A new version of the Flashback Trojan that targets Macs has appeared, and this one uses a drive-by download technique to attempt exploits of two Java vulnerabilities. The Flashback.G malware also tries to trick users into accepting a fake digital certificate, which will install the malware if the Java exploits fail.

The infection methods used by the new version of the malware are along the lines of what one might expect from a Windows-based attack. The drive-by download technique is a tried-and-true method for exploiting vulnerabilities in browsers, whether they be bugs in the browser itself or in a component or plug-in. This has been incredibly fertile ground for attackers in recent years and it only makes sense for them to take their talents to OS X as well.

Researchers at Intego recently came across this newest version of the Flashback Trojan for OS X doing just that, and more. The malware’s first move is to attempt the exploits on a pair of Java vulnerabilities. If one of those exploits works, the malware installs itself on the machine and injects some code into a variety of applications. That is where the fun begins.

“Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension,” Intego said in a blog post.

Whatever code the malware injects into the running applications causes them to become unstable and they often will crash. Intego said that Safari, Skype and other Web apps will crash, and that the malware also will call out to several remote domains to look for updated files to download. The goal of the malware appears to be to steal usernames and passwords for high-value sites such as online banking, PayPal and others.

If the first infection method fails, the malware will produce a Java applet that shows the user a dialog box that asks him to install a digital certificate that is supposedly self-signed by Apple. The certificate is a fake and if the user approves it, the Flashback.G malware will be installed. 

“Most of the cases of infection we are seeing are on Macs running OS X 10.6 Snow Leopard. As we reported in our previous post, OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available,” Intego said.

Previous versions of Flashback have exhibited a number of other interesting behaviors, including the ability to disable Apple’s XProtect antimalware protection built into OS X. 
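A defender-side check for the on-disk indicator Intego describes above (an invisible, dot-prefixed file with a .so extension sitting directly in /Users/Shared), written as an added example and not code from the article or from Intego. The directory argument and the sample tree it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: enumerate .so files at the top level of a user data folder
# (the article names /Users/Shared) and tag the dot-prefixed ones, which
# match the Flashback.G description, as HIDDEN. The directory is a
# parameter so the check can be exercised against a constructed tree.
find_suspect_so() {
    dir="${1:-/Users/Shared}"
    # find -name '*.so' matches dotfiles too, so both kinds are listed.
    find "$dir" -maxdepth 1 -type f -name '*.so' 2>/dev/null | while read -r f; do
        case "$(basename "$f")" in
            .*) echo "HIDDEN $f" ;;
            *)  echo "VISIBLE $f" ;;
        esac
    done
    # Caveat: macOS can also hide a file with the "hidden" flag (chflags),
    # which a name test does not see; `ls -lO "$dir"` shows that flag.
}

# Constructed sample tree for a dry run: one hidden .so, one visible .so,
# one benign file and one hidden file that is not a shared object.
make_sample() {
    d=$(mktemp -d)
    : > "$d/.libcrash.so"
    : > "$d/plugin.so"
    : > "$d/notes.txt"
    : > "$d/.DS_Store"
    printf '%s' "$d"
}

# Number of hidden .so files found under the given directory.
count_hidden_so() {
    find_suspect_so "$1" | grep -c '^HIDDEN '
}
```

Run `find_suspect_so` with no argument on a live Mac to inspect /Users/Shared itself; a hit is a reason to look further, not proof of infection on its own.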

Categories: Malware

Comments (7)

  1. Anonymous

    Java on all platforms is an easy attack vector, not only that, it can be used to send your internal IP, so turn off Java (not Javascript) in your browser's preferences as it’s rarely used. Also seriously consider using Firefox and the NoScript add-on, it’s the best browser protection one can get.

  2. Jan van Niekerk

    I’m tired of waiting for these viruses to support my platform. I think I should switch to Mac.

  3. Anonymous

    The ability to turn off scripting or control what scripts I let in my web browser is the only reason why I still browse the internet. If NoScript wasn’t around, I’d be booting off live linux distros just to go on the internet. Web designers need to start looking at security more. What’s the point of the majority of the scripts other than to make things look more pretty or to let in ads?

  4. Anonymous

    How do I stop it? Turn off Java in your browser preferences unless needed and if you're on OS X, then in Terminal: “java -version” (no quotes) and press enter. You should be on 1.6.0_29 and if not update it at Apple or software update. If Apple doesn’t supply an update, 10.5 and earlier users are S.O.L. for any security updates (don’t you just love Apple now?) then don’t run Java, or use your machine for anything personal or security related (banking) because we are ready to punk down your machine if we find you. LOL 😉

  5. Anonymous

    Thanks for the advice. Now everyone knows. See that’s how it helps people, not just telling them threats. Everyone knows threats are there, I do, you do. Java, always a problem for IE. Stay kewl anon.

    Dont let me catch ya :->
