
New Flashback Trojan Horse Variant Uses Novel Delivery Method to Infect Macs

Posted on February 10th, 2012 by

Intego first discovered the Flashback Trojan horse in September 2011, and since then has seen a number of variants of this malware. A variant discovered in October 2011 notably damaged some system files.

In the past few months, Intego has found new variants of the Flashback Trojan horse every few days, but the company's latest discovery is a bit surprising. The people behind the Flashback Trojan horse have begun using a novel delivery method to infect Macs. Taking advantage of two Java vulnerabilities, this latest variant is able to install itself on a Mac with far less user intervention. There is no longer an installer and no request for a password. The malware first tries to install itself using one of two Java vulnerabilities. If this succeeds, users are infected with no intervention at all. If these vulnerabilities are not available, that is, if the Mac's Java is up to date, it falls back to a third method of installation and tries to fool users with a social engineering trick. The applet displays a self-signed certificate claiming to be issued by Apple. Most users won't understand what this means, and click Continue to allow the installation to proceed.
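What the fallback dialog is actually showing is a certificate whose issuer is itself, so it carries whatever name the attacker typed in and chains to no trusted root. The following is an added example, not code from the original post or from Intego, that makes that check explicit with openssl; the certificate path is an assumption supplied by the caller, and the functions work on any PEM certificate.

```sh
#!/bin/sh
# Added example (not from the original post): classify a PEM certificate
# the way a user faced with a "Continue?" prompt should, by asking who
# signed it rather than what name it carries.

# A self-signed certificate is its own issuer: subject and issuer match.
is_self_signed() {
    cert="$1"
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    # Strip the "subject=" / "issuer=" prefixes and compare the names.
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# Does the certificate chain to a CA the local trust store accepts?
# "openssl verify" exits non-zero for a self-signed leaf regardless of
# the name in it, which is exactly what the Flashback prompt hides.
chains_to_trusted_root() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verdict string for one certificate file.
classify_cert() {
    if is_self_signed "$1"; then
        echo "self-signed"
    elif chains_to_trusted_root "$1"; then
        echo "trusted"
    else
        echo "untrusted"
    fi
}

# Usage: sh classify_cert.sh /path/to/cert.pem  (filename is hypothetical)
[ $# -ge 1 ] && classify_cert "$1"
```

A certificate whose subject reads "Apple Inc." but which classifies as self-signed proves nothing about Apple; only a chain to a trusted root does, and no self-signed applet certificate can provide one.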

Found in the wild, this new variant installs an executable file in the /tmp directory, applies executable permissions with the chmod command, then launches the executable with the nohup command, so that the process keeps running after the session that started it ends. The Flashback backdoor is then active with no indication to users that anything untoward has happened.
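The footprint just described, an executable dropped into /tmp and a process running out of it, is easy to hunt for from a shell. The following is an added example, not code from the original post or from Intego; it uses only POSIX find, ps and awk so it runs on both Mac OS X and Linux, and the directory argument defaults to /tmp.

```sh
#!/bin/sh
# Added example (not from the original post): look for the two artifacts the
# dropper leaves behind, a file with an execute bit under /tmp and a live
# process whose command line points into /tmp.

# Regular files directly under DIR (default /tmp) that carry the owner
# execute bit, which is what "chmod" gave the dropped payload.
find_tmp_executables() {
    dir="${1:-/tmp}"
    find "$dir" -maxdepth 1 -type f -perm -u+x 2>/dev/null
}

# Running processes with any command-line token rooted in DIR. Checking
# every token, not just argv[0], also catches an interpreter launched as
# "sh /tmp/payload", which is how a nohup'd script appears in ps output.
find_processes_from() {
    dir="${1:-/tmp}"
    ps -eo pid=,args= | awk -v d="$dir/" '
        { for (i = 2; i <= NF; i++) if (index($i, d) == 1) { print $1, $i; break } }'
}

# Run against the real /tmp (or the directory given as the first argument).
echo "== executables in ${1:-/tmp} =="
find_tmp_executables "${1:-/tmp}"
echo "== processes running from ${1:-/tmp} =="
find_processes_from "${1:-/tmp}"
```

A hit in either list is not proof of infection on its own (build tools and installers legitimately stage binaries in /tmp), but a fresh executable there whose process survived the browser being closed is exactly the pattern described above and worth pulling for analysis.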

A few points need to be made regarding Java and Mac OS X. Since Mac OS X 10.7 Lion, Java is no longer included with the operating system. However, the first time a user attempts to launch a Java applet, they see a dialog asking if they want to download Java. While most users may not use any Java applets, it is fairly common for online meeting and collaboration services to use Java, as it is cross-platform. Because of this, many Mac users may not realize that they have Java installed, as they may not remember having downloaded it when presented with such a request.

Also, the current version of Java for Mac OS X has patched the vulnerabilities that are being exploited. However, many Mac users who haven't applied all the necessary security updates are at risk of having this malware installed with no intervention on their part.

Intego's VirusBarrier X6 detects all current Flashback Trojan horse variants, so this new delivery method changes nothing for those users who are protected by VirusBarrier X6; the attempt to install this malware will be blocked, and users will be alerted.

  • http://profile.yahoo.com/JUMBDGWKE2FJELSXTKJXJUG664 Gary

    “Intego’s VirusBarrier X6 detects all current Flashback Trojan horse variants, so this new delivery method changes nothing for those users who are protected by VirusBarrier X6; the attempt to install this malware will be blocked, and users will be alerted.”

    This did not happen in my case. On the 7th of Feb I downloaded the security update 1.1 from Apple.

    On the 11th, my partner inadvertently downloaded the trojan file. I remember seeing what appeared to be the Netbeans program opened. I didn’t think anything of it at the time until I updated the virus definitions and did a full system scan.

    My partner was logged in under her own account.

    We definitely didn’t see any alert from VirusBarrier. I have sent the file in for assessment.

    cheers

  • Anonymous

    This one seems to be attacking quite a few users over the past two days. Is it the same one described here or yet another strain? Can you provide additional details on how it presents itself (same Flashplayer update dialog or something else); what files it installs and where; what are the symptoms of being infected? The ones being seen are displaying alphanumeric codes in the side and title bar of the Finder. None of the files deployed by version “A” have been found. Updating Java seems to make the symptoms disappear for at least some users, but does that also disable the Trojan?

    • http://www.intego.com Intego

      Yes, we’ve spotted a number of new variants in the past few days. VirusBarrier X6 detects all of them so far.
