But also Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003 and Windows 2000

Oct 5, 2007 13:03 GMT

Windows Vista, Linux and Solaris, three operating systems applauded in different contexts for the high level of security they deliver, can all be infected by the same piece of malware. MSIL.Yakizake is a cross-platform worm that will infect not only Vista, Linux and Solaris but also Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003 and Windows 2000. Essentially, though, the worm is designed to run in the .NET or Mono framework, and since it comes complete with mass-mailing capabilities, it also requires the open source Thunderbird desktop email client to be installed. Peter Ferrie, Senior Security Response Engineer at Symantec, downplayed the relevance of the worm both as a severe threat and as a cross-platform piece of malicious code.

"At DEFCON 15 this year, Paul Sebastian Ziegler presented a 'multi-platform' worm that runs in the .NET framework and compatible implementations. It's unclear why Mr. Ziegler thinks that his worm is multi-platform, because the platform is the environment in which the application runs. It's not the CPU on which it is running, and it's not the operating system, either, if the environment is a virtual machine of some kind. In this case, the environment is the .NET framework or equivalent, which is a virtual machine. While .NET itself is multi-platform, the virtual machine that it presents is not. The virtual machine is just a single platform, regardless of which CPU it is running on," Ferrie explained.

According to Ferrie, MSIL.Yakizake (Japanese for "grilled fish"), christened "Akikaze" (Japanese for "autumn wind") by Ziegler, is an example of malware that is neither cross-platform nor multi-platform aware. Yakizake simply identifies the operating system it is executed on, in order to carry out the infection, and nothing more. "Once executed, the worm sends messages with different subjects and bodies, depending on the domain suffix in the recipient address, and the presence or absence of particular software on the compromised computer," Ferrie added.