June 11, 2007 4:57 AM PDT

OpenOffice worm Badbunny hops across operating systems

Malicious software targeting OpenOffice.org documents is spreading through multiple operating systems, according to Symantec.

"A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems," according to a Symantec Security Response advisory. "Be cautious when handling OpenOffice files from unknown sources."

Apple's Mac OS is not a virus-free platform, said Jan Hruska, who co-founded rival antivirus firm Sophos and was one of the first ever PC antivirus experts.

"Viruses on the Mac are here and now. They are available, and they are moving around. It is not as though the Mac is in some miraculous way a virus-free environment," Hruska said. "The number of viruses coming out for non-Mac platforms is higher. It gives a false impression that somehow, Apple Macs are all virus-free."

The worm was first spotted late last month, but at the time, it was not thought to be "in the wild."

Once opened, the OpenOffice file, called badbunny.odg, launches a macro that behaves in several different ways, depending on the user's operating system.

On Windows systems, it drops a file called drop.bad, which is moved to the system.ini file in the user's mIRC folder. It also executes the JavaScript virus badbunny.js, which replicates to other files in the folder.

On Apple Mac systems, the worm drops one of two Ruby script viruses in files respectively called badbunny.rb and badbunnya.rb.

On Linux systems, the worm drops both badbunny.py as an XChat script and badbunny.pl as a Perl virus.
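As an added example (not from the article or from Symantec), this Python check reports whether an OpenDocument file carries macro code before it is opened, and whether any name matches the file names reported above. It assumes the usual OpenOffice.org package layout (a ZIP archive with macros under `Basic/` and `Scripts/`); the function names and the sample package are constructed for illustration.

```python
import io
import zipfile

# Package paths where OpenOffice.org stores macro code inside a document (assumed layout).
MACRO_PREFIXES = ("Basic/", "Scripts/")
# File names the article reports for the document and the files it drops.
REPORTED_NAMES = {"badbunny.odg", "drop.bad", "badbunny.js", "badbunny.rb",
                  "badbunnya.rb", "badbunny.py", "badbunny.pl"}


def inspect_document(data, filename=""):
    """Return a list of findings for an OpenDocument file given as bytes."""
    findings = []
    if filename.lower() in REPORTED_NAMES:
        findings.append("name-matches-report:" + filename.lower())
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["not-a-zip-package"]
    with package:
        names = package.namelist()
        for entry in names:
            if entry.startswith(MACRO_PREFIXES) and not entry.endswith("/"):
                findings.append("macro-storage:" + entry)
            if entry.rsplit("/", 1)[-1].lower() in REPORTED_NAMES:
                findings.append("embedded-name-matches-report:" + entry)
        # ODF event-listener elements bind a macro to an event such as document load.
        if "content.xml" in names:
            if b"script:event-listener" in package.read("content.xml"):
                findings.append("event-listener-in-content.xml")
    return findings


def build_sample(with_macro):
    """Build a tiny ODF-like package in memory (constructed sample, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
        z.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_document(build_sample(True), "drawing.odg"))
    print(inspect_document(build_sample(False), "drawing.odg"))
```

A finding only means the document contains macro code or a matching name and should be reviewed before opening; legitimate documents can carry macros too.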

Symantec rates the worm as a "medium risk."

Munir Kotadia of ZDNet Australia reported from Sydney.


71 comments (showing first 20 comments)
Viruses on the Mac are here and now
by rcrusoe June 11, 2007 5:52 AM PDT
Well, it's about time. Everyone keeps saying Macs can't do everything that a Windows computer can. This should end that argument.

On the other hand, if there are Mac OS X viruses in the wild, actually infecting computers, I wish Sophos, McAfee, Symantec, or someone would publish this information.

How am I supposed to tell all my Mac users to be careful when no one can cite a single infection outside of the lab?

Come on guys, give me some help.
have you ever noticed...
by smithjones June 11, 2007 5:57 AM PDT
It's been suggested for a while, however, does it not seem like
these anti virus companies are always finding new viruses to protect
us from? Sure..., that's their job...., but they always seem to have
the right fix at the right moment. It's enough to make you
speculate who the root cause of these viruses is.
Open Office "WORM"..!!
by imacpwr June 11, 2007 6:45 AM PDT
Why do we have Jan Hruska bashing OS X in this article claiming
it's not a virus free OS..??? Funny, I thought this article was
supposed to be about a cross platform Open Office WORM, not an
OS X VIRUS..!!
What I'd like to know (and the article conveniently avoids) after
this worm drops a few files here and there just WHAT are these
so called "bad boys" supposed to be doing on the different
platforms..??? Since Symantec rates the worm at "medium risk"
I'm guessing short of giving the worm/virus (whatever it's
supposed to be) outright admin privileges on the Mac this thing
isn't going to do much (hence the convenient non-mentioning
of what it can or can't do on a Mac or Linux for that matter..).
yaaawn
by MSSlayer June 11, 2007 8:03 AM PDT
Hopping across operating systems?

I would be more impressed if it actually infected 1 machine.
Blatant scaremonger
by GRMorgan June 11, 2007 8:33 AM PDT
So the macro virus drops a few scripts on a Linux box. Of course the article fails to mention that *all* scripts of Linux must be initialised as executable by the root account before they can be executed generally.

This already makes the Perl 'virus' totally ineffective unless the user has administrative access (not common on Linux, our applications are designed properly) and actively searches out and gives this script execution privileges.

The python based X-Chat script can do more 'damage' since X-Chat will execute it directly. However it will still be limited by the standard defence mechanisms of the system and by X-Chat's own APIs.

The article fails to understand a basic fact about Linux. We don't believe it to be invulnerable. We know that viruses and other malware would be restricted by the standard defensive mechanisms of the system. No Linux system is a free for all like Windows, sane separation of privileges is the order of the day. This goes further with most corporate Linux solutions now defaulting to the use of strict mandatory access control defences like SELinux (which was designed by the NSA to be their standard form of security).

Also most Linux distributions will deactivate OOo macros by default.
Complete and utter BS
by Vegaman_Dan June 11, 2007 9:53 AM PDT
We have been told time and time again that there has never been in the past, nor is there any proof of any virus now for a Macintosh.

It's impossible. They don't exist. OS X is invulnerable to viruses. That's why you don't need firewalls, anti-virus products, or any other sort of protection.

It's stupid to even consider there could be a virus that could affect a Mac.

There are many here in these forums that can give you page after page of rants about this very case.
Bit Confused
by ArturoYee June 11, 2007 12:15 PM PDT
OK - two main topics I'd like to get clear:
(1) What happens when the worm drops off the package on OS X? On Windows, the description indicates that the worm drops off a package that acts like a virus. Please clarify as to the impact.
(2) Are we mixing up Worms, Viruses, and Malware? Or is Symantec calling all Malware Viruses as well? Please be careful on the reporting!
Unless it knows my su passcode....
by ethana2 June 11, 2007 3:48 PM PDT
I still have nothing to worry about. This just goes to show that OpenOffice documents can run handy macros. Think about it. You could execute script to convert a folder of bitmaps to jpegs... that kind of thing. As for windows users, I don't know whether they should feel comforted that their command prompt sucks or discouraged that they run as admin 24/7.
I mean, I really don't care. This is not a threat to me. I suspect it is much the same with BSD-based systems like Mac OS X as well. With OSS, any problem that actually does exist will have a fix within 12 hours. Microsoft only does that when their DRM gets cracked.
Great; nothing said....
by Commander_Spock June 11, 2007 7:18 PM PDT
... in this article about OS/2 being susceptible to these viruses; and, the good news also is -- Open Office 2.0.4 has now been recently ported to eComStation thus allowing users to concentrate on the task at hand.

"OpenOffice.org 2.0.4 for eComStation and OS/2"

http://www.ecomstation.com/openoffice.phtml
So then.....
by angrykeyboarder June 12, 2007 1:12 AM PDT
all the files in your home directory require root access? Interesting....
useless
by ukidding June 12, 2007 6:31 AM PDT
61 comments I took the time to read. Hoping to gain a bit of useful info about the subject. None forthcoming from anyone. Just ******** about who is more ignorant, and what OS was better/worse...
Yes - the story is a bit of a hoax
by Arbalest05 June 12, 2007 9:00 AM PDT
It has been a slow news month, I guess, since Symantec "discovered" the OpenOffice/StarOffice macro worm last month. Symantec rates this threat as LOW.
Here's the link:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-052303-2513-99&tabid=1

My guess is that the number of infections is right around zero.
CNET does this kind of thing from time to time (as do their sister sites). I think it's because they just can't find anything else to publish - it's the same for all the tech media.

The article is more than a bit odd since it is titled and starts out about "badbunny" and then goes on about the supposed insecurity of Apple's OS.

In a week or so, there won't be any article that doesn't mention the Apple iPhone.
Use Common Sense (Or Uncommon, as the case may be)
by ben::zen June 12, 2007 2:30 PM PDT
Really, unless you were expecting this file,
would any of us open it? Let's cut to the chase
here, and say what all this bragging is about.
Now, would any of us here open a document of
unknown provenance with an ability to run
potentially harmful macros? SERIOUSLY???

Also, if I were to open this file, I'd put in a
LiveCD of any distro of Linux (probably ubuntu,
since it has OpenOffice on its disk), and voila!
I can see exactly what the file does. Actually,
I might try that... just for fun. That way, no
harm done!

All this fanboyism that's going around really
hides the truth of the matter. On a forum, it's
better to talk about the news, not the flamewars
people are trying to start.
NICE STORY HAH HAH
by mocefish June 13, 2007 10:40 PM PDT
SO BAD BUNNY IS HOPPING ALL OVER EVERYBODY'S COMPUTER THAT WAS DUMB ENOUGH TO OPEN IT. WHAT MOST PEOPLE THAT LOOKED AT THIS STORY WANTED TO KNOW WAS WHAT DOES IT DO? MAYBE THE REPORTER FORGOT THIS PART OF THE STORY OR MOST OF THE REST OF THE POSTERS WERE JUST TOO HAPPY TO JUMP ON A MS OR OSX BASH...