New Mac Spyware Discovered – OSX/Dockster.A
Update: December 3, 2012. This malware is now known to be in the wild, on a website dedicated to the Dalai Lama, and the remote address contacted by the backdoor is now active. The exploit code used to drop the backdoor is the same as that used by SabPab. This is still considered low-risk, as it is not known to be widespread and the vulnerability targeted by the exploit code is corrected by the latest version of Java.
A sample of a new Mac spyware called OSX/Dockster.A was found today on VirusTotal. If it is executed, the trojan deletes itself from the location where it was run and installs itself in the user's home directory with the filename .Dockset. The backdoor functionality of this trojan is quite basic: it provides a simple remote shell which allows the trojan's controller remote access, it allows the controller to download additional files, and it logs keystrokes.

OSX/Dockster Found on Tibetan Website

New Multiplatform Backdoor Jacksbot Discovered
Update – October 15, 2012. Upon further analysis, it has been determined that this trojan is the Java RAT (aka jRAT) created by the hacker/programmer redpois0n.
A new Java backdoor trojan called Java/Jacksbot.A has been discovered that has partial multiplatform support. It is fully functional on Windows, and partially functional on OS X and Linux. This trojan is currently considered low risk, as it is not known to have infected users, and it does not run without root permissions. Its capabilities include:
- gathering system information
- taking screenshots
- performing denial of service attacks
- deleting files
- stealing passwords (including, specifically, Minecraft passwords)
- visiting remote URLs, likely to perform click fraud
[Figure: code excerpt. Caption: This code is looking for Minecraft passwords.]

New Java Zero-Day Exploit Shows Multi-Platform Development
Update September 10, 2012. This exploit has been patched by Oracle and Apple. You can find more information about the update here.

OSX/Tsunami Variant Found Dropped by Java 0-Day
A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by download by the new Java 0-day exploit, CVE-2012-4681. This method of infection has not yet been confirmed, but as this OS X malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, the two seem at least to be related incidents. At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text. It seems like maybe someone knows they've been discovered?

An Analysis of the Cross-Platform Backdoor NetWeirdRC
A backdoor called OSX/NetWeirdRC has been found that affects OS X (versions 10.6 and higher), Windows, Linux and Solaris. Much like OSX/Crisis, this is a commercial remote access tool that was leaked to VirusTotal. This malware appears to be in the wild, but the risk is considered low at this time.

Friday the 13th Malware: New Flashback Trojan Horse Variant Follows Apple's XProtect Update

New Flashback Trojan Horse Variant Uses Novel Delivery Method to Infect Macs
Intego first discovered the Flashback Trojan horse in September 2011, and since then has seen a number of variants of this malware. A variant discovered in October 2011 notably damaged some system files. In the past few months, Intego has found new variants of the Flashback Trojan horse every few days, but the company's latest discovery is a bit surprising: the people behind the Flashback Trojan horse have begun using a novel delivery method to infect Macs.

Flashback Mac Trojan Horse Infections Increasing with New Variant

Further Information About the Flashback.G Malware
We would like to offer a bit more information about the Flashback.G malware, which we reported on last week. It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won't have to launch any other software to allow the installation to take place. While we're still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different.

Flashback Mac Malware Uses Twitter as Command and Control Center
The Flashback malware, which Intego pointed out was infecting an increasing number of Macs, turns out to be using a novel technique to operate. Many types of malware connect to command and control servers in order to get instructions from the creators of the malware. The problem with using these servers is that their IP addresses are specified in the malware code, and the servers can generally be taken down. Flashback, however, uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. The hashtags are made up of twelve characters.

Flashback Malware: New Variant Changes Twitter Hashtags
We recently reported on how the Flashback malware was using Twitter as a command and control center, using a correspondence table between dates and four-letter strings and combining them to make twelve-letter strings. The malware sends HTTP requests to Twitter every hour, searching for these hashtags, and only in those tweets posted since the last time it checked, but we have yet to find any actual tweets containing them. After our blog post, the latest variant contains a slightly different correspondence table. One letter in most of the four-letter codes has changed, and one code is the same. Here are the new codes: We're certain that this change was made because we published the previous codes.

New Flashback Variant Changes Tack to Infect Macs
Intego has discovered a new variant of the Flashback malware, Flashback.N, which has been changed since our blog post showing how Flashback used Twitter as a command and control center. This new variant changes the files it installs and their location: the files we specified in our blog post of February 23 are no longer used. In addition, it uses a different social engineering trick if it fails to install itself via the Java vulnerabilities that we mentioned in that blog post. The new version of the Flashback malware installs after Mac users visit infected web sites. In Intego's tests, the installation procedure was somewhat odd: web sites display a spinning gear for some time before finally displaying a password request dialog pretending to be from Software Update, Apple's tool for downloading and installing software. Next, Flashback injects code into Safari when the browser is launched.

New Flashback Variant Takes Advantage of Unpatched Java Vulnerability

Hundreds of Thousands of Macs Infected by Flashback Malware
Since the latest variants of the Flashback malware have appeared, this malware has been very effective in infecting Macs. Exploiting a Java vulnerability, infections occurred, in many cases, with no user intervention. Russian security company Dr. Web, which analyzed server traffic to the Flashback command and control servers, estimates that more than 500,000 Macs are infected.

How Do I Detect and Remove Flashback?
There have been many articles over the past few weeks about the various new Flashback variants. This has raised the visibility of the Mac malware situation, which is a good thing, as there have been threats actively circulating in the Mac world for years now. Users are being infected, yet security knowledge among Mac users had not kept pace with that reality.

Offers Free Software for Detecting All Variants of Flashback Malware
Since September 2011, Mac users have been targeted by the Flashback malware, in what some commentators are now calling an epidemic. This malware has gone through many changes since Intego first discovered it, morphing from a Trojan horse to a drive-by download. While the means of delivery has changed, the malware that is installed on Macs is the same, but there are many variants of it. More than 600,000 Macs are known to be infected by the Flashback malware, and most Mac users don't know whether they are infected or not. If Apple's Flashback removal tool does find that you are infected with one of the "most common variants of Flashback," it will remove the malware and display an alert.

1 in 100 Macs Infected by Flashback Malware

Flashback Mac Infection Rates Underestimated

DNS Redirection Protects Against Flashback Malware, Leads to False Infection Rates

New Flashback Variant Continues Java Attack, Installs Without Password

Flashback Mac Malware: Number of Infected Macs Not Decreasing (Update)

What are the Symptoms of the Flashback Malware?

Flashback Is Not a Trojan Horse; What Is It?

Where Does the Flashback Malware Come From?
The Flashback malware, which has been attacking Macs in various forms, using multiple techniques, since September 2011, has been especially effective in the past couple of months. Much attention has been paid to the Java vulnerabilities that Flashback uses in its most recent versions, and to the need for Mac users to apply security updates to Java.

What is Flashback?

Infographic – Mac Flashback Malware

Apple Releases Java Update; Includes Fix for Vulnerability Exploited by Flashback Malware
Apple has released Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7, featuring a dozen security fixes, including one for the vulnerability used by a recent variant of the Flashback malware, CVE-2012-0507.

Apple Issues Second Java Update to Patch Vulnerability Exploited by Flashback Malware

Apple Issues Java Update and Flashback Removal Tool

Apple Releases Standalone Flashback Removal Tool

New Apple Mac Trojan Called OSX/Crisis Discovered

More on OSX/Crisis – Advanced Spy Tool

OSX/Crisis Has Been Used as Part of a Targeted Attack

New Crisis Behavior Observed, Now Infecting Virtual Machines

New Multi-platform Backdoor Discovered

Tibet Malware Takes Advantage of Java Vulnerability to Harvest Information on Macs

Tibet.C Malware Delivered by Poisoned Word Documents Installs Backdoors on Macs

New Tibet Variant Found

Mac PDF Trojan Horse Surfaces; Threat is Low

New Version of Imuler Trojan Horse Masquerades as Image Files

New Imuler Variant Found – Steer Clear of "Your Dirty Pics"

New OSX/Imuler Variant Targeting Tibetan Activists

New SabPab Variant Uses Word Files to Infect Macs

SabPab Backdoor Exploits Java Vulnerability

Windows Hacker Tool Creates Word Documents that Can Infect Macs