This week we were sent a sample of a worm written using the .NET framework by a self-proclaimed “Whitehat Hacker”, which we’re detecting as Mal/Fallblo-A. What makes this malware unusual is that it is intended to run on any platform that supports .NET, including both Windows- and Unix-based systems.
In this case the worm attempts to send itself via email, and in fact will choose the message characteristics based on the language of your system, the language of the recipient’s email address, the platform you are running, and whether or not it believes you to be a “professional” or an “average” user (based on the software you have installed). So an “average” user with an English, Windows-based system might send out an email to a “.co.uk” address saying:
I have recently started to try out programming!
This is one of my first programms. What do you think of it?
A “professional” user with a German, Windows-based system might send out an email to a “.de” address saying:
Ich habe beim Schreiben dieses Programms einen neuen Ansatz verfolgt. Sag mir bitte was du davon hälts.
Meanwhile a user with an English, Unix-based system might send out an email to a “.com” address saying:
If the programm should not work instantly on your non-windows-system you probably need to execute it using mono. (mono-project.com)
Despite the author announcing this malware publicly and providing the source code and binaries, it’s unlikely that we’ll be seeing Mal/Fallblo-A “in the wild”. It does, however, make a point about the possibility of cross-platform malware, and once again raises the issue of “responsible disclosure”, or in this case the lack thereof.