New version of Flashback eludes Apple's XProtect

No password required for new variant which bypasses Apple's detection tools



A new variant of the Flashback Trojan, discovered by Intego, is able to install itself without prompting for a password and eludes Apple's XProtect anti-malware tool.

Intego researcher Lysa Myers told Security Watch: "It's an entirely silent install now. We've seen silent installs on OS X before, but this is the first time we've seen something to this extent."

"It's just making better use of the Java vulnerability," she told Security Watch.

This new version, labelled Flashback.S, still exploits the same Java vulnerability but has been tweaked to get around Apple's XProtect, according to Sophos's Chester Wisniewski.

XProtect relies on exact fingerprints of known samples, so even a small change to the malware defeats it. Security Watch highlights that last year, when Apple updated the XProtect signature for Mac Defender, the malware's authors simply tweaked it to bypass the new definition.

The report also criticises Apple for only providing updates for Lion and Snow Leopard users; users of earlier versions of OS X are simply told to disable Java.

Flashback.S drops two files in the user's home folder, a launch agent and a hidden file, at the following locations:

~/Library/LaunchAgents/com.java.update.plist

~/.jupdate
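The two paths above are the only indicators of compromise the article gives, so a quick check for them is the obvious first step before reaching for an anti-virus scan. The script below is an added example written for this page, not code from Intego, Sophos or Macworld. It assumes the filenames are exactly as reported (a further-tweaked variant could use different names, so a clean result here proves nothing on its own), and the demonstration at the bottom runs against a constructed temporary directory rather than a real infection.

```shell
#!/bin/sh
# Added example: check a home directory for the two Flashback.S drop
# locations reported by Intego. Assumption: the names are exactly as
# published; a variant using other names will not be caught by this check.

FLASHBACK_S_IOCS="Library/LaunchAgents/com.java.update.plist .jupdate"

# check_flashback_iocs <home_dir>
# Prints every indicator found. Returns 0 if none are present, 1 otherwise.
check_flashback_iocs() {
    home_dir="$1"
    found=0
    for rel in $FLASHBACK_S_IOCS; do
        path="$home_dir/$rel"
        if [ -e "$path" ]; then
            echo "FOUND: $path"
            found=1
        fi
    done
    return $found
}

# count_flashback_iocs <home_dir>
# Prints how many of the indicators are present (0, 1 or 2).
count_flashback_iocs() {
    n=0
    for rel in $FLASHBACK_S_IOCS; do
        if [ -e "$1/$rel" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# remove_flashback_s <home_dir>
# Unloads the launch agent (macOS only; launchctl is assumed to be present
# there) and deletes both files. Keep copies first if you want a sample.
remove_flashback_s() {
    agent="$1/Library/LaunchAgents/com.java.update.plist"
    if [ -e "$agent" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload -w "$agent" 2>/dev/null || true
    fi
    rm -f "$agent" "$1/.jupdate"
}

# On a live Mac you would run:  check_flashback_iocs "$HOME"
# Demonstration on a constructed directory layout (not a real infection):
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Library/LaunchAgents"
touch "$demo_dir/Library/LaunchAgents/com.java.update.plist"
touch "$demo_dir/.jupdate"
check_flashback_iocs "$demo_dir" || echo "indicators present: $(count_flashback_iocs "$demo_dir") of 2"
remove_flashback_s "$demo_dir"
check_flashback_iocs "$demo_dir" && echo "clean after removal"
rm -rf "$demo_dir"
```

Because XProtect matches exact fingerprints, a presence check on well-known drop paths like this one is a useful complement rather than a replacement: it survives byte-level tweaks to the binary but not a change of filenames.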

Once installed, it deletes the cached Java files to hinder detection and sample recovery, according to Intego.

Sophos claims that the difference between Flashback.S and the previous variant is so minor that Sophos and other Mac anti-virus products will still detect it.

The Flashback.G variant was discovered by Intego in February. It can inject code into web browsers and other applications that connect to the Internet, often causing them to crash. It attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other nefarious ways.

That Flashback variant, discovered two months ago, asked for an administrator password but would still install if the user declined to enter one.

Contrary to reports by several security companies, the Flashback botnet is not shrinking, the Russian antivirus firm that first reported the massive infection three weeks ago claimed today. Dr. Web, which earlier this month was the first to report the largest-ever successful malware attack against Apple's OS X, said on Friday that the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.

Comments received


theanimaster said on Tue, 24 Apr 2012

Errr... so do we just update Java or disable it entirely (on 10.7.3)?

The impression here is that the worm still relies on old Java exploits?

Jonah said on Tue, 24 Apr 2012

What you do is buy Intego's products. That is the only way.

chinajon said on Mon, 30 Apr 2012

These guys are just trying to get publicity. I saw today where there are 55,000 Android malwares released EVERY DAY. And all I see in the news are about OSX. Android is also a new operating system with about the same market share as OSX. Why are the attacks on Android ignored?
