OpenOffice.org worm that affects Windows, Linux and Mac OS X

When it came to an OpenOffice.org-related presentation, my slide deck always contained a mention about security. However, as it gains in popularity, and a more bloated (read: MS Office-compatible) feature set, security alone is not going to be a selling point. In fact, when it comes to OSS advocacy, the word “free” (or the idea of zero/minimal cost) is also not a large selling point, and neither is the “you can view the source code” (erm, yeah, so what do I do with it?). But I’ll save that rant for another day.

It seems there’s an OpenOffice.org worm in the wild that affects Windows, Linux and Mac OS X systems. BadBunny, as it has affectionately become known, comes to you as an OpenOffice.org Draw file, which displays a man in a bunny rabbit suit engaging in sexual intercourse. While you see this, it’s launching mIRC or XChat (on OS X and Linux) and forwarding it to other IRC users. Assuming you don’t have IRC installed, this shouldn’t do anything, right?

Apparently, not only does BadBunny come with some StarBasic, it also has some other evil components that use JavaScript on Windows, Ruby on OS X and Perl on Linux. I wonder why they didn’t just use JavaScript across the board. Why Ruby on OS X (Perl would’ve sufficed)? The choice of multiple languages seems very odd.
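A defensive check for the delivery format described above, as an added example that is not part of the original post: ODF files are ZIP packages, with embedded StarBasic stored under `Basic/` and other script languages under `Scripts/`, so a triage script can flag macro-carrying documents before anyone opens them. The function names and the sample documents are constructed for illustration.

```python
import io
import zipfile

# Package paths where ODF stores executable content: StarBasic libraries
# live under Basic/, other script languages under Scripts/.
MACRO_PREFIXES = ("Basic/", "Scripts/")
# A macro wired to a document event (for example "run on load") appears as
# a script:event-listener element in content.xml.
EVENT_MARKER = b"<script:event-listener"


def scan_odf(data: bytes) -> dict:
    """Return macro-related findings for an ODF package given as bytes."""
    findings = {"macro_files": [], "event_bindings": 0}
    try:
        pkg = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a ZIP/ODF package"
        return findings
    with pkg:
        for name in pkg.namelist():
            if name.startswith(MACRO_PREFIXES) and not name.endswith("/"):
                findings["macro_files"].append(name)
        if "content.xml" in pkg.namelist():
            xml = pkg.read("content.xml")
            findings["event_bindings"] = xml.count(EVENT_MARKER)
    return findings


def _build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Draw-like package built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
        body = "<office:document-content>"
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<script:module/>")
            body += '<script:event-listener script:event-name="dom:load"/>'
        z.writestr("content.xml", body + "</office:document-content>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", _build_sample(False)), ("macro", _build_sample(True))):
        print(label, scan_odf(doc))
```

A hit only means the document carries code, not that the code is malicious; it is a reason to open the file with macros disabled or in a sandbox.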

This is largely a proof of concept, but it just goes to show that no matter what you’re running, it’s a good idea to follow safe computing practices. What peeved me though was a quote from Sophos in heise Security:

If the BadBunny developers had any financial intentions, they would have selected a more popular software structure and not included bizarre images, Sophos adds.

Is OpenOffice.org a non-popular software structure? I highly doubt it. Writing virii is like a coming of age present for some, and while OpenOffice.org was ignored as a suitable platform, it’s being recognised now. Mohandas Gandhi said: “First they ignore you, then they laugh at you, then they fight you, then you win.” I think OpenOffice.org is at stage 3 (not just because of the virus writers, but also because of the plight towards ODF).

2 Comments

  1. virens says:

    “Worm in the wild” means that I can catch it with any document. But why am I still not affected!? Where are those ugly and stupid symanteckers and pandazauros with their “viruses” under Linux!?
    By the way, I haven’t any IRC clients installed…

  2. byte says:

    In the wild when you receive badbunny.odt. I’ve personally not seen/received it. I’d state without a doubt that OOo is probably more secure than MS Office, but as it becomes more “compatible” and “feature complete” (some versions are now executing VBA macros, even), it’s inevitable that security holes are going to be opened up.