Ask almost any Linux or Mac user and they will tell you that they are much better protected against viruses and online threats. But is this really true?
Not necessarily so.
Sure, most malware writers target Windows based systems due to the large volume of potential targets. But, malicious executables and scripts work just as well against Linux and Mac systems.
I have recently been working on a video showing Backtrack 5 in action against a Windows 7 target and wondered, ‘How well would some of the same attacks work against a Mac or Linux system?’
So, I fired up Backtrack 5 in my lab and used it to create a test malicious website. The site serves up a backdoored java applet to a target machine when they connect to the page.
This is what the simulated target machine saw when it surfed to the website:
The target machine is an Ubuntu 11.04 machine, running Google Chrome, with the built in firewall enabled and an updated Anti-Virus program running. As you can see, the webpage is a bogus “message from the CEO” page and it instructs the user to run the Java popup. A real malicious page could look much more believable or could even be an exact clone of an existing site.
When the user clicks “run”, a remote shell session (Session 1) is created on the Backtrack 5 machine as seen below:
And that is it. I now have read/write access to the Ubuntu host in the context of the logged in user. I ran a few Linux commands to verify the connection. Commands entered are highlighted by a white box:
I checked the Ubuntu version, the present user name and the user’s identity.
I then checked the disk space, surfed to the users document directory and viewed the contents of the file named “Test”:
And finally, checked the processes running on the remote system:
I do not have root access at this point, just user level access. But from here I could check the system for other vulnerabilities that could be exploited. Or if my goal was just to collect user data or documents, no further penetration is necessary.
Malicious scripts and executables are encoded and obfuscated to purposely bypass anti-virus programs. And once they are run on a target machine, Windows, Mac or Linux, they connect out through the firewall to the attacker machine. It is imperative to educate your users about these types of attacks and tell them to never allow programs to run from unknown websites or e-mails.
Running script blocking programs like “Noscript“, and disabling script capabilities in browsers really help against these types of attacks. But users with privileges can and will allow programs to run if they really think they need the program or gadget that the attacker is offering.
Finally, locking down what sites your users can connect out to and monitoring the traffic leaving your network is always a good idea in preventing or detecting these types of attacks.