Backtrack 5: Linux and Mac Vulnerable to Malicious Scripts

Wednesday, August 31, 2011

Dan Dieterle


Ask almost any Linux or Mac user and they will tell you that they are much better protected against viruses and online threats. But is this really true?

Not necessarily so.

Sure, most malware writers target Windows-based systems because of the sheer number of potential targets. But a malicious executable or script that a user can be talked into running works just as well against Linux and Mac systems.

I have recently been working on a video showing Backtrack 5 in action against a Windows 7 target and wondered, ‘How well would some of the same attacks work against a Mac or Linux system?’

So, I fired up Backtrack 5 in my lab and used it to create a test malicious website. The site serves a Java applet carrying a backdoor to any browser that loads the page; the browser's Java plugin then asks the user whether to run it.

This is what the simulated target machine saw when it surfed to the website:


The target machine is an Ubuntu 11.04 machine running Google Chrome, with the built-in firewall enabled and an updated anti-virus program running. As you can see, the webpage is a bogus "message from the CEO" page, and it instructs the user to accept the Java security prompt and run the applet. A real malicious page could look much more believable, or could even be an exact clone of an existing site.

When the user clicks "Run", the applet's payload connects back to the Backtrack 5 machine, where a remote shell session (Session 1) is opened, as seen below:


And that is it. I now have read/write access to the Ubuntu host in the context of the logged-in user, that is, to everything that user can read or write. I ran a few Linux commands to verify the connection. The commands entered are highlighted by a white box:


I checked the Ubuntu version, the current user name and the user's uid and group memberships.

I then checked the disk space, changed to the user's Documents directory and viewed the contents of the file named "Test":


And finally, checked the processes running on the remote system:


I do not have root access at this point, just user-level access. But from here I could enumerate the system for other vulnerabilities that could be exploited to gain root. Or, if my goal was just to collect user data or documents, no further penetration is necessary: the user's own files are already within reach.

Malicious scripts and executables are encoded and obfuscated specifically so that anti-virus signatures do not match them. And once they run on a target machine, Windows, Mac or Linux alike, they connect out to the attacker's machine rather than waiting for an inbound connection, so a host firewall that blocks inbound traffic but allows outbound traffic does not stop them. It is imperative to educate your users about these types of attacks and tell them never to allow programs to run from unknown websites or e-mails.
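To make the "connects out through the firewall" point concrete, here is an added example written for this edit; it is not the Metasploit/SET payload used in the post, only a stand-in that reproduces the traffic pattern. The target side opens the outbound TCP connection, the attacker's handler then drives the session by sending commands and reading replies. The target answers a fixed set of Python-implemented commands rather than spawning a shell, and the loopback address, ephemeral port and command names are assumptions made for the example.

```python
"""Added example: a minimal reverse-connection session over loopback.

Not the Metasploit/SET payload from the post.  It mimics the traffic
pattern the post describes: the TARGET side dials out to the handler,
and the handler then sends commands and reads replies.  The target only
answers a fixed set of Python-implemented commands (no shell is spawned),
which is enough to show why an outbound-only connection passes a host
firewall that blocks inbound traffic.  Addresses, ports and command
names are assumptions made for the example.
"""
import os
import socket
import threading


def _whoami():
    # getpass.getuser() can raise in minimal containers; fall back to the uid.
    try:
        import getpass
        return getpass.getuser()
    except Exception:
        return "uid %d" % os.getuid()


# The only "commands" the simulated backdoor will answer.
COMMANDS = {
    "whoami": _whoami,
    "id": lambda: "uid=%d gid=%d" % (os.getuid(), os.getgid()),
    "pwd": os.getcwd,
}


def target(handler_host, handler_port):
    """Target side: CONNECT OUT to the handler (an outbound TCP connection,
    which a default allow-egress host firewall permits) and answer commands
    line by line until told to exit."""
    with socket.create_connection((handler_host, handler_port)) as sock:
        f = sock.makefile("rwb")
        while True:
            line = f.readline()
            if not line:
                break                        # handler went away
            cmd = line.rstrip(b"\n").decode()
            if cmd == "exit":
                break
            fn = COMMANDS.get(cmd)
            reply = fn() if fn else "unknown command: " + cmd
            f.write(reply.replace("\n", " ").encode() + b"\n")
            f.flush()


def handler(listen_sock, commands, results):
    """Attacker side ("Session 1" in the post): accept the connection the
    target initiated, send each command, record the reply."""
    conn, _peer = listen_sock.accept()
    with conn:
        f = conn.makefile("rwb")
        for cmd in commands:
            f.write(cmd.encode() + b"\n")
            f.flush()
            results[cmd] = f.readline().rstrip(b"\n").decode()
        f.write(b"exit\n")
        f.flush()


def run_demo(commands=("whoami", "id", "pwd", "uname -a")):
    """Run both sides in one process over loopback; return {command: reply}."""
    listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listen_sock.bind(("127.0.0.1", 0))  # ephemeral port; a real handler sits on 443
    listen_sock.listen(1)
    port = listen_sock.getsockname()[1]
    results = {}
    t = threading.Thread(target=handler, args=(listen_sock, commands, results))
    t.start()
    target("127.0.0.1", port)           # the "victim" dials out
    t.join()
    listen_sock.close()
    return results


if __name__ == "__main__":
    for cmd, out in run_demo().items():
        print("%-8s -> %s" % (cmd, out))
```

Note the direction of the SYN: the listening socket lives on the attacker's side, and the only packet the target's firewall sees is an outbound connection from the user's session, which looks exactly like a browser fetching a page. That is why inbound-only firewall rules give no protection here, and why the egress controls discussed below matter.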

Running script-blocking add-ons like NoScript, and disabling Java and other active content in the browser, really helps against these types of attacks. But a user who can click through the prompt can and will allow the program to run if they really think they need the program or gadget the attacker is offering, and as the demo shows, no administrative rights are needed for that.

Finally, restricting which sites your users can connect out to and monitoring the traffic leaving your network is always a good idea, both for preventing these types of attacks and for detecting them when prevention fails.
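As an added illustration of that last point (example code written for this edit, not anything from the post), here is an egress check over constructed Zeek-style conn.log lines: every direct outbound connection from a workstation that does not go through the proxy is flagged, and any long-lived, low-volume session leaving the network, whether direct or through the proxy, is flagged as a possible reverse shell. The internal range, proxy and DNS addresses, the trimmed log layout and the thresholds are assumptions for a small office network.

```python
"""Added example: an egress check plus a "long-lived, low-volume outbound
session" heuristic, run over constructed Zeek-style conn.log lines.

The log lines are made up for the example and use a trimmed version of
Zeek's conn.log field layout.  The internal range, proxy and DNS
addresses and the thresholds are assumptions for a small office network;
they are not values from the post.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed workstation range
PROXY = ("10.0.0.5", 3128)                     # assumed: the only permitted path out
LONG_SESSION_S = 300        # an interactive shell stays up for minutes...
LOW_VOLUME_BYTES = 20_000   # ...while moving very little data

REASON_BYPASS = "direct outbound connection, not via proxy"
REASON_SHELL = "long-lived low-volume session (possible reverse shell)"

# Constructed sample; a real conn.log has more columns.
SAMPLE_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tduration\torig_bytes\tresp_bytes\n"
    "1314800000.1\t10.0.1.23\t51432\t10.0.0.2\t53\tudp\t0.02\t60\t120\n"           # DNS
    "1314800001.5\t10.0.1.23\t51440\t10.0.0.5\t3128\ttcp\t2.1\t1500\t310000\n"     # browsing via proxy
    "1314800010.0\t10.0.1.23\t51451\t203.0.113.10\t443\ttcp\t1800.0\t2100\t1900\n"  # 30 min, 4 KB, direct
    "1314800020.7\t10.0.1.40\t49211\t198.51.100.7\t443\ttcp\t1.2\t1800\t52000\n"    # direct but short
    "1314800030.2\t10.0.1.31\t50122\t10.0.0.5\t3128\ttcp\t2400.0\t3000\t2500\n"     # 40 min idle via proxy
)


@dataclass
class Conn:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text):
    """Parse tab-separated lines in the trimmed layout above; skip '#' headers."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        conns.append(Conn(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5],
                          float(f[6]), int(f[7]), int(f[8])))
    return conns


def check_egress(conns):
    """Return (orig_h, resp_h, resp_p, reason) tuples for connections from
    internal hosts that leave the network directly (policy says proxy only)
    or that look like an interactive reverse shell.  A single connection
    can trigger both reasons."""
    alerts = []
    for c in conns:
        if ipaddress.ip_address(c.orig_h) not in INTERNAL:
            continue                                    # only judge our own hosts
        dst_external = ipaddress.ip_address(c.resp_h) not in INTERNAL
        via_proxy = (c.resp_h, c.resp_p) == PROXY
        if dst_external:
            alerts.append((c.orig_h, c.resp_h, c.resp_p, REASON_BYPASS))
        if ((dst_external or via_proxy) and c.duration >= LONG_SESSION_S
                and c.orig_bytes + c.resp_bytes < LOW_VOLUME_BYTES):
            alerts.append((c.orig_h, c.resp_h, c.resp_p, REASON_SHELL))
    return alerts


if __name__ == "__main__":
    for src, dst, port, reason in check_egress(parse_conn_log(SAMPLE_LOG)):
        print("%s -> %s:%d  %s" % (src, dst, port, reason))
```

The first rule is the prevention side: if the perimeter firewall only lets the proxy out, a direct connection to a handler on port 443 never completes, and its appearance in the log is itself a misconfiguration or an attack to chase. The second rule is the detection side and is only a heuristic: an idle SSH session or a long-running chat client has the same shape, so tune the thresholds to your network and treat a hit as a lead, not a verdict.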

Cross-posted from Cyber Arms

Tags: Information Security, Linux, Ubuntu, Backtrack, Attacks, Mac, Malicious Code, backdoor
Don Eijndhoven: Discovered Backtrack, huh? You DO realize that web attacks are so popular precisely *because* they work cross-platform? In other words: this is old hat.

If you want to see something more impressive, run Metasploit properly and try out Autopwn. Now THAT's automation.
Dan Dieterle: I hear you, Don. You are correct, this is old hat. And the crazy thing is that people still fall for this type of attack constantly.

This is just a very simple demonstration of what could happen when someone allows an unknown program to run.

If just one person who hasn't seen this before learns something from it, then it was well worth it.

Backtrack is great, you can do some automation in the Social Engineering Toolkit too which is pretty cool. :)