Multiplatform Badbunny worm attacks OpenOffice across Windows, Mac and Linux


A proof-of-concept multiplatform macro worm that can attack OpenOffice on Windows, Mac and Linux PCs, has been sent to security vendor Sophos.

The "Badbunny" worm attempted to download and display an indecent JPG image of a bunny-suited man.

The SB/Badbunny-A worm could infect users who open an OpenOffice Draw file called badbunny.odg, researchers at the Boston-based vendor said. A macro included in the file performed different functions depending on whether the user is running Windows, the Mac operating system or Linux.

The "upside" of Badbunny, said Ron O'Brien, a senior security analyst at Sophos, "is that it was not found in the wild. It was sent directly to the Sophos lab."

However, its existence has negative security ramifications for Mac and Linux users, he said.

"It's in a category of what we'd call "proof of concept," and it's the first volley of malware that operates on all three platforms," said O'Brien. "It's clearly an indication that this person is making a statement about whether one operating system is more insecure than another, and we can expect to see additional malware that's capable of operating across multiple platforms."

In Windows, the worm dropped a file called drop.bad, which moves to the system.ini file in a mIRC folder. It also dropped and executed badbunny.js, a JavaScript virus that replicates to other files in the folder, according to Sophos.

On Mac, the worm dropped one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb).

On Linux operating systems, it dropped as an XChat script and, a Perl virus infecting other Perl files.

Linux and Mac users "need to be more diligent in providing protection for the machines with those operating systems," said O'Brien. "Up to this point, they've been able to avoid what some consider the added expense of spending money on software and resources required to maintain up-to-date anti-virus software."

In May 2006, Sophos researchers discovered the first malware for StarOffice, Sun Microsystems’ commercial productivity suite. Called the Stardust virus, that malware attempted to download a picture of porn star Silvia Saint.


Get more IT security news. Click here for SC Magazine Blogs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.