A new version of the Flashback Trojan that targets Macs has appeared, and this one uses a drive-by download technique to attempt exploits of two Java vulnerabilities. The Flashback.G malware also tries to trick users into accepting a fake digital certificate, which will install the malware if the Java exploits fail.
The infection methods used by the new version of the malware are along the lines of what one might expect from a Windows-based attack. The drive-by download technique is a tried-and-true method for exploiting vulnerabilities in browsers, whether they be bugs in the browser itself or in a component or plug-in. This has been incredibly fertile ground for attackers in recent years and it only makes sense for them to take their talents to OS X as well.
Researchers at Intego recently came across this newest version of the Flashback Trojan for OS X doing just that, and more. The malware’s first move is to attempt the exploits on a pair of Java vulnerabilities. If one of those exploits works, the malware installs itself on the machine and injects some code into a variety of applications. That is where the fun begins.
“Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension,” Intego said in a blog post.
Whatever code the malware injects into the running applications causes them to become unstable and they often will crash. Intego said that Safari, Skype and other Web apps will crash, and that the malware also will call out to several remote domains to look for updated files to download. The goal of the malware appears to be to steal usernames and passwords for high-value sites such as online banking, PayPal and others.
If the first infection method fails, the malware will produce a Java applet that shows the user a dialog box that asks him to install a digital certificate that is supposedly self-signed by Apple. The certificate is a fake and if the user approves it, the Flashback.G malware will be installed.
“Most of the cases of infection we are seeing are on Macs running OS X 10.6 Snow Leopard. As we reported in our previous post, OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available,” Intego said.
Previous versions of Flashback have exhibited a number of other interesting behaviors, including the ability to disable Apple’s XProtect antimalware protection built into OS X.