
Flashback Mac Trojan Horse Infections Increasing with New Variant

Posted on February 23rd, 2012 by

We recently reported about a new variant of the Flashback Trojan horse which is using novel techniques to infect Macs. Since then, we have discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.

How this malware infects Macs

This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this succeeds, the Mac is infected with no user intervention. If these vulnerabilities are not available – if the Mac has Java up to date – it falls back to a third method, a social engineering trick: the applet displays a self-signed certificate claiming to be issued by Apple. Most users won’t understand what this means and click Continue, allowing the installation to proceed.



It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.

Flashback.G injects code into web browsers and other applications that access the network, and in many cases causes them to crash. It installs itself as a hidden file in the /Users/Shared folder; this file can bear many names, but always has a .so extension. Here are some examples of users posting logs on forums about applications crashing. In each case, a file in /Users/Shared is present:

http://community.skype.com/t5/Mac/cant-open-skype-on-my-macbook/td-p/506175

/Users/Shared/.PCImageEditor.so

https://discussions.apple.com/thread/3755322?start=0&tstart=0

/Users/Shared/.AllXilisoftVideo.so

https://discussions.apple.com/thread/3748919?start=0&tstart=0

/Users/Shared/.memalloc.so

http://community.skype.com/t5/Mac/Skype-quits-unexpectedly-on-start-up-yep-another-one/td-p/508077

/Users/Shared/.DocumentConverterdocPrint.so

http://community.skype.com/t5/Mac/Skype-crashing-as-soon-as-I-try-to-open-it/m-p/492045

https://discussions.apple.com/thread/3727882?start=0&tstart=0

/Users/Shared/.InternetHistoryKiller.so

There is also a file created at:

/Users/Shared/.svcdmp

and a plist file, used to patch applications, at:

~/.MACOSX/environment.plist

And logs are stored at:

~/Library/Logs/vmLog

What this malware does

This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)

One clue that a Mac is infected is that certain applications crash, notably web browsers such as Safari and other network programs such as Skype. This is because the injected code interferes with the program, making it unstable.

This malware also has an automatic update module that checks a number of websites for new versions.
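As an added example (not Intego’s tooling and not part of the original post), the following shell script sweeps a Mac for the artifacts listed above and checks a crash report’s Binary Images section for libraries loaded from /Users/Shared, the pattern visible in the Skype crash logs users posted. The root and home directory parameters, and the heuristic that an environment.plist pointing at /Users/Shared is suspicious while any other environment.plist may be the user’s own, are assumptions.

```bash
#!/bin/bash
# Added example, not Intego's code. Sweep a Mac for the Flashback.G artifacts
# named in the post. ROOT lets the sweep run against a mounted copy of a volume
# (or a test tree); HOME_DIR is the account to inspect. Both are assumptions.

# Prints one line per indicator found. Returns 0 if clean, 1 if anything found.
flashback_sweep() {
    local root="${1:-/}" home="${2:-$HOME}" hits=0 f
    # 1. Hidden .so files in /Users/Shared: the names vary, the extension and
    #    the location do not (legitimate .so files elsewhere are not flagged).
    for f in "$root"/Users/Shared/.*.so; do
        [ -e "$f" ] || continue
        echo "hidden library: $f"; hits=$((hits + 1))
    done
    # 2. The companion dump file.
    f="$root/Users/Shared/.svcdmp"
    [ -e "$f" ] && { echo "dump file: $f"; hits=$((hits + 1)); }
    # 3. environment.plist is legitimate if the user created it, so it only
    #    counts when it points at /Users/Shared (assumed heuristic; grep -a so a
    #    binary plist is searched too). Spelled .MACOSX as in the post; the
    #    default macOS filesystem is case-insensitive.
    f="$home/.MACOSX/environment.plist"
    if [ -e "$f" ]; then
        if grep -aq "/Users/Shared" "$f"; then
            echo "environment.plist references /Users/Shared: $f"; hits=$((hits + 1))
        else
            echo "environment.plist present, review manually: $f"
        fi
    fi
    # 4. The malware's log file.
    f="$home/Library/Logs/vmLog"
    [ -e "$f" ] && { echo "log file: $f"; hits=$((hits + 1)); }
    [ "$hits" -eq 0 ]
}

# Prints every library in a crash report's "Binary Images" section that was
# loaded from /Users/Shared (the last field of each line is the path; paths
# containing spaces are not handled). Returns 0 if none, 1 if any.
crash_log_shared_libs() {
    awk '/^Binary Images:/ { s = 1 }
         s && $NF ~ "^/Users/Shared/" { print $NF; n++ }
         END { exit n > 0 }' "$1"
}

# Usage: flashback_sweep / "$HOME"; crash_log_shared_libs /path/to/Skype.crash
```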

Means of protection

Most of the cases of infection we are seeing are on Macs running OS X 10.6 Snow Leopard. As we reported in our previous post, OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available.

Nevertheless, many Macs are getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple, as shown in our screenshot above. If you see this, don’t trust it, and cancel the process.

Intego VirusBarrier X6 detects Flashback.G and all other variants of this Trojan horse. In this case, the mere presence of VirusBarrier X6 causes the malware’s installer to abort, so even if users do not have VirusBarrier X6’s real-time scanner active, the Trojan will look elsewhere.

This malware is particularly insidious, as users don’t download anything or double-click any file to launch an installer. Be careful if you see the screenshot above, and check to see if you need to update Java.

If you are infected by this malware, look for a Java applet in ~/Library/Caches and send it to sample@virusbarrier.com before deleting it. We’d like to see as many samples as possible.

Update: It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won’t have to launch any other software to allow the installation to take place.

While we’re still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac then downloads more code from a remote server, and deletes the original. What we see here is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications.

  • http://twitter.com/MongolSeedtime Seedtime

    Thanks for all you are doing to keep us alert to these threats. Keep up the good work!

  • 0579186585

    Even a fully updated Apple Java still has 14 unpatched vulnerabilities!

  • http://timh-inbayarea.myopenid.com/ TimH-inBayArea

    Thanks for the warning!

    I have Virus Barrier Plus, version 1.1.5 (73) installed, with the latest definitions downloaded, dated 02-23-2012. I do manual scans each day, usually full-system-wide.

    Will this program detect this malware? I’m assuming it will.

    Thanks for any feedback!

    • http://www.intego.com Intego

      Yes, it will.

      • skyracer_1

        Thanks Intego, it’s good to know I am protected using your excellent Virus Barrier X6.

        Keep up the great work.

        • narg

          Don’t let your guard down skyracer_1.  AV programs are still only blacklists.  There may be a new variant in the next hour that they don’t detect.

          • http://www.intego.com Intego

            That’s not true. VirusBarrier X6 detected this sample without having a specific signature. It uses a number of methods to detect malware; it’s much more than just a blacklist.

  • Stephen Doherty

    Do you have a list of filenames this Mac threat is using?

    • http://www.intego.com Intego

      We mention some in the blog post, but we can’t be sure that these are the only ones being used. They all, however, end in .so.

  • nobodytoo

    Could this infect iOS 5 or Leopard?
    I say this, as I have had a few requests, 1 on an iMac G5 and 2 on an iPod Touch in the last few weeks. For both devices it was a day after the 14th Feb. I was concerned, so I contacted Apple help and was reassured by them that it wasn’t anything and I should accept both, but I have just looked at my keychain and there is no certificate starting on that date.

    For the iOS, when replying to mail after receiving it this morning I had a request to update my certificate again. I tried checking the certificate via the interface presented to me on the request for a couple of minutes and then canceled it, after that my reply mail was sent.

    I have apps crashing in settings on iOS5, but that has been happening since just before Christmas and might be nothing to do with this.

    • http://www.intego.com Intego

      iOS, no, as there is no Java. As for Leopard, perhaps; not that many people are using Leopard, and our reports are all on Snow Leopard.

  • http://anatheists.blogspot.com/ Mike

    Well, Gimp has lots of legitimate files with the .so extension so that’s not much to go on.

    • http://www.intego.com Intego

      These are hidden files in a specific location.

  • http://pulse.yahoo.com/_RSAXQU4I5ZTCJYMYNRWZC6R5M4 Franco

    I bumped into the untrusted “content signed by Apple Inc.” certificate about a week ago, though my Mac OS is well-updated to Lion and I am a Virus Barrier Plus user.

    Of course, good sense took me to click “CANCEL”, but unfortunately others did not and they are not even protected at all.

    I have performed full on demand scans and my system is not infected, but today another AV detected a further malware for Windows in form of e-mail attachment.

    So always keep your system updated and your eyes open, folks. Most of all, thank you very much Intego, I am a happy customer: please keep up with the good work.

  • bildar

    I have VirusBarrier Express 1.1.5 with definitions 2/16/2012. Will this detect Flashback.G and its predecessors?

    • http://www.intego.com Intego

      Yes.

  • markgeary

    > and a plist file, used to patch applications, at:
    > ~/.MACOSX/environment.plist

    I have a copy of this in my directory because I put it there. It’s used to set environment variables for applications that aren’t started from the shell.

  • Anatomic99

    I think my Macbook has this virus – what should I do? I’ve already tried downloading VirusBarrier X6 but it didn’t detect anything.

    Here is the error message I get when I try to access skype:

    Binary Images:
        0x1000 -   0x816fff +com.skype.skype 5.5.0.2340 (5.5.0.2340) /Applications/Skype.app/Contents/MacOS/Skype
     0x154c000 -  0x1574fe3 +.InternetHistoryKiller.so ??? (???) /Users/Shared/.InternetHistoryKiller.so
     0x1580000 -  0x1635fe7  libcrypto.0.9.7.dylib 0.9.7 (compatibility 0.9.7) /usr/lib/libcrypto.0.9.7.dylib
    0x8fe00000 - 0x8fe4162b  dyld 132.1 (???) /usr/lib/dyld
    0x90003000 - 0x9001ffe3  com.apple.openscripting 1.3.1 (???) /System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
    0x90020000 - 0x90024ff7  libGIF.dylib ??? (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libGIF.dylib
    0x90044000 - 0x900dffe7  com.apple.ApplicationServices.ATS 275.19 (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
    0x900e0000 - 0x900f4fe7  libbsm.0.dylib ??? (???) /usr/lib/libbsm.0.dylib
    0x900f5000 - 0x900f6ff7  com.apple.MonitorPanelFramework 1.3.0 (1.3.0) /System/Library/PrivateFrameworks/MonitorPanel.framework/Versions/A/MonitorPanel
    0x901d5000 - 0x901f0ff7  libPng.dylib ??? (???) /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libPng.dylib

    • http://www.intego.com Intego

      Can you please contact sample@virusbarrier.com? Our researchers would like to get a sample of the malware you have.

  • http://www.facebook.com/profile.php?id=1113800947 Michael Gubetta

    I have Java 6 update 29 in Lion installed, yet for Oracle Java in the Windows world, the latest version is Java 6 update 31.  Is Java 6 update 29 vulnerable to Flashback G?

    • http://www.intego.com Intego

      No.

  • JPRJR

    I’m seeing symptoms of this trojan (both Safari and Firefox freeze up), but only when I connect to a Thunderbolt display and cable connection at work, but not the MacBook Air alone on a home wireless network. Has anyone seen this symptom?

  • http://www.facebook.com/don.gooding1 Don Gooding

    Malware on Macs: unfortunately it looks like Macs are so popular they are now getting the attention of the bad guys.

  • Eric Gallager

    Re: creating a new ~/.MacOSX/environment.plist: If I had already created my own environment.plist to modify environment variables, would this overwrite my old plist, or would it simply append its variables to my existing file?

    • http://www.intego.com Intego

      It would overwrite.

  • apple_sauced

    Not sure if my comment got through the first time around.  I verified infection via a few of the file names listed above and deleted all recommended files in Terminal.  After deleting the files, symptoms went away (Google redirects and Finder menus progressively turning into code).  I’ve downloaded Virus Barrier X6, and it’s so far scanning clean.  Any further action recommended at this time?
    Thanks

  • http://www.facebook.com/profile.php?id=100002458125096 Momo Levi

    nice!
