Tibet Malware Takes Advantage of Java Vulnerability to Harvest Information on Macs

Posted on March 20th, 2012 by

A new malware, Tibet.A, has been discovered. It takes advantage of a Java vulnerability that has also been used recently by the Flashback malware. The vulnerability Tibet.A exploits is patched on up-to-date Macs, but it remains exploitable on systems where users have not applied system updates.

This malware starts by downloading a Java applet when users visit a booby-trapped web page. If the Mac in question does not have an up-to-date Java, the Tibet malware installs a backdoor, in a manner that has become increasingly common. The goal is to copy user data - generally user names, passwords and credit card numbers - and send it to remote servers. The web pages serving this malware check whether the computer loading the page is a Mac or a Windows PC, and serve the appropriate form of the malware for that platform.

One of the ways that users are lured to the infected websites is through e-mails that contain links to them. In this case, these e-mails have been seen to specifically target Tibetan non-governmental organizations, and this attack may be designed to try to obtain information from these organizations alone. AlienVault Labs has an extensive report about these attacks.

Infection requires no user interaction, and an infected Mac shows no visible indication that it has been compromised, unless the user is running software that detects outgoing network connections, such as the Anti-Spyware module in Intego VirusBarrier X6.
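Because the only visible sign described above is an unexpected outgoing connection, a practical check on a Mac is to look at which processes hold outbound sockets. The script below is an added example, not code from Intego or from this post: it parses `lsof -i -n -P` style output (the sample lines are constructed, using documentation address ranges such as 203.0.113.0/24 as stand-ins for external hosts) and flags any Java-family process with an outbound connection to a non-internal address. The process-name and address rules are assumptions for illustration; the post gives no process names or server addresses for Tibet.A, so the rule is deliberately generic.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout of `lsof -i -n -P` on a Mac. The 203.0.113.x
# and 198.51.100.x hosts are documentation ranges used here as "external" stand-ins.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    812  alice  19u  IPv4 0x01   0t0      TCP 192.168.1.10:50112->203.0.113.9:443 (ESTABLISHED)
java     4321  alice  25u  IPv4 0x02   0t0      TCP 192.168.1.10:52311->203.0.113.5:443 (ESTABLISHED)
java     4321  alice  26u  IPv4 0x03   0t0      TCP 127.0.0.1:52312->127.0.0.1:8080 (ESTABLISHED)
java     4321  alice  27u  IPv4 0x04   0t0      TCP *:9999 (LISTEN)
java     4321  alice  28u  IPv4 0x05   0t0      TCP 192.168.1.10:52313->198.51.100.7:80 (SYN_SENT)
"""

# Address ranges treated as internal (loopback, link-local, RFC 1918, IPv6 equivalents).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Socket states that indicate an outbound connection or connection attempt.
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

# lsof NAME column for a connected socket: local->remote
CONN_RE = re.compile(r"^(?P<local>\S+)->(?P<remote>\S+)$")


@dataclass
class Finding:
    command: str
    pid: int
    user: str
    remote_host: str
    remote_port: int
    state: str


def split_host_port(endpoint: str):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_internal(host: str) -> bool:
    """True if host is an IP literal inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname (lsof without -n); treat as external
    return any(ip in net for net in INTERNAL_NETS)


def parse_lsof_line(line: str):
    """Return (command, pid, user, local, remote, state) or None for non-connection rows."""
    fields = line.split()
    if len(fields) < 9 or fields[0] == "COMMAND":
        return None
    m = CONN_RE.match(fields[8])
    if not m:
        return None  # LISTEN sockets and UDP rows have no '->'
    state = fields[9].strip("()") if len(fields) > 9 else ""
    return fields[0], int(fields[1]), fields[2], m.group("local"), m.group("remote"), state


def find_java_outbound(lines):
    """Flag outbound connections from Java-family processes to non-internal hosts.

    Assumption: any COMMAND starting with 'java' (case-insensitive) counts as
    Java-family; lsof truncates long command names, so a prefix test is used.
    """
    findings = []
    for line in lines:
        parsed = parse_lsof_line(line)
        if parsed is None:
            continue
        command, pid, user, _local, remote, state = parsed
        if not command.lower().startswith("java") or state not in OUTBOUND_STATES:
            continue
        host, port = split_host_port(remote)
        if is_internal(host):
            continue
        findings.append(Finding(command, pid, user, host, port, state))
    return findings


if __name__ == "__main__":
    # On a live Mac, feed the output of `lsof -i -n -P` instead of SAMPLE_LSOF.
    for f in find_java_outbound(SAMPLE_LSOF.splitlines()):
        print(f"{f.command} (pid {f.pid}, {f.user}) -> {f.remote_host}:{f.remote_port} [{f.state}]")
```

Run against the constructed sample, the script reports the two Java connections to external hosts and ignores the browser's traffic, the loopback connection and the listening socket. A hit is a prompt to check whether Java is up to date and what launched the process, not proof of infection on its own, since legitimate Java applications also open outbound connections.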

Intego VirusBarrier X6 with malware definitions dated March 20, 2012 or later protects against this malware as Tibet.A. Although this malware has been found in the wild, the threat level is currently low.