Flashback Malware Evolves to Exploit Unpatched Java Vulnerabilities
Posted on 04/03/2012 7:30:16 AM PDT by cartan
The Flashback Trojan horse is a fairly recent malware package developed for OS X that attempts to steal personal information by injecting code into Web browsers and other applications on an OS X system. When these programs are then launched, the malicious code attempts to contact remote servers and upload screenshots and other personal information to them.
This malware was initially found in September 2011 while being distributed as a fake Flash Player installer (hence its "Flashback" name). In the past few months it has evolved to exploit Java vulnerabilities to target Mac systems.
While the exploits used by recent variants of the Flashback malware have targeted older, already-patched vulnerabilities, over the weekend another variant surfaced that appears to take advantage of a Java vulnerability (CVE-2012-0507) that is currently unpatched in OS X.
For OS X systems with Java installed, simply visiting a malicious Web site hosting the malware results in one of two installation routes, both characteristic of prior variants. First it asks for an administrator password; if one is supplied, it installs its payload into target programs within the /Applications folder. If no password is supplied, the malware still installs under the user account, where it will run in a more global manner.
While Apple does have a built-in malware scanner called XProtect, which will catch some variants of the Flashback malware, this scanner will not detect files being executed by the Java runtime, so these latest Flashback variants bypass this mode of protection.
This shortcoming of XProtect, coupled with Java for OS X currently being unpatched, might be concerning; however, in most cases Mac users should be relatively safe. Starting with OS X 10.6 Snow Leopard, Apple stopped including a Java runtime with OS X, so if you have purchased a new system with OS X 10.6 or later, or have formatted and reinstalled either OS X 10.6 or 10.7, then you will, by default, not be affected by this malware.
However, if you do have Java installed on your system, then for now the only way to prevent this malware from running is to disable Java. This can be done in the Security preferences in Safari, or by unchecking the Java runtime entries in the Java Preferences utility.
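As an added example (not from the article or CNET), a small POSIX shell audit of the two exposure conditions the article describes: a Java runtime being present, and Java being enabled in Safari. It assumes Apple's /usr/libexec/java_home launcher and Safari's WebKitJavaEnabled preference key (neither named in the article); the decision logic sits in functions so it can be exercised without a Mac.

```shell
#!/bin/sh
# Audit a Mac for the Flashback exposure conditions described above:
# a Java runtime is installed AND Java is enabled in Safari.
# Assumptions (not stated in the article): Apple's /usr/libexec/java_home
# exits 0 when a runtime is installed, and Safari keeps its Java switch
# in the com.apple.Safari preference key WebKitJavaEnabled.

# Classify the runtime check. Input: exit status of java_home.
# Prints "java-installed" or "no-java".
runtime_state() {
  [ "$1" -eq 0 ] && echo "java-installed" || echo "no-java"
}

# Classify Safari's Java switch. Input: the raw value from `defaults read`.
# 1/true = enabled, 0/false = disabled; an absent key (empty string) is
# assumed to mean Safari's shipped default, which at the time was enabled.
safari_java_state() {
  case "$1" in
    0|false)    echo "disabled" ;;
    1|true|"")  echo "enabled" ;;
    *)          echo "unknown" ;;
  esac
}

# Overall verdict: only a machine with Java installed AND Java switched on
# in Safari matches the drive-by path the article describes.
verdict() {
  if [ "$1" = "java-installed" ] && [ "$2" = "enabled" ]; then
    echo "EXPOSED: disable Java in Safari > Preferences > Security or in Java Preferences"
  elif [ "$1" = "java-installed" ]; then
    echo "MITIGATED: Java present but disabled in Safari"
  else
    echo "NOT AFFECTED: no Java runtime installed"
  fi
}

# Collect live values only when actually run on OS X; elsewhere the
# functions above can be called with constructed inputs.
if [ "$(uname)" = "Darwin" ]; then
  /usr/libexec/java_home >/dev/null 2>&1; rs=$(runtime_state $?)
  ss=$(safari_java_state "$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)")
  verdict "$rs" "$ss"
fi
```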
Even though new Mac systems cannot be affected by this malware in their default configurations, this development does outline a problem with how threats are handled in cross-platform runtimes such as Java. When vulnerabilities like the one here are discovered, they are often distributed among malware creators via exploit kits like Blackhole, which offer tools and code that make developing malware far easier for the criminals to do.
Because of the availability of these kits, even once the runtime for one platform is patched, any lag in patching the other platforms (as is the case with Java on OS X) provides a larger window of opportunity for malware developers to take advantage of.
It appears this is exactly what the criminals behind the Flashback malware are doing, and as a result it puts those who use Java at an increased risk.
Looks like the revenge of the java developers.
The first time I ever saw it, I said "java sucks" and I've been saying it ever since.
Swordmaker, I thought you swore this could never happen! Even though mac defender proved it could be done, but now this is just getting out of hand.
I’m sure this isn’t really in the wild or anything like that and is just FUD spread by nonMac users to confuse people. Please tell me the truth behind this because we really can’t believe what anyone says about this stuff except for Apple.
Software is ....well software....exploits are always possible.
I agree, but after hearing for years that this can’t happen to Macs I just figured I’d ask to understand why/how this is possible :-)
I’ve always said if/when Macs get more mainstream they will have more people exploiting the security holes on them.
No, you've been told that Apple OSX viruses don't exist. They still don't. None, zero. This is merely another Trojan horse. Social engineering.
It’s a Trojan horse. No different. . . Taking advantage of outdated software and already closed vulnerabilities on the latest two versions of OSX from at least TWO YEARS ago. It IS no different from MacDefender.
And right, it is no virus, technically. In fact, classical viruses are a thing of the past; it is all trojans, nowadays. Calling it “social engineering,” however, is misleading since the malware gets installed even if you don’t cooperate. (The difference is that if you say “yes,” it gets installed system-wide. If not, it will still run under the user account.)
Not on OSX.6 or OSX.7 systems of the past two years... only older OSX.5 systems and older that have not been updated to the newer Snow Leopard and Lion systems.
Incidentally, Apple released a Java Runtime patch to fix this vulnerability for anyone that has Java Runtime installed, including those who may have installed it on Snow Leopard and Lion...
OK, so it sounds like OSX is just like every other OS on the market today. I thought it was special and was not vulnerable to attack unless the user entered an admin password and chose to install the malware.
Glad we got that cleared up. Looks like I was right all along. Nice to see you joining me; glad to have you on the team.
There’s no such thing as “merely” another Trojan horse. The most widely spread chunks of malware in history were “merely” Trojan horses. Users have always been the weakest link in security, and that’s true on all platforms.
You thought right....
"First it will ask for an administrator password, and if supplied it will install...."
Look, for-q-Clinton, you have been told this repeatedly... quit acting as though this were a new discovery. Quit being so disingenuous... and trollish.
It is a TROJAN... all operating systems are susceptible to Trojans... OSX less so because it has a built in Trojan detection that is NOT dependent on third party add on software for such protection and will identify known Trojans and prevent them from being downloaded or being installed. Apple has already PATCHED the Java Runtime vulnerability this exploit depends on to operate and pushed it out to OSX users. Apple has also already pushed out the signature of this Trojan to its built-in detection system, 24 hours or so after its discovery. Apple users ARE protected.
This is a basic non-story we have seen numerous times when a new variation of an existing (which they said) Trojan is released. The only Apple OSX users who were at risk were those who had not upgraded in the past two years, and who have installed Java Runtime on their previous installations of OSX... even THEN, although it was included with the distribution, the Java Runtime applet was an optional install. Now, Apple does not include it and, if a user wants it, he has to download it and install it.
The number of Trojans in the wild for Apple OSX is now about 20... compared to how many for Windows?
Correction: it’s malware, as it installs without needing the admin password. If you have the admin password it just makes it even worse for the system.
Funny how that works. I thought the only way to get malware on OSX was via the admin password. Looks like I was wrong or misunderstood what all the macbots told me. I’m glad I didn’t jump on that ship and convince my friends and family to go with OSX because it was malware proof. I’d have egg on my face if I did.
How many for windows? Depends, if I use your definition of always changing to explain away any issues then I could argue 0, but we know that’s not an honest answer just like OSX not being able to be attacked without the user giving up the admin password.
BTW: The Slammer virus which is blamed on Windows was a SQL issue and not an OS issue. Granted it was a Microsoft server, but as I’ve always said... Windows gets blamed for way more than it deserves simply because it’s easy and the users are ignorant. Many issues with Windows are caused by Adobe products, but users will just blame Windows.
You thought right.... "First it will ask for an administrator password, and if supplied it will install...." Now go back to the article and read the next sentence, too…
The user would have to give an admin name and password to have it install to affect any system level operations. Even at the user level, this article uses FUD phrasing by stating "more global" in its description of what the malware could do, if the user installed it in the user's home directory. Exactly what does "more global" mean, for-q-clinton, in reference to what could be done with a system wide installation? NOT much! In fact, very little... the user would still have to have installed the Java runtime applet to even BE vulnerable to this exploit. Do you have any idea what a small fraction of OSX users that is?
I again repeat, this is an ALREADY closed vulnerability, for the past TWO YEARS, affecting a small fraction of OSX users of older OSX Macs, and in addition, Apple has pushed out a patch fixing even THAT vulnerability within a short time of the announcement of its being found. The system now identifies it and prevents its download and/or installation. You are beating a dead horse.
Yes. IF you have user accounts. Not everyone does. In fact of all Mac users I know, they all run as admin. For those that do have user accounts...(from CNET) “the attack does not require admin privileges to complete; however, it does ultimately result in a more obvious infection that will destabilize the system and lead to crashes.”
An “obvious infection” threat ain’t much of one.
Further....”OS X does not come with Java installed by default, and the latest versions of Java should be patched properly so anyone with new or properly updated systems should be safe from these threats...”
So the question begs (though I am pretty sure of the answer): if no password is provided, can this malware install anyway?
Or, more directly: if your software is up to date, this applet won’t even try to install?