
Year In Mac Security 2012


New Mac Spyware Discovered – OSX/Dockster.A (Malware)

Update, December 3, 2012: This malware is now known to be in the wild, on a website dedicated to the Dalai Lama, and the remote address contacted by the backdoor is now active. The exploit code used to drop the backdoor is the same as that used by SabPab. This is still considered low risk, as the malware is not known to be widespread and the vulnerability targeted by the exploit code is fixed in the latest version of Java.

A sample of a new Mac spyware called OSX/Dockster.A was found today on VirusTotal. If it is executed, the trojan deletes itself from the location where it was run and installs itself in the user's home directory with the filename .Dockset. The backdoor functionality of this trojan is quite basic: it provides a simple remote shell that gives the trojan's controller remote access, it allows the controller to download additional files, and it logs keystrokes.

OSX/Dockster Found on Tibetan Website

New Multiplatform Backdoor Jacksbot Discovered (Malware)

Update, October 15, 2012: Upon further analysis, it has been determined that this trojan is the Java RAT (aka jRAT) created by the hacker/programmer redpois0n.

A new Java backdoor trojan called Java/Jacksbot.A has been discovered that has partial multiplatform support. It is fully functional on Windows, and partially functional on OS X and Linux. This trojan is currently considered low risk, as it is not known to have infected users and it does not run without root permissions. Jacksbot has the usual backdoor functionality, including the following capabilities:

- gathering system information
- taking screenshots
- performing denial of service attacks
- deleting files
- stealing passwords (including, specifically, Minecraft passwords)
- visiting remote URLs, likely to perform click fraud

[Code screenshot: this code is looking for Minecraft passwords.]

It appears likely that this trojan is intended to be dropped by another component that has not yet been identified.

New Java Zero-Day Exploit Shows Multi-Platform Development (Malware)

Update, September 10, 2012: This exploit has been patched by Oracle and Apple. You can find more information about the update here.

Update, August 29, 2012: The exploit has now been given a reference number in the Common Vulnerabilities and Exposures list: CVE-2012-4681.

There is a new Java zero-day exploit that was discovered last night, which is currently being used in targeted attacks against Windows users to deliver the Poison Ivy Remote Access Trojan. The exploit works in all major browsers and appears to work on some versions of Linux, OS X 10.7 and higher, as well as Windows, if you are using the latest version of Java.

At this time there is no patch available for this exploit, so it is highly recommended that you disable Java until this vulnerability has been fixed. Java is a popular vehicle for malware authors: an unpatched Java flaw was largely responsible for the success of Flashback earlier this year.

OSX/Tsunami Variant Found Dropped by Java 0-Day (Malware)

A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by download by the new Java 0-day exploit, CVE-2012-4681. This method of infection has not yet been confirmed, but as this OS X malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, the incidents seem at least related. At the time of writing, the JAR file that was purported to be dropping this trojan has been replaced with a bit of threatening text. It seems that someone may know they have been discovered. Either way, this means we have two issues:

- A malware variant has been discovered, and
- It may be spreading via an unpatched Java exploit.
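The advice above is to disable Java until CVE-2012-4681 is fixed, and the exploit is only a danger on OS X when Java 7 is installed. The following is an added example, not code from this page or from Intego, that classifies a `java -version` banner into the affected range. Two facts it relies on are not stated on this page: Oracle shipped the fix in Java SE 7 Update 7, so 1.7.0_07 and later are patched, and `java -version` prints its banner to stderr. The sample banners in the test are constructed.

```python
"""Classify an installed Java runtime against the CVE-2012-4681 affected range.

Added example, not from this page or Intego.  Facts used: the exploit only
endangers OS X users with Java 7 installed (this page); Oracle's fix shipped in
Java SE 7 Update 7, so 1.7.0_07 and later are patched (Oracle's advisory, not
this page).  `java -version` writes its banner to stderr, so stderr is read.
"""
import re
import subprocess

# Matches 'java version "1.7.0_06"' and 'openjdk version "1.7.0_06"'.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')
FIXED_UPDATE = 7  # Java 7 Update 7 (7u7)

AFFECTED, NOT_AFFECTED, PATCHED, UNKNOWN = "AFFECTED", "NOT_AFFECTED", "PATCHED", "UNKNOWN"


def parse_java_version(banner):
    """Return (feature_release, update) from a `java -version` banner,
    e.g. 'java version "1.7.0_06"' -> (7, 6); None if no banner is present."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, _patch, update = m.groups()
    feature = int(minor) if int(major) == 1 else int(major)  # "1.7.x" -> 7
    return feature, int(update or 0)


def cve_2012_4681_status(banner):
    """AFFECTED for Java 7 before 7u7, NOT_AFFECTED for Java 6 and earlier,
    PATCHED for 7u7 or later, UNKNOWN when no runtime banner is found."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return UNKNOWN  # no Java reported: nothing for the exploit to target
    feature, update = parsed
    if feature < 7:
        return NOT_AFFECTED  # Apple's Java 6 is outside the affected range
    if feature == 7 and update < FIXED_UPDATE:
        return AFFECTED  # disable Java in the browser or update to 7u7+
    return PATCHED


def installed_java_banner():
    """Run `java -version` and return its banner text ("" if Java is absent)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    print(banner.strip() or "no java binary found")
    print("CVE-2012-4681:", cve_2012_4681_status(banner))
```

The check reports the runtime that `java` on the PATH resolves to; it says nothing about whether a browser's Java plug-in is enabled, which is what the drive-by attack needs, so a PATCHED result is not a reason to re-enable Java in the browser.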

About the Malware

The Tsunami family was originally a Linux hacker tool (calling itself Kaiten) created in 2002. This variant is an IRC bot like its predecessor.

The Unpatched Java Exploit

It is important to note that this Java 0-day exploit is only a danger to OS X users who have installed Java 7.

An Analysis of the Cross-Platform Backdoor NetWeirdRC (Malware)

A backdoor called OSX/NetWeirdRC has been found that affects OS X (versions 10.6 and higher), Windows, Linux and Solaris. Much like OSX/Crisis, this is a commercial remote access tool that was leaked to VirusTotal.

This malware appears to be in the wild, but the risk is considered low at this time. It is not known how the malware would arrive, though presumably it would be part of a targeted attack and would come with a custom dropper or entice the user to run a file through social engineering. In testing, it was found that this malware is not persistent: perhaps due to a bug, it does not restart after a reboot, and it will lie dormant unless it is manually restarted or removed.

The sample we received copies itself to the user's home directory, though this is configurable and may vary. Once it is installed, it calls home to the IP address 212.7.208.65 on port 4141 and awaits instructions. A temporary file is created so that the malware knows whether it has already been installed:

Friday the 13th Malware: New Flashback Trojan Horse Variant Follows Apple's Xprotect Update

New Flashback Trojan Horse Variant Uses Novel Delivery Method to Infect Macs (Malware)

Intego first discovered the Flashback Trojan horse in September 2011, and since then has seen a number of variants of this malware. A variant discovered in October 2011 notably damaged some system files. In the past few months, Intego has found new variants of the Flashback Trojan horse every few days, but the company's latest discovery is a bit surprising.

The people behind the Flashback Trojan horse have begun using a novel delivery method to infect Macs. Found in the wild, this new variant installs an executable file in the /tmp directory, applies executable permissions with the chmod command, then launches the executable with the nohup command. A few points need to be made regarding Java and Mac OS X. Also, the current version of Java for Mac OS X has patched the vulnerabilities that are being exploited.

Flashback Mac Trojan Horse Infections Increasing with New Variant (Malware)

We recently reported on a new variant of the Flashback Trojan horse which uses novel techniques to infect Macs. Since then, we have discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.

How this malware infects Macs

This new variant of the Flashback Trojan horse uses three methods to infect Macs. It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash.

/Users/Shared/.PCImageEditor.so

There is also a file created at:

/Users/Shared/.svcdmp

and a plist file, used to patch applications, at:

Further Information About the Flashback.G Malware (Malware)

We would like to offer a bit more information about the Flashback.G malware, which we reported on last week. It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page and their Java is not up to date, the installation will occur without their intervention.

If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and will not have to launch any other software to allow the installation to take place. While we are still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac downloads more code from a remote server, and deletes the original.

Flashback Mac Malware Uses Twitter as Command and Control Center (Malware + Recommended)

The Flashback malware, which Intego pointed out was infecting an increasing number of Macs, turns out to be using a novel technique to operate. Many types of malware use command and control servers that they connect to in order to get instructions from the creators of the malware.

The problem with using these servers is that their IP addresses are specified in the malware code, and the servers can generally be taken down. Flashback, however, uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags are not as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego's malware research team cracked the 128-bit RC4 encryption used for Flashback's code and discovered the keys to this system. The hashtags are made up of twelve characters.

Flashback Malware: New Variant Changes Twitter Hashtags (Malware + Recommended)

We recently reported on how the Flashback malware was using Twitter as a command and control center, using a correspondence table between dates and four-letter strings and combining them to make twelve-letter strings. The malware sends HTTP requests to Twitter every hour, searching for these hashtags, and only for those tweets posted since the last time it checked, but we have yet to find any actual tweets containing them.
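The hashtag scheme described above, as an added example that is not Intego's analysis code and not the malware's own code. The correspondence table below is constructed for illustration and is not the table Intego published; the assumption that the three four-letter codes come from day-of-month, month and year is also mine. The example goes a little beyond the text: it precomputes the hashtags for a run of days (what a defender would do to watch the search terms in advance), it mimics the hourly poll that keeps only tweets newer than the last check, and its table is a parameter, so swapping one entry shows how a single changed letter alters a whole day's hashtag. The tweets are constructed, not real.

```python
"""Date-derived Twitter hashtag C2, in the style this page describes for
Flashback: a correspondence table maps date components to four-letter codes,
which are concatenated into a twelve-letter hashtag that changes every day.

Added example, not Intego's or the malware's code.  The codes here are
CONSTRUCTED and are not the ones Intego published.  Assumption: the three
components are day-of-month, month and year.
"""
import datetime
import re

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _constructed_code(index, salt):
    """Made-up four-letter code for one table entry (deterministic stand-in data)."""
    return "".join(ALPHABET[(salt + index * k) % 26] for k in (1, 3, 7, 11))


# Constructed correspondence table: one four-letter code per day, month and year.
CONSTRUCTED_TABLE = {
    "day": {d: _constructed_code(d, 0) for d in range(1, 32)},
    "month": {m: _constructed_code(m, 5) for m in range(1, 13)},
    "year": {y: _constructed_code(y - 2000, 17) for y in range(2011, 2014)},
}


def hashtag_for(date, table=CONSTRUCTED_TABLE):
    """The twelve-letter hashtag the bot would search for on `date`."""
    return table["day"][date.day] + table["month"][date.month] + table["year"][date.year]


def hashtags_for_range(start, days, table=CONSTRUCTED_TABLE):
    """Precompute upcoming hashtags; with the table in hand a defender can
    monitor or register them ahead of the bot's hourly searches."""
    return [hashtag_for(start + datetime.timedelta(days=i), table) for i in range(days)]


def with_changed_code(table, component, key, new_code):
    """Copy of `table` with one entry swapped, mirroring a one-letter table change."""
    patched = {name: dict(codes) for name, codes in table.items()}
    patched[component][key] = new_code
    return patched


HASHTAG_RE = re.compile(r"#([a-z]{12})\b")


def find_commands(tweets, expected_hashtags, since):
    """Mimic the bot's hourly poll: keep only tweets posted after `since`
    that carry one of the expected twelve-letter hashtags."""
    hits = []
    for posted_at, text in tweets:
        if posted_at <= since:
            continue
        if any(tag in expected_hashtags for tag in HASHTAG_RE.findall(text)):
            hits.append((posted_at, text))
    return hits


# Constructed tweets (not real); the first carries the hashtag for 2012-04-05.
SAMPLE_TWEETS = [
    (datetime.datetime(2012, 4, 5, 9, 30), "hello #fpjdjrhxdbxt bumpbegin:http://example.invalid/payload"),
    (datetime.datetime(2012, 4, 5, 8, 0), "stale #fpjdjrhxdbxt posted before the last poll"),
    (datetime.datetime(2012, 4, 5, 10, 0), "unrelated #macmalware chatter"),
]

if __name__ == "__main__":
    today = datetime.date(2012, 4, 5)
    print("hashtags for the next 3 days:", hashtags_for_range(today, 3))
    since = datetime.datetime(2012, 4, 5, 9, 0)
    print("commands:", find_commands(SAMPLE_TWEETS, {hashtag_for(today)}, since))
    changed = with_changed_code(CONSTRUCTED_TABLE, "month", 4, "jrhy")
    print("after a one-letter table change:", hashtag_for(today, changed))
```

Because the hashtag is a pure function of the date and the table, anyone holding the table can enumerate every future search term; that is why publishing the codes forced a table change, and why the defender's counter-move is to watch or register those terms rather than block an account.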

After our blog post, the latest variant contains a slightly different correspondence table. One letter in most of the four-letter codes has changed, and one is the same. Here are the new codes:

We are certain that this change was made because we published the previous codes.

New Flashback Variant Changes Tack to Infect Macs (Malware)

Intego has discovered a new variant of the Flashback malware, Flashback.N, which has been changed since our blog post showing how Flashback used Twitter as a command and control center. This new variant changes the files it installs and their location: the files we specified in our blog post of February 23 are no longer used.

In addition, it uses a different social engineering trick if it fails to install itself via the Java vulnerabilities that we mentioned in that blog post. The new version of the Flashback malware installs after Mac users visit infected web sites. In Intego's tests, the installation procedure was somewhat odd: web sites display a spinning gear for some time, before finally displaying a password request dialog pretending to be from Software Update, Apple's tool for downloading and installing software.

Next, Flashback injects code into Safari when the browser is launched.

New Flashback Variant Takes Advantage of Unpatched Java Vulnerability (Malware)

A new variant of the Flashback malware has been found in the wild. This variant uses a Java vulnerability, as a previous variant did. It takes advantage of two Java vulnerabilities, one of which has not yet been patched by Apple in the version of Java that they supply. Intego has had samples of this variant of the Flashback malware since March 23, and has been finding new samples and variants of this malware almost daily since then.

In any case, the safest thing that users can do is turn off Java in their web browser. It is worth noting that, given the reactivity of the creators of this malware, it can be risky to follow instructions presented on some websites about removing it.

Hundreds of Thousands of Macs Infected by Flashback Malware (Malware + Recommended)

Since the latest variants of the Flashback malware have appeared, this malware has been very effective in infecting Macs. Because it exploits a Java vulnerability, infection occurred in many cases with no user intervention. Russian security company Dr. Web, which analyzed server traffic to the Flashback command and control servers, estimates that more than 500,000 Macs are infected.

Apple has since released a Java update, patching the vulnerability that Flashback was using, and it is essential that all Mac users apply this update. Intego's Malware Research Team has seen dozens of variants of the Flashback malware in the past week, showing a rarely seen level of activity for Mac malware. This malware has changed greatly from its first incarnation. Intego VirusBarrier X6 protects against Flashback and all other Mac malware.

How Do I Detect and Remove Flashback? (Security News)

There have been many articles over the past few weeks about the various new Flashback variants. This has raised the visibility of the Mac malware situation, which is a good thing, as there have been threats actively circulating in the Mac world for years now. Users are being infected, yet security knowledge among Mac users had not kept pace with that reality.

Now more people understand that Macs have never been immune to malware. Many reputable sources have published thorough, technical articles about the Flashback malware. This post is for those of you who just want a quick article to explain how you can check to see if your Mac is infected, and how you can protect yourself. The latest variants of Flashback are silent; you may never be aware that you are infected unless you specifically look for signs of infection. As a result of the recent press, many people want to know how to detect and remove a Flashback infection.

Offers Free Software for Detecting All Variants of Flashback Malware (Intego + Recommended)

Since September 2011, Mac users have been targeted by the Flashback malware, in what some commentators are now calling an epidemic. This malware has gone through many changes since Intego first discovered it, morphing from a Trojan horse to a drive-by download. While the means of delivery has changed, the malware that is installed on Macs is the same, though there are many variants of it. More than 600,000 Macs are known to be infected by the Flashback malware, and most Mac users do not know whether they are infected or not. If Apple's Flashback removal tool does find that you are infected with one of the "most common variants of Flashback," it will remove the malware and display an alert. However, in Intego's tests, this alert displayed very quickly and disappeared almost immediately. Unfortunately, this information can be misleading, because the instructions that circulate discuss just one variant of the Flashback malware.
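For readers who want the quick check the detection post above promises, here is an added example that is neither Intego's detection software nor Apple's removal tool. From this page it takes the Flashback.G indicators named earlier: the dropped files /Users/Shared/.PCImageEditor.so and /Users/Shared/.svcdmp, and a plist "used to patch applications". What that plist does is an assumption taken from the removal instructions published at the time (F-Secure's, among others), not from this page: it sets DYLD_INSERT_LIBRARIES, either in ~/.MacOSX/environment.plist or under LSEnvironment in a browser's Info.plist, so the malware's library is loaded into network-using applications. The demo tree the example scans is constructed in a temporary directory; the default paths point at the live system.

```python
"""Look for the Flashback.G indicators this page names, plus the library
injection settings that published Flashback removal instructions check.

Added example: not Intego's detection tool and not Apple's removal tool.
From this page: /Users/Shared/.PCImageEditor.so, /Users/Shared/.svcdmp and a
plist "used to patch applications".  Assumption (from public removal
instructions, not this page): that plist sets DYLD_INSERT_LIBRARIES in
~/.MacOSX/environment.plist or under LSEnvironment in a browser's Info.plist.
"""
import plistlib
import shutil
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

SHARED_INDICATORS = (".PCImageEditor.so", ".svcdmp")  # named on this page
INJECTION_KEY = "DYLD_INSERT_LIBRARIES"                # assumption, see above


def _dict_from_plist(path, nested_key=None):
    """Load a plist (XML or binary) and return the dict at `nested_key`, or {}."""
    try:
        with Path(path).open("rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
        return {}
    if nested_key is not None:
        data = data.get(nested_key, {}) if isinstance(data, dict) else {}
    return data if isinstance(data, dict) else {}


def scan(shared_dir="/Users/Shared", home_dir=Path.home(),
         app_dirs=("/Applications/Safari.app", "/Applications/Firefox.app")):
    """Return human-readable findings; an empty list means no indicator was seen."""
    shared_dir, home_dir = Path(shared_dir), Path(home_dir)
    findings = []
    for name in SHARED_INDICATORS:
        if (shared_dir / name).exists():
            findings.append(f"dropped file present: {shared_dir / name}")
    env_plist = home_dir / ".MacOSX" / "environment.plist"
    env = _dict_from_plist(env_plist)
    if INJECTION_KEY in env:
        findings.append(f"{INJECTION_KEY} in {env_plist}: {env[INJECTION_KEY]}")
    for app in app_dirs:
        info = Path(app) / "Contents" / "Info.plist"
        env = _dict_from_plist(info, "LSEnvironment")
        if INJECTION_KEY in env:
            findings.append(f"{INJECTION_KEY} in {info}: {env[INJECTION_KEY]}")
    return findings


def demo():
    """Build a CONSTRUCTED infected-looking tree in a temp dir, scan it, clean up."""
    root = Path(tempfile.mkdtemp(prefix="flashback_demo_"))
    shared, home, app = root / "Shared", root / "home", root / "Safari.app"
    lib = shared / ".PCImageEditor.so"
    shared.mkdir()
    lib.write_bytes(b"not a real dylib")  # placeholder bytes, not malware
    (home / ".MacOSX").mkdir(parents=True)
    with (home / ".MacOSX" / "environment.plist").open("wb") as fh:
        plistlib.dump({INJECTION_KEY: str(lib)}, fh)
    (app / "Contents").mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleName": "Safari",
                       "LSEnvironment": {INJECTION_KEY: str(lib)}}, fh)
    try:
        return scan(shared, home, (app,))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in demo():
        print("[demo]", line)
    live = scan()
    print("\n".join(live) if live else "no Flashback.G indicators found on this host")
```

A clean result only means these particular indicators are absent: the posts above note that later variants changed the files they install and their locations, so the file list has to be refreshed per variant, whereas the DYLD_INSERT_LIBRARIES check catches the injection mechanism regardless of the library's name.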

1 in 100 Macs Infected by Flashback Malware
Flashback Mac Infection Rates Underestimated
DNS Redirection Protects Against Flashback Malware, Leads to False Infection Rates
New Flashback Variant Continues Java Attack, Installs Without Password
Flashback Mac Malware: Number of Infected Macs Not Decreasing (Update)
What are the Symptoms of the Flashback Malware?
Flashback Is Not a Trojan Horse; What Is It?
Where Does the Flashback Malware Come From?
What is Flashback?
Infographic – Mac Flashback Malware
Apple Releases Java Update; Includes Fix for Vulnerability Exploited by Flashback Malware
Apple Issues Second Java Update to Patch Vulnerability Exploited by Flashback Malware
Apple Issues Java Update and Flashback Removal Tool

Apple Releases Standalone Flashback Removal Tool
New Apple Mac Trojan Called OSX/Crisis Discovered
More on OSX/Crisis: Advanced Spy Tool
OSX/Crisis Has Been Used as Part of a Targeted Attack
New Crisis Behavior Observed, Now Infecting Virtual Machines
New Multi-platform Backdoor Discovered
Tibet Malware Takes Advantage of Java Vulnerability to Harvest Information on Macs

Tibet.C Malware Delivered by Poisoned Word Documents Installs Backdoors on Macs
New Tibet Variant Found
Mac PDF Trojan Horse Surfaces; Threat is Low
New Version of Imuler Trojan Horse Masquerades as Image Files
New Imuler Variant Found: Steer Clear of "Your Dirty Pics"
New OSX/Imuler Variant Targeting Tibetan Activists
New SabPab Variant Uses Word Files to Infect Macs
SabPab Backdoor Exploits Java Vulnerability
Windows Hacker Tool Creates Word Documents that Can Infect Macs