banking infections.
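The cross-platform point above, as an added example that is not from the original article or from Dr.Web's analysis: a Python classifier that recognises ELF, Mach-O and PE files by their headers rather than by extension, plus a walk of a user-writable tree that reports every native executable found there, which is the kind of check a defender can run against the user-session footprint described. The sample headers are constructed for the test and are not Wirenet artefacts.

```python
import os
import struct

# Executable formats named in the article, recognised by their headers rather
# than by file name, since a dropped binary may carry any extension or none.
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, big/little endian
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the Java class magic

def classify_executable(data):
    """Return 'ELF', 'Mach-O', 'PE' or None for the first bytes of a file."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        # Heuristic: a fat header's nfat_arch is tiny, while a Java class file
        # carries its major version (45 or more) in the same big-endian field.
        if struct.unpack_from(">I", data, 4)[0] < 45:
            return "Mach-O"
    # PE: DOS 'MZ' stub whose e_lfanew (offset 0x3c) points at 'PE\0\0'.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "PE"
    return None

def scan_user_tree(root, max_read=4096):
    """Walk a user-writable tree and list every file that is a native executable."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_executable(fh.read(max_read))
            except OSError:
                continue  # unreadable or vanished; not worth aborting the scan
            if kind:
                hits.append((path, kind))
    return hits

# Constructed sample headers (not real malware) to exercise the classifier.
SAMPLE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57
SAMPLE_MACHO64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
SAMPLE_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
             + b"\x00" * 0x40 + b"PE\x00\x00")
```

Running `scan_user_tree(os.path.expanduser("~"))` lists the native binaries sitting in the home directory, where an unexpected ELF, Mach-O or PE file deserves a closer look.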