A new variant of the Flashback Trojan has been discovered by Intego that is able to install itself without a password and elude Apple’s XProtect anti-malware tool.
Intego researcher Lysa Myers told Security Watch: "It's an entirely silent install now. We've seen silent installs on OS X before, but this is the first time we've seen something to this extent."
"It's just making better use of the Java vulnerability," she told Security Watch.
This new version, labelled Flashback.S, is still exploiting the same Java vulnerability but has been tweaked to get around Apple’s XProtect, according to Sophos’s Chester Wisniewski.
XProtect relies on exact fingerprints of the malware. Security Watch highlights that last year when Apple updated its signature in XProtect, malware writers simply tweaked Mac Defender to bypass it.
The report also criticises Apple for only protecting Lion and Snow Leopard users. Other Mac users are just told to disable Java.
Flashback.S drops two files in the user's home folder at the following locations:
Once installed, it deletes cached Java files to avoid detection or sample recovery, according to Intego.
Sophos claims that the difference between Flashback.S and the previous variant is so minor that Sophos and other Mac anti-virus products will still detect it.
The Flashback.G variant was discovered by Intego in February. It can inject code into web browsers and other applications that connect to the Internet, often causing them to crash. It attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other nefarious ways.
That Flashback variant discovered two months ago asked for administrative privileges, but did not require them.
Contrary to reports by several security companies, the Flashback botnet is not shrinking, the Russian antivirus firm that first reported the massive infection three weeks ago claimed today. Dr. Web, which earlier this month was the first to report the largest-ever successful malware attack against Apple's OS X, said on Friday that the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.