New Flashback variant silently infects Macs


Summary: A new Flashback Trojan has been discovered that infects Macs without prompting the user for a password. If you haven't updated Java on your Mac, or disabled it entirely, you could be a victim.


The Flashback Trojan that infected over 600,000 Apple Macs earlier this month still reportedly has a very high infection rate, despite the fact that Apple has already patched the Java vulnerability and released a removal tool. Now, security firm Intego says it has discovered a new Flashback variant that installs without prompting the user for a password.

This version, which Intego refers to as Flashback.S, places its files in the user's home folder, at the following locations:

  • ~/Library/LaunchAgents/com.java.update.plist
  • ~/.jupdate

Once Flashback.S has finished installing itself, it deletes all files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac and hide its traces. This is done to avoid detection or sample recovery, according to the security firm.
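The two file paths above, plus the emptied Java cache, are the only host indicators the article gives for Flashback.S. The following POSIX shell check is an added example, not code from the article or from Intego: it takes a home directory as a parameter (my assumption, so it can be pointed at any account or a mounted backup) and reports which of the article's indicators are present. The empty-cache test is included only as a weak supporting signal, since an empty cache is also normal on a Mac that never ran a Java applet.

```shell
#!/bin/sh
# Added example (not from the article or Intego). Checks one home directory
# for the Flashback.S file locations named in the article. The home-directory
# parameter and the function names are assumptions made for this example.

# flashback_s_indicators [HOME_DIR]
# Prints each indicator found. Returns 0 when none are present, 1 otherwise.
flashback_s_indicators() {
    home="${1:-$HOME}"
    found=0
    # The two paths the article attributes to Flashback.S.
    for rel in "Library/LaunchAgents/com.java.update.plist" ".jupdate"; do
        if [ -e "$home/$rel" ]; then
            echo "INDICATOR: $home/$rel"
            found=1
        fi
    done
    # Weak signal: the article says the variant empties this cache directory.
    # An empty cache alone is not evidence of infection.
    cache="$home/Library/Caches/Java/cache"
    if [ -d "$cache" ] && [ -z "$(ls -A "$cache" 2>/dev/null)" ]; then
        echo "NOTE: $cache exists but is empty (weak signal on its own)"
    fi
    return "$found"
}

# list_user_launchagents [HOME_DIR]
# Lists every per-user LaunchAgent so an analyst can review them by hand;
# other variants may use a different label, so a fixed-name check is not enough.
list_user_launchagents() {
    home="${1:-$HOME}"
    dir="$home/Library/LaunchAgents"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -e "$f" ] && echo "LAUNCHAGENT: $f"
    done
    return 0
}
```

Run `flashback_s_indicators /Users/someaccount` for each account on the machine; a non-zero exit means at least one of the article's indicators was present and the account should be cleaned with Apple's removal tool and its Java updated or disabled.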

This recent variant is interesting when compared with one discovered two months ago. That one asks for administrative privileges but does not require them. If you grant them, it installs itself into the Applications folder, where it silently hooks into Firefox and Safari and launches whenever you open either browser. If you don't, it installs itself into the user account's folder, where it runs more globally, launching whenever any application is launched, but where it can also be more easily detected.

Flashback was initially discovered in September 2011 masquerading as a fake Adobe Flash Player installer. A month later, a variant that disables Mac OS X antivirus signature updates was spotted in the wild.

In the past few months, Flashback has evolved to exploit Java vulnerabilities. This means it doesn't require any user intervention if Java has not been patched on your Mac: all you have to do is visit a malicious website, and the malware will be automatically downloaded and installed.

By the way, two other Mac-specific Trojans have been discovered since Flashback's hype: one that also exploits Java and another that exploits Microsoft Word. Security firm Kaspersky recently confirmed what many have been saying for years: as Macs are becoming more popular, malware writers are increasingly targeting them.

My advice to Mac users remains the same. Get the latest security updates from Apple. Disable Java if you don't use it. Install an antivirus.


Topics: Security, Apple, Hardware, Malware, Open Source, Software Development

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

55 comments
  • Are we going to count this the same way we count Windows malware?

    You know how Windows malware numbers in the hundreds of thousands? That is because every variant is counted as being "new". Go to f-secure and search for flashback. You will see results for Flashback.A, Flashback.B, Flashback.C, etc. This latest one is now called Flashback.S. There are up to 19 variants of Flashback now, each one counting as a distinct and unique piece of malware attacking OS X.

    Or are we only going to count this as 1?
    toddbottom3
    • Sorry, you're wrong

      Every variant of Windows malware *families* is counted separately. The way you get to hundreds of thousands is to count every polymorphic variation, in which a single executable file is changed slightly so that its hash doesn't match other files in the same family.

      These are all unique variants.
      Ed Bott
      • Thanks Ed

        It is a bit of a semantic difference because the end result is the same: malware counts on Windows are grossly exaggerated compared to a counting method that identified unique types of attacks or attacks based on unique vulnerabilities. It sounds really scary to use an OS that is being attacked by 500,000 pieces of malware when the truth is that there is an incredible amount of duplication in that count. Thousands of those will be pure trojans that pretend to be AV software, or naked pictures of some famous person.

        What I've noticed is that Apple people like counting different variants of Windows malware as "new" whereas 50 different trojans pretending to be different types of commercial OS X software are counted as "1".

        Just looking for some consistency is all.
        toddbottom3
      • Windows use.

        The fact still stands that Windows is on more than 90% of all computers so it will get attacked the most. Facts should not get in the way though.
        RobertMoore12
      • That may be

        That may be, but your language seems misleading to me--a reader who has followed this story INTENSELY from the beginning.

        "still reportedly has a very high infection rate, despite the fact that Apple has already patched the Java vulnerability and released a removal tool"

        The link you attached to your words "very high infection rate" is from April 4, at the peak of the outbreak--NOT NEW information to support your "still has a"... wording.

        We already know that the infection number TODAY has dropped from 600,000 down to 30,000 in a matter of a couple weeks.

        We also know that, back in the first week of April, it was ALREADY reported that if you had Java installed and active on your Mac machine, the existing Flashback (at THAT time, weeks ago) could already infect a Mac machine WITHOUT a password, and do so silently without user interaction.

        So what you are reporting here might indeed be a new strain or "variant" of the malware, but its mechanism is no different from that described a long time ago, and this variant is still thwarted by the techniques already reported by other tech news sites AS WELL AS this one.

        So, while, sure there may be a new variant...
        You are reporting the same story as two weeks ago, even though the infection numbers have all but disappeared, and the official removal methods STILL work.

        What, other than a variant that works EXACTLY as described before, about this entire post is new information that hasn't been reported to death everywhere including here??
        lelandhendrix
      • lelandhendrix@...

        As of Friday last, it was reported by Dr Web, later confirmed by Symantec, that the reports of plummeting infections were false. It was false (don't know what happened over the weekend ... might be plummeting or not) because the malware was avoiding contact with the sinkhole servers set up by the security firms. It didn't appear that the bot population had dropped below much ... at least on Friday.
        whatagenda
      • They are using scare tactics

        @lelandhendrix
        to convince you to buy more or less useless anti-malware software for your Mac. Apple as a company is growing at an impressive rate, and their Mac business too, which is why the Mac is too tempting a business possibility to miss.
        Mikael_z
  • "Install an antivirus" -- are you serious? All antiviruses were proved to

    ... to be worthless in the few latest cases, so there is no point in slowing down your system with antivirus. So this advice is ill; the only correct advice is to keep Java (Flash, et cetera) always updated.

    Third party technology like Java and Flash will be always vulnerable on any platform, since there is no way to run them in the sandbox, they in principle require significant privileges to run.

    So in case of the new vulnerabilities there are always risks. Though it depends on the type of sites user visits. You could never get infected visiting normal sites like ZDNet, YouTube, CNN, Amazon, et cetera.
    DDERSSS
    • I totally agree

      We have multiple layers here at work, with web filtering, email filters, corporate and local firewall rules, AV software, etc. And you're right, all it takes is a quick drive-by to the wrong website. The reason? The AV vendors are always chasing the latest variant. I "knock on wood" have not been infected in years (PC or Mac). Why? Well, partly it's dumb luck, but partly that I don't download free software, or go to any sites that are not well known.
      Johnpford
    • AV useless

      If you run Windows, at least run the free Microsoft Security Essentials.
      It has an extremely small footprint so you'll not notice any performance hit, even on older XP machines with 1 GB of RAM, for example.
      It can't hurt and can only be of benefit.

      We use AVG at site and it works well without a large hit on resources as well, even though it uses more than MSE, but it has saved IT a lot of grief over time dealing with a virus after the fact.
      xuniL_z
      • Good point.

        I have that on my system and it has not really changed the performance of my computer at all. It also catches things that try to hijack, too.
        RobertMoore12
      • I agree. Simple, free protection is my solution

        I am averse to upgrading my OSes as I am on a fixed income. Security Essentials has kept my Windows systems safe without slowing them down, both XP Home and Professional as well as the notorious Vista. I've been using MSE since PC World reported that it was at least as effective as the payware suites they tested.

        Apple is no longer supplying Software Updates for OS X Leopard, so there is no Java update available for that OS. However, Sophos On Access Scanner for Mac is free as is ClamAV, a manual scanning program. I use both. So far, so good.
        doodle47
        • ClamX is worse than no Virus scanner.

          ClamX is next to useless for protecting Macs, worse in fact as it provides a false sense of security. It was designed to scan for Windows viruses on Unix networks, and in my experience it doesn't do much for detecting Mac viruses. I downloaded the iWork trojan from the Piratebay, by then clearly marked as a trojan, just to test scanners on. Despite having been provided with signatures of the trojan by security researchers, Clam has never detected it, unlike others I've tested. It detects some Windows trojans and viruses I've kept for a similar purpose. I scan every suspect download with Sophos as it is better than nothing.
          msandersen
      • Wow, three shills in a row

        Until the DOJ responds as to why M$ will be bundling MSE in future editions of Windows. Right, boy(s)? ;)
        ScorpioBlack
      • ZDNet: please look into ScorpioBlack

        Within minutes of him posting, many posts here were flagged and those posts were downvoted about 5 times and his post was upvoted 4 times.

        Please investigate.

        Thanks.
        toddbottom3
      • the toddytroll whines

        LOL, that's rich coming from somebody like you who's juggling the + / - votes around here. I mean +25 for one post of yours in the span of an hour?

        Puh-lease...

        I doubt there are 25 people in the world who would agree with you let alone come on here at one time and vote you up, but I do believe in 25 sock puppet accounts by three or four shills or somebody who can hack and manipulate the stats on webpage in order to change it. Maybe they should look at you instead. Hmm?

        I will say this new rating system [b]isn't working[/b] in general and zdnet should revisit that and go back to the way it was a couple of months ago. Obviously cheaters like you are so fearful and desperate of Microsoft losing their 90% marketshare because of a few dissenters like me here on zdnet that you'll stoop to anything.
        ScorpioBlack
      • Wow, now it's four shills in a row

        Should always include toddytroll in that. Always. :p
        ScorpioBlack
    • Please do not spread false information

      [i]You could never get infected visiting normal sites like ZDNet, YouTube, CNN, Amazon, et cetera.[/i]

      Don't you people ever pay attention to what goes on?
      http://www.digitaltrends.com/computing/yahoo-fox-and-google-inadvertently-spread-malware-through-ads/

      You've been informed of this several times before. I can only imagine that you work for malware authors that are trying to give OS X users a false sense of security so that your malware will be more successful.

      [i]All antiviruses were proved to be worthless in the few latest cases[/i]

      Just curious what your thoughts are regarding installing AV on Windows. Would you recommend that the average Windows user uninstall AV since it is worthless anyway? We've been told for years that Windows sucked because it couldn't be used without AV. Now here you are saying that AV is actually worthless. What's your opinion on this matter?
      toddbottom3
      • You are not arguing with me

        If you use Yahoo or Google to visit countless weird sites, then the threat of infection -- if you are not patched -- could be real.

        The article you cite has no relation to Macintoshes, and even for Windows it was a one-time case. Google's part was very small, and they stopped it even before Avast's research appeared. And the search was not affected in any way, since Google's DoubleClick Ad system is not used there.

        For Windows, in many cases antivirus proved to be helpful, so I am not recommending to uninstall it. For Macintosh antiviruses, for now, have no case of being helpful yet. So keeping Java and Flash updated is more than enough.
        DDERSSS
      • Now I'm wondering if you are being naive on purpose

        [i]If you use Yahoo or Google to visit countless weird sites[/i]
        Do you literally not understand how ads on the Internet work? From the article:
        [i]Because the infected networks serve more than 50 percent of all online advertising, poisoned ads have appeared on major sites including The New York Times, TechCrunch and Drudge Report.[/i]

        Is the New York Times a "weird" site? You don't have to get to a site through Yahoo or Google to be infected by a poisoned ad. Please, for the love of all your OS X friends, stop spreading falsehoods.

        Also, you've yet to define how to identify what a "weird" site is simply by looking at the URL. Let's pretend for a second that my mother is a clueless OS X user. Tell me how to teach her what a "weird" URL looks like.

        [i]The article you cite has no relation to Macintoshes[/i]

        It is relevant to every OS that is vulnerable to drive-by attacks. OS X is vulnerable to drive-by attacks. Therefore it is absolutely relevant to OS X.

        [i]For Windows, in many cases antivirus proved to be helpful[/i]

        Please describe how Windows AV has proven helpful but OS X AV has not.
        toddbottom3