June 11, 2007 4:57 AM PDT

OpenOffice worm Badbunny hops across operating systems

Malicious software targeting OpenOffice.org documents is spreading through multiple operating systems, according to Symantec.

"A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems," according to a Symantec Security Response advisory. "Be cautious when handling OpenOffice files from unknown sources."

Apple's Mac OS is not a virus-free platform, said Jan Hruska, who co-founded rival antivirus firm Sophos and was one of the first ever PC antivirus experts.

"Viruses on the Mac are here and now. They are available, and they are moving around. It is not as though the Mac is in some miraculous way a virus-free environment," Hruska said. "The number of viruses coming out for non-Mac platforms is higher. It gives a false impression that somehow, Apple Macs are all virus-free."

The worm was first spotted late last month, but at the time, it was not thought to be "in the wild."

Once opened, the OpenOffice file, called badbunny.odg, launches a macro that behaves in several different ways, depending on the user's operating system.

On Windows systems, it drops a file called drop.bad, which is moved to the system.ini file in the user's mIRC folder. It also executes the JavaScript virus badbunny.js, which replicates to other files in the folder.

On Apple Mac systems, the worm drops one of two Ruby script viruses in files respectively called badbunny.rb and badbunnya.rb.

On Linux systems, the worm drops both badbunny.py as an XChat script and badbunny.pl as a Perl virus.

Symantec rates the worm as a "medium risk."

Munir Kotadia of ZDNet Australia reported from Sydney.


71 comments

Viruses on the Mac are here and now
Well, it's about time. Everyone keeps saying Macs can't do everything that a Windows computer can. This should end that argument.

On the other hand, if there are Mac OS X viruses in the wild, actually infecting computers, I wish Sophos, McAfee, Symantec, or someone would publish this information.

How am I supposed to tell all my Mac users to be careful when no one can cite a single infection outside of the lab?

Come on guys, give me some help.
Posted by rcrusoe (1305 comments )
re
WMDs are in Iraq, we just can't find them.

Linux infringes on hundreds of patents, we just can't find them.

OO has a worm, but we can't find a single instance of it infecting anyone outside contrived lab setups.

Show us a real world OSX virus or worm, or even one for Linux.

In the lab it is trivial to exploit any OS and put malware on it. The only truly damaging viruses or worms in the past 20 years have been written for an OS that makes it trivial to write malware that can spread itself around the world: aka Windows.
Posted by MSSlayer (1074 comments )
have you ever noticed...
It's been suggested for a while, however, does it not seem like
these anti virus companies are always finding new viruses to protect
us from? Sure..., that's their job...., but they always seem to have
the right fix at the right moment. It's enough to make you
speculate who the root cause of these viruses is.
Posted by smithjones (103 comments )
Problem
The anti virus companies watch for that sort of thing, and would shred any of their own pulling it. There's a lot of programmers able to spot that sort of thing, and would scream to high heaven if they spotted it.
Posted by Phillep_H (497 comments )
Terry Pratchett and the Discworld
There are no fire departments in Ankh-Morpork because it was found that fire departments weren't getting paid unless there were fires to put out. They would go out of their way to make sure they had work to do as a result.

AV companies are wise to do the Chicken Little thing to spark sales in their products.
Posted by Vegaman_Dan (6683 comments )
Hen or egg?
As a frequent (not professional) user of mostly textwriter, spreadsheet and internet programs, I regret that the already limited performance of my 9-year old pc is constantly reduced by my virus, spyware etc. hunters. I find your suggestion on [anti]virus amusing, something like the question who came first, the hen or the egg. But ours can be answered clearly. Programming a worm requires a high level of skill, so if an antivirus can be launched only a few hours after damage has been done, I can only conclude that it has been designed by the weapon manufacturer himself. The same way company executives are often able to enrich themselves by abuse of inside information -in such cases, the law CAN punish them! -
Posted by federico1931 (1 comment )
Open Office "WORM"..!!
Why do we have Jan Hruska bashing OS X in this article claiming
it's not a virus free OS..??? Funny, I thought this article was
supposed to be about a cross platform Open Office WORM, not an
OS X VIRUS..!!
What I'd like to know (and the article conveniently avoids) after
this worm drops a few files here and there just WHAT are these
so called "bad boys" supposed to be doing on the different
platforms..??? Since Symantec rates the worm at "medium risk"
I'm guessing short of giving the worm/virus (whatever it's
supposed to be) outright admins privilege on the Mac this thing
isn't going to do much (hence the convenient non-mentioning
of what it can or can't do on a Mac or Linux for that matter..).
Posted by imacpwr (456 comments )
Spoken like...
a true Mac zealot. Keeping your head in a hole in the ground doesn't mean your precious OS X isn't going to get whacked.
Posted by jase1125 (18 comments )
Wake up
Apple's marketing has really done a number on Mac users. They've been able to establish the concept that any mention of Apple being theoretically susceptible to malware is "bashing". This is, of course, a preposterously ill-advised way of thinking.
Posted by woadlined (5 comments )
Doesn't take admin
I could very easily port MyDoom to a scripting language that would be OS independent. The only thing it did with admin privileges was make itself auto restarting, and you don't need admin for that if you use a different mechanism.

Not running as admin makes it easier to clean up, but most of what needs to be done in a virus or worm can be done from a regular account very easily.
Posted by rpmyers1 (15 comments )
Don't worry about it. It's impossible anyways
There are no known viruses ever recorded for the Macintosh and it's impossible to be affected by them, so don't worry.

Let them say what they want. We all know that the Macintosh OS is perfect the way it is so there is no need to even bother with firewalls or AV products. I mean geez, one might think you were trying to promote self responsibility or something weird like that.

Macs are perfect, plain and simple.
Posted by Vegaman_Dan (6683 comments )
yaaawn
Hopping across operating systems?

I would be more impressed if it actually infected 1 machine.
Posted by MSSlayer (1074 comments )
Can't infect perfection
I've seen you say many times here online that no Mac has ever been infected and cannot be ever infected in the future. Let these people whine and cry because they are using OS's that aren't perfect while Mac users go blissfully along without any sort of protection.

They don't need it. Macs are perfect. :)
Posted by Vegaman_Dan (6683 comments )
Blatant scaremonger
So the macro virus drops a few scripts on a Linux box. Of course the article fails to mention that *all* scripts of Linux must be initialised as executable by the root account before they can be executed generally.

This already makes the Perl 'virus' totally ineffective unless the user has administrative access (not common on Linux, our applications are designed properly) and actively searches out and gives this script execution privileges.

The python based X-Chat script can do more 'damage' since X-Chat will execute it directly. However it will still be limited by the standard defence mechanisms of the system and by X-Chat's own APIs.

The article fails to understand a basic fact about Linux. We don't believe it to be invulnerable. We know that viruses and other malware would be restricted by the standard defensive mechanisms of the system. No Linux system is a free for all like Windows, sane separation of privileges is the order of the day. This goes further with most corporate Linux solutions now defaulting to the use of strict mandatory access control defences like SELinux (which was designed by the NSA to be their standard form of security).

Also most Linux distributions will deactivate OOo macros by default.
Posted by GRMorgan (4 comments )
Now it is Linux fanboys
We already have too many Mac fanboys here with their uninformed views on Mac OS invulnerability. Now we seem to have a Linux fanboy as well.

Your claims concerning Linux are bogus in that they don't tell the full story. It is the same take I have seen from Linux/open source fanatics for years. We don't need that here either.

But of course we will get it anyway. (sigh)
Posted by gmcaloon--2008 (72 comments )
Complete and utter BS
We have been told time and time again that there has never been in the past, nor there is any proof of any virus now for a Macintosh.

It's impossible. They don't exist. OS X is invulnerable to viruses. That's why you don't need firewalls, anti-virus products, or any other sort of protection.

It's stupid to even consider there could be a virus that could affect a Mac.

There are many here in these forums that can give you page after page of rants about this very case.
Posted by Vegaman_Dan (6683 comments )
Funny windiots...
defending their platform :P

Telling OSX and linux users that they are uninformed... yea, we
have viruses, we just don't know it! LOLOLOL
Posted by BobBobBobBobBobBobBob (49 comments )
lol..
...you almost made me fall off my chair laughing. You are right, Mac is invulnerable to viruses and Steve Jobs is God.
Posted by FutureGuy (742 comments )
What an idiot
Everyone needs a firewall. End of story.

You are the only one saying it will never be exploited.

Just because you can't point out one real world OSX flaw in a world that Windows is exploited daily, doesn't give you the right to pull crap out of your rear.
Posted by MSSlayer (1074 comments )
Bit Confused
OK - two main topics I like to get clear:
(1) What happens when the worm drops off the package on OS X? On Windows, the description indicates that the worm drops off a package that acts like a virus. Please clarify as to the impact.
(2) Are we mixing up Worms, Virus, and Malware? Or Symantec is calling all Malware are also Virus? Please be careful on the reporting!
Posted by ArturoYee (20 comments )
Defensive
Word to that!
people have been getting all defensive over their stupid OS and we still don't even know what the hell this "virus" does
for starts... I'm a hater... I know it... I have been for a while... I think I always will be...
Mac OSX doesn't do it for me... the idea of Mac on anything makes me feel sick.
I would like nothing better than to see Mac OSX crumble at their knees and all those cocky Mac users would really wish they had been a little less cocky...

but i know that if Mac were to fail in security...
Linux probably wouldn't be far behind
and that would be a bad day

people like to know that they've made a good choice... they like to know that the software they use is better than everyone else's software
my dad could beat up your dad... etc.

I'm sure that any one of us can agree that we love what we use.. and if someone told you that you're obviously an idiot because you chose the wrong side, I'm sure you'd take offense and try to disembowel the poor chap who said it.

I'm also an Atheist... do I go around saying things like
"abandon thine gods, ye tiny brained creatures"
"truly a blessed man is one who believes in his own doings more than a divine fathom of whom he has never met"
"hell hath no fury like a people scorned. Hell is a prison which you create from your own guilt and malice."

no.. I don't say those things... mostly because I'm not sure if that's the proper way to speak archaic English. ( if you can believe, I researched it a little bit just so I wouldn't look stupid in this post)
I don't say that because I'm sure that A. no one wants to hear it because they've already got an idea in their head what they should be living for
B. they'll eventually "see the light" and come over to the Atheist side.
or
C. I'm wrong and I'm going to have a heck of a time trying to eat my ice cream in hell... or wherever I'm going

congrats to all those mac users out there who think that Jobs is a god send...
personally... this is like the arrival of a new baby... I really couldn't care less
unless it's my baby
then i care

Rock on you hopeless Mac, Windows and Linux fanboys/fangirls
~Ryan
Posted by PDG1 (24 comments )
Unless it knows my su passcode....
I still have nothing to worry about. This just goes to show that OpenOffice documents can run handy macros. Think about it. You could execute script to convert a folder of bitmaps to jpegs... that kind of thing. As for windows users, I don't know whether they should feel comforted that their command prompt sucks or discouraged that they run as admin 24/7.
I mean, I really don't care. This is not a threat to me. I suspect it is much the same with BSD based systems like Mac OSX as well. With OSS, any problem that actually does exist will have a fix within 12 hours. Microsoft only does that when their DRM gets cracked.
Posted by ethana2 (348 comments )
Right
All you need to worry about are all the files and applications that
can be run, deleted, or modified as you. Which, oddly enough,
includes all of your documents, music, movies, and so forth. It's
also possible to use this to install a root kit... so all of those
exploits which no one cared about because you needed local access
to use them? Guess what this is giving you...
Posted by rapier1 (2722 comments )
Great, nothing said....
... in this article about OS/2 being susceptible to these viruses; and, the good news also is -- Open Office 2.0.4 has now been recently ported to eComStation thus allowing users to concentrate on the task at hand.

"OpenOffice.org 2.0.4 for eComStation and OS/2"

http://www.ecomstation.com/openoffice.phtml
Posted by Commander_Spock (3123 comments )
So then.....
all the files in your home directory require root access? Interesting....
Posted by angrykeyboarder (136 comments )
useless
61 comments I took the time to read. Hoping to gain a bit of useful info about the subject. None forthcoming from anyone. Just ******** about who is more ignorant, and what OS was better/worse...
Posted by ukidding (1 comment )
So what's the surprise?
The technology market and marketeers are such dullards. They keep promoting more fantastical features and capabilities yet networks are no more secure today than 5 years ago. More money and complexity=less secure and more threats?

The guys at Symantec can stuff it. A mile wide and 1/8th deep of coverage doesn't cut it. How about some real basic practice: write very clear policies and train everyone on them from the execs on down and verify the effectiveness of technology. No software can tell you if another software is bad or not. Rules and signatures only go so far so every new turn creates the opportunity for compromise.

These are the only ways to ensure a secure and productive network. All the rest is just ******* and moaning, something quite common among the IT professional set. Look at all the budget and overhead and they're still insecure.
Posted by Schratboy (122 comments )
Yes - the story is a bit of a hoax
It has been a slow news month, I guess, since Symantec "discovered" the OpenOffice/StarOffice macro worm last month. Symantec rates this threat as LOW.
Here's the link:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-052303-2513-99&tabid=1

My guess is that the number of infections is right around zero.
CNET does this kind of thing from time to time (as do their sister sites). I think it's because they just can't find anything else to publish - it's the same for all the tech media.

The article is more than a bit odd since it is titled and starts out about "badbunny" and then goes on about the supposed insecurity of Apple's OS.

In a week or so, there won't be any article that doesn't mention the Apple iPhone
Posted by Arbalest05 (83 comments )
Use Common Sense (Or Uncommon, as the case may be)
Really, unless you were expecting this file,
would any of us open it? Let's cut to the chase
here, and say what all this bragging is about.
Now, would any of us here open a document of
unknown provenance with an ability to run
potentially harmful macros? SERIOUSLY???

Also, if I were to open this file, I'd put in a
LiveCD of any distro of Linux (probably ubuntu,
since it has OpenOffice on its disk), and voila!
I can see exactly what the file does. Actually,
I might try that... just for fun. That way, no
harm done!

All this fanboyism that's going around really
hides the truth of the matter. On a forum, it's
better to talk about the news, not the flamewars
people are trying to start.
Posted by ben::zen (127 comments )
NICE STORY HAH HAH
SO BAD BUNNY IS HOPPING ALL OVER EVERYBODY'S COMPUTER THAT WAS DUMB ENOUGH TO OPEN IT. WHAT MOST PEOPLE THAT LOOKED AT THIS STORY WANTED TO KNOW WAS WHAT DOES IT DO? MAYBE THE REPORTER FORGOT THIS PART OF THE STORY OR MOST OF THE REST OF THE POSTERS WERE JUST TOO HAPPY TO JUMP ON A MS OR OSX BASH...
Posted by mocefish (7 comments )
 
