Researchers at F-Secure have uncovered a new exploit that attempts to install a backdoor malware program on Windows, Linux, and OS X machines. As with other malware, this uses social engineering approaches to try tricking users, but in addition it runs a check to see what operating system the user is running and then issues a malware installer for that platform.
The attack was found on a Columbian transport Web site, where once visited, a Java applet would run using a self-signed certificate. On all platforms this certificate will flag a warning that notifies the user it is not from an authorized signing agency, but if the user continues to execute the Java applet then it will download a binary for the respective platform, which will connect to a server and download additional components of the attach, using TCP ports 8080 for OS X, 8081 for Linux, and 8082 for Windows.
While this type of approach is nothing new, the malware developers in this case have been rather careless, especially with regard to the OS X component of the attack. While the Windows and Linux binaries that are downloaded will run on those platforms, the OS X version is a PowerPC binary so it will not run on any Intel-based Mac without Rosetta. While Apple included Rosetta in OS X Leopard, it is an optional download for Snow Leopard, and was removed entirely in Lion. Therefore, this malware will not run on systems with Lion or Snow Leopard without Rosetta.
Mac security company Intego also notes that the malware was thrown together with readily available tools such as MetaSploit, which indicates the attack authors are not particularly technically savvy individuals.
Overall, this threat is of very low concern, especially for Mac users who keep their systems up to date. However, it does serve as a reminder to only use services that you personally trust or that use a legitimate certificate signing authority. If at any point you see a program, applet, or other resource attempt to use a self-signed certificate, then be sure you personally trust the source before using it (i.e., it is from a server you own or manage). Legitimate commercial vendors will use certificates signed by an authority like VeriSign, which authenticates to the root certificates in your system to ensure applets and other transactions with the service are legitimate and secure.
To check any certificate, you can click on the secure connection indicator that will appear in or near your Web browser's address bar (and should appear green in color for valid certificates). Clicking this indicator will display information about the certificate, including an indicator that it is valid (such as a green check and a note stating the certificate is valid). A valid certificate means that the signing authority has confirmed that the company or service is the original one that was verified and issued a certificate. If you see an invalid or self-signed certificate, then consider avoiding the service until the authentication problem has been resolved.