http://www.sophos.com/pressoffice/news/articles/2007/05/badbunny.html
BadBunny seen in "the wild"? OpenOffice multi-platform macro worm discovered
Worm targets Windows, Mac and Linux computers - but poses low threat
Experts at Sophos, a world leader in IT security and control, have announced the discovery of an OpenOffice/StarBasic macro worm that drops scripts in several other languages. The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland.
The SB/Badbunny-A worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux.
Windows: The worm drops a file called drop.bad, which is then moved to system.ini in your mIRC folder (if you have one). It also drops and executes badbunny.js, a JavaScript virus that replicates to other files in the folder.
MacOS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb).
Linux: The worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files.
The dropped XChat and mIRC scripts are used to replicate and distribute the virus: they initiate DCC transfers of the original badbunny.odg OpenOffice file to other users.
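A triage sketch for the behaviour described above, added here as an example and not Sophos's own code: it flags the file names listed in this description and reports any OpenOffice Draw file that carries embedded StarBasic modules. It assumes macro libraries are stored under the Basic/ directory of the OpenDocument ZIP package; the function names and the sample file are constructed for illustration, and a macro in a drawing is a reason for a closer look, not a verdict.

```python
import io
import zipfile
from pathlib import Path

# File names reported in the Sophos description. system.ini is left out:
# Windows ships a file of that name, so a name match alone means nothing.
REPORTED_NAMES = {"badbunny.odg", "drop.bad", "badbunny.js", "badbunny.rb",
                  "badbunnya.rb", "badbunny.py", "badbunny.pl"}
INDEX_FILES = ("script-lc.xml", "script-lb.xml")  # library indexes, not code

def basic_modules(data: bytes) -> list:
    """Return the StarBasic module entries stored in an OpenDocument package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a ZIP container, so not an OpenDocument file
    return sorted(n for n in names if n.startswith("Basic/")
                  and n.endswith(".xml") and not n.endswith(INDEX_FILES))

def triage(root) -> dict:
    """Map each suspicious file under root to the reasons it was flagged."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in REPORTED_NAMES:
            reasons.append("name reported for SB/Badbunny-A")
        if path.suffix.lower() == ".odg":
            mods = basic_modules(path.read_bytes())
            if mods:
                reasons.append("embedded macro modules: " + ", ".join(mods))
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings

def make_sample_odg(with_macro: bool) -> bytes:
    """Constructed test input: a minimal ODG-shaped ZIP, harmless content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()
```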
The worm, which has not been reported at any customer sites, downloads and displays a pornographic picture of a scantily clad woman with a man dressed as a rabbit.
A small section of the photograph displayed by the worm.
"The group responsible for writing the BadBunny malware don't seem to have much confidence in it spreading as they have sent it directly to our labs. The hackers have written plenty of StarBasic malware in the past, but the most 'in the wild' this one is likely to get is by displaying a picture of a furvert in the woods," said Graham Cluley, senior technology consultant for Sophos. "This is old-school malware - seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users. A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image. This is not a piece of malware which we expect to see spreading in the wild, despite its use of a photograph of unusual wildlife."
In May 2006, experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, announced the discovery of the first malware for StarOffice. The Stardust virus tried to download a picture of porn star Silvia Saint.
Read what Mark Harris, director of SophosLabs™, has to say about the BadBunny worm's authors on the SophosLabs blog
Sophos users have been automatically updated to protect against the BadBunny worm and its components.
Sophos recommends companies automatically update their corporate virus protection, and defend their users with a consolidated solution to defend against the threats of viruses, spyware, hackers and spam.
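The "Bad Bunny" worm that infects OpenOffice
This worm, which displays an indecent image of someone in a rabbit costume, is interesting in that it behaves differently depending on the OS, but Sophos says its quality is low.
Updated May 22, 2007, 13:00
Security company Sophos has reported the discovery of a multi-platform worm that infects the open-source office suite OpenOffice. However, it is not the kind of worm that will spread, and its quality as a worm is also low, the company says.
The worm, SB/Badbunny-A, was reportedly sent directly to SophosLabs by someone believed to be its author. Opening an OpenOffice Draw file named badbunny.odg causes the infection and displays an indecent JPEG image of a man wearing a rabbit costume.
Part of the image displayed by SB/Badbunny-A. From the Sophos press release.
The macro planted in the file behaves differently on Windows, Linux and MacOS. It reportedly uses XChat and mIRC to try to infect others with the virus file via DCC transfers.
However, Sophos believes the worm is not aimed at stealing information from computers and appears to be intended as a proof of concept.
Mark Harris, director of SophosLabs, commented on the malware in a blog post. He said that while it is interesting in that it targets an application that is not very widely used and is written in cross-platform scripting languages, its quality was low: the sample did not work, and it is easy to detect and remove.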