Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

New Mac OS X trojan spotted in the wild

By Dancho Danchev | February 24, 2012, 1:53am PST

Summary: Security researchers from Intego have intercepted several new variants of the Flashback Mac OS X trojan.

Security researchers from Intego have intercepted several new variants of the Flashback Mac OS X trojan.

According to the company, the new variants of the Flashback trojan use three different infection vectors in an attempt to trick end users into installing the malware.

More details on the infection vectors:

This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.

Once the end user has been tricked into installing the malware, the Flashback trojan patches web browsers and network applications in order to search for user names and passwords. Targeted web sites include Google, Yahoo!, CNN, numerous banking web sites, PayPal and many others. What is particularly interesting about the Flashback trojan is its auto-update feature, which periodically phones back to several web sites to check for updates.

Intego is advising users running OS X 10.6 to update Java immediately.
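The Intego description above turns on one detail: the applet's certificate says "Apple" in its subject, but it is self-signed, so it does not chain to any root in the system trust store, which is exactly what the red warning text reported. The following Go program is an added example, not code from Intego or ZDNet, written against Go's standard-library crypto/x509 package. It builds a constructed trust store containing one root, issues one certificate under that root, and creates one self-signed certificate whose subject merely reads "Apple Inc." (a constructed stand-in, not a real Apple certificate). It then runs the two checks a user or a tool needs in order to read such a dialog correctly: is the certificate self-signed, and does it chain to a trusted root? All names in the code are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assessment is what a careful user (or a tool) should take away from a
// certificate dialog: who the certificate claims to be, whether it vouches
// only for itself, and whether it actually chains to a root we trust.
type Assessment struct {
	ClaimedName string
	SelfSigned  bool   // issuer == subject and the signature verifies with its own key
	ChainError  string // empty when the certificate chains to a trusted root
}

// Assess inspects cert against the given trust anchors.
func Assess(cert *x509.Certificate, roots *x509.CertPool) Assessment {
	a := Assessment{ClaimedName: cert.Subject.CommonName}
	// Self-signed: the issuer name equals the subject name and the certificate's
	// own public key validates its signature. Anyone can mint such a certificate
	// with any name in it, which is why the displayed name alone proves nothing.
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		a.SelfSigned = true
	}
	// Chain validation is the check the OS X dialog performed and reported in
	// red: the certificate must be signed, directly or through intermediates,
	// by a root present in the trust store.
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}); err != nil {
		a.ChainError = err.Error()
	}
	return a
}

// newCert issues a certificate for commonName. With parent == nil the
// certificate signs itself; otherwise parentKey signs it on behalf of parent.
func newCert(commonName string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive and non-zero
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo builds a constructed trust store with one root, then assesses a
// certificate legitimately issued under it and a self-signed certificate that
// merely names "Apple Inc." in its subject (constructed stand-in for the
// applet's certificate; it is not a real Apple certificate).
func Demo() (legit, fake Assessment, err error) {
	root, rootKey, err := newCert("Constructed Test Root CA", true, nil, nil)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)

	legitCert, _, err := newCert("Constructed Vendor Signer", false, root, rootKey)
	if err != nil {
		return
	}
	fakeCert, _, err := newCert("Apple Inc.", false, nil, nil)
	if err != nil {
		return
	}
	return Assess(legitCert, roots), Assess(fakeCert, roots), nil
}

func main() {
	legit, fake, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, a := range []Assessment{legit, fake} {
		fmt.Printf("%-28s self-signed=%-5v trusted=%-5v %s\n", a.ClaimedName, a.SelfSigned, a.ChainError == "", a.ChainError)
	}
}
```

The legitimately issued certificate passes chain validation; the self-signed "Apple Inc." certificate fails with an unknown-authority error even though its subject names Apple. That failure, not the name in the dialog, is the signal the Continue button asked users to ignore.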



Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

53 Comments


Certificates Don't Work - this is not a user error
orthorim 24th Feb
Do you really expect users to NOT trust a certificate that apparently comes from Apple? I bet that this trick will have a success rate higher than 99%.

And the red text and stuff that is supposed to warn us that the cert is not trusted - any normal user, and even advanced users will assume that that is some sort of annoying system error that we want to just click away.

This is not a bug with the user - this is a colossal failure of the whole certificate system. Certificates are out of date all the time, and then they're untrusted - users have learned to deal with that.


Spread enough FUD...
ScorpioBlack 29th Feb
...that they hope will reel in millions of Apple user sales.
3 Votes
My anti-malware will save me .... CLICK
2 Votes
The funny thing that is so true. It is this belief that just because a person has Antivirus Software they are safe from clicking on things. What they don't understand is if they ignore the warnings and give malware like this permission to install then they are bypassing their anti-malware software basically saying it is OK.
3 Votes
Too bad
MrElectrifyer 24th Feb
Cause there's not a damn thing you nor I can do about it; there's always gonna be a pebcak vulnerability wherever there's a computer [sad]
1 Vote
...and...
MyopicOne 24th Feb
...it's non-denominational regarding the operating system, browser, gender, politics, age, race, etc. etc. etc.
0 Votes
With the proper social engineering, you will get anything, including things that give you VD.
0 Votes
That's one of the most important pieces of Intego's post that Dancho didn't feel relevant to include:

It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren't protected.
0 Votes
buy out (anti)virus or...
danbi 25th Feb
Nice try to convince people they need this "antivirus" junk.
It makes news! All Social Engineering Trojans are a minor annoyance that an educated computer user learns how to deal with them over time.
If only that was true. Unfortunately for many people it is not. The information on how to deal with these tricks and how to protect themselves can be hand fed to many and yet they will still ignore and blindly click.
0 Votes
That sounds like something...
ScorpioBlack 29th Feb
...the typical Windows user would do.

Tell me @bobiroc, do you go to Windows blogs and warn them all about all this? They do need your simplistic help over there, ya know. wink
12 Votes
A certificate system...
ScorpioBlack 29th Feb
...that was developed for the Windows ecosystem in the first place.

Trust me, it doesn't work very well over there either. wink
4 Votes
How do you think they learn over time?
kris_stapley@... 24th Feb
By getting infected in the first place. People need to learn these things the hard way. I've noticed the same thing with data backups. The only people that do them properly are the people that have lost data in the past.
0 Votes
Bit harsh?
tkeller@... 24th Feb
Financial devastation, yeah, that'll learn 'em.
And getting maimed or killed by not looking both ways before crossing a street will also leave a lasting impression. But still... harsh.
2 Votes
RE: Bit Harsh?
bobiroc 24th Feb
@tkeller

But he is not wrong. Even with the easy-to-use and effective backup options built into modern OSes like OS X and Windows Vista/7, most people still think it too much of a bother to hook up a USB hard drive and click a few clicks to set up an automatic backup.

The same goes for malware and scams. It is too much effort to verify something is legit or true before blindly clicking that link to see a video that leads to malware, or getting scammed by some offer to get a person something for free. They pass chain letters in email and in Facebook status updates and faked pictures to try and justify their religious or political beliefs when all they have to do is spend a few minutes to check the many sites that debunk and expose such scams and myths.
Unfortunately I know several professional Mac users who do not see a need for virus protection or using caution, because they believe a Mac cannot be infected. Their solution, if their Mac gives trouble: wipe the drive and reinstall. How much time would decent virus protection save them? Some Mac users are so arrogant when it comes to this stuff.
1 Vote
not the best way to do things...
1 Vote
Yes, but...
Imrhien 26th Feb
Yes, but Mac users tend to NOT be educated computer users - they picked the Mac to avoid the hassle of thinking about security.

A sweeping generalisation, I know, but in my experience, very true.
4 Votes
However...
Let's take a neutral look at this 24th Feb
Old people who bought a Mac exactly to get away from this issue on windows aren't educated and will get trapped. Also it looks for Security leaks in Java first and since old people don't even know what updating software is, you'll bet it's an issue. My grandpa will get robbed.
before. After all, it only has 90% marketshare.
7 Votes
What's your Point?
bobiroc 24th Feb
The Operating System one uses makes no difference. The fact that a person used Windows before and thought going to another operating system because they felt they were more secure is irrelevant. The point here is that people are and continue to be the weakest link in their own security. The people who scam and write malware know this and find it easier to trick the computer user than to try and fully circumvent the security of the operating system themselves. If they can get a user to say it is OK to install something then their job got a whole lot easier.
3 Votes
Dear Author.
pradhanavs@... 24th Feb
Dude...I don't know what to say from this. You guys are acting more like CNN or Associated Press..For God's sake this a Tech related blog/ news etc website. Please provide detailed explanation on how to prevent this kind of stuff rather than just saying update the Java..You mentioned that there is a 3rd method where it will ask us to install..Why can't you guys write one more line and help millions of non IT people by saying that a certificate that says it's from Apple and that cannot be verified is a fake one...This will help a lot of people and may save several dollars..and of course, people would come back to your site for more info.
2 Votes
Three methods mentioned are...
msalzberg 24th Feb
two Java vulnerabilities and then social trick.

Yes, it's confusing.
to Apple. The general consensus is because the AV company he works for can't get Mac users to buy their products.
-1 Votes
It's noteworthy that, starting with Mac OS X Lion, Java is no longer installed by default on Macs. For Lion users that have not installed Java, this is a big nothing.

For the rest, either keep your Java updated or uninstall it from your systems. Just like Windows.
1 Vote
Unless you need Java
spdragoo@... 24th Feb
Just because a particular program isn't installed by default with an OS doesn't mean that the user will never use it. I'm not talking just about OS X, either; it applies to any OS out there (Windows, Linux, BSD, etc.)

So saying that "They're safe if they have OS X Lion, because Java doesn't come with that version" means squat, since the user can install Java after they buy their Mac, but there's no guarantee that they'll keep the Java version updated.
3 Votes
Reading and comprehension 101
Rabid Howler Monkey 25th Feb
Here's what I wrote:
For Lion users that have not installed Java, this is a big nothing.

You need to stop listening to those voices in your head as the words you have attributed to me, quoted no less, could have come from nowhere else.
@Rabid Howler Monkey

If your statement "For Lion users that have not installed Java, this is a big nothing" doesn't mean you're claiming there's no danger for OS X Lion users, then what exactly does it mean, Oh Great & Wise Simian [/sarcasm]?

Because if you didn't want people to think you were claiming that Lion users were safe, then you should have chosen your words more carefully. As it is, your credibility comes off as... a big "nothing".
1 Vote
RE: So "this is a big nothing" means literally nothing, then?
Rabid Howler Monkey Updated - 27th Feb
spdragoo@... wrote:
If your statement "For Lion users that have not installed Java, this is a big nothing" doesn't mean you're claiming there's no danger for OS X Lion users, then what exactly does it mean

Here's the second part of my original post that you obviously missed:
For the rest, either keep your Java updated or uninstall it from your systems. Just like Windows.

By "the rest", I refer to those OS X Lion users that have installed Java on their systems as well as Mac OS X Snow Leopard users.
3 Votes
Also Noteworthy
bobiroc 24th Feb
There are some programs that require Java to run, so it has to be installed on OS X Lion. One program that comes to mind is Adobe Creative Suite 5. Without Java the software does not work, so it must be installed.

Your comment about keeping Java up to date is spot on. Simply keeping your plugins up to date is one of the better tactics for combating malware. Unfortunately too many people ignore the update notifications.
1 Vote
Just Turn off Java in Safari
orthorim 24th Feb
Much easier: Turn off Java in Safari. Go to Preferences->Security and uncheck the "Enable Java" checkbox. Done.
1 Vote
Also...
jeremychappell 24th Feb
I THINK it only affects older versions of Mac OS X (10.6 it says in the article) am I reading that right?

The trouble is even when the system works correctly (like here) the user is often the weak link, and understandably so. Let's not lose sight of the fact that this trojan was deliberately designed to be confusing.

We can all say "I'd never get caught like this", but is that true, might we not fail to read carefully, or give it sufficient thought? Has nobody ever clicked "Don't Save" or "Save" when they meant the opposite?

It is all too easy if you're in a hurry, or not thinking - just because you've not done it, don't think it can't happen.

However, the article is a little light on what to look for, am I right about 10.6?

I agree there is functionally no difference here from similar exploits targeting Windows.

But Mac users do have less experience with this nonsense (often).

GateKeeper can't come soon enough (let's hope Apple keep the defaults they currently have for it).
-1 Votes
Re-evaluate that...
tkeller@... Updated - 24th Feb
Not having Java installed may not make any difference for the social engineering aspect. This article does not say the trojan uses Java, only that unpatched flaws are attack vectors to gain access. So it may well be that a system without Java, coupled with an impatient user clicking through = Bingo!
EDIT - For that matter, as the article says, a fully patched Java machine WOULD be infected if the user clicks through and allows it. Ergo, it is not a "big nothing".
0 Votes
RE: Re-evaluate that...
Rabid Howler Monkey Updated - 24th Feb
Quoted in the article:
if the Macs have Java up to date then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple.

And here's the relevant portion of my comment:
For Lion users that have not installed Java, this is a big nothing.

It's also true for Mac OS X Leopard and Snow Leopard users that have uninstalled Java from their systems. Without Java installed, the applet (read 'Java applet') can't run. How could it?! Java, whether up-to-date or not, must be installed on one's system for the exploit to run.
0 Votes
Unless the user then installs it
spdragoo@... 25th Feb
How many users have we known that, when a page pops up & says "You need to download Application X in order to view content on this website", simply click to download & install the software without a second thought?
-1 Votes
Trojan Spotted! Hmm...
celliott113 24th Feb
I sure can't wait for all the fanboys to get a glimpse at this article. Already posted to Twitter, just waiting for the pot to boil. :-D This is going to be a fun Friday after all...
1 Vote
Fun?
thetwonkey 24th Feb
Malware propagation makes the day fun for you? You need to turn off Twitter and get out more.
3 Votes
It's not the malware propagation
Pete "athynz" Athens 24th Feb
but the reaction of the frothing at the mouth die hard mac zealots at the notion of malware affecting any mac-based PC that is amusing.
1 Vote
Considering how many Apple users are in denial about getting viruses, I also think this could end up being pretty effective.
9 Votes
Virus Denial
bobiroc 24th Feb
That is part of the problem. Some get too hung up on the technical term of virus neglecting the fact that most average computer users refer to everything that can compromise a computer as a virus no matter if it is a Trojan, Scareware, Phishing, or just some social engineering attack. The truth of the matter is viruses are not the real threat anymore like they once were many years ago. Today it is easier to exploit the weakest link of the computer which is the user and trick them into installing something to compromise their computer and their data.
1 Vote
Agree to a point
smashandgrab 24th Feb
I agree to a point, but the fact is that this particular piece of malware does in fact try 2 different attack vectors before it tries the social engineering tactic. So while the user is definitely the weakest link in the chain, it still does not explain why many Mac users refuse to protect themselves.

This is not the first and will not be the last piece of malware for OSX. For years the Mac crowd has wagged their tongues at Windows users claiming their superiority. Most of us as Windows users (non fanboi ones) advise Mac users to protect themselves, but I don't see that happening as long as they have the mentality of "We are Immune".

It also does not help that Apple themselves launched an advertising campaign proclaiming their immunity. This has really hurt their own users when it comes to having your computer compromised by baddies.
0 Votes
But...
jeremychappell 24th Feb
Knowing what to do (and what NOT to do) means understanding the issues. Using the wrong terms hardly promotes that understanding. Let's call a virus a virus and a trojan a trojan.

I know some people think that pointing out it isn't a virus is just Mac users blowing it off - but getting the terminology right is, I think, important.
I guess I don't want to introduce the slowdown that an antivirus program brings because of one trojan horse application. My Windows boxes pay this price.

If there were a hundred thousand viruses and worms for Mac, I'd probably be worried about it enough to get Nortons or what have you. But I can keep my eye out for the relative handful of threats that currently exist. And I can use Time Machine to get back to where I was, if it's ever a problem.
@rbethell

A good modern antivirus/antimalware program brings little to no slowdown to the daily use of the computer. Some of the bigger companies neglected the performance aspect of their software for years but there are some really good programs that have no impact on the use of the computer.

Of course if a person practices safe browsing and computer use habits that will be the best protection of all, and while it is true that there is significantly less malware for MacOS, all it takes is one to get in to cause a major headache. I can honestly say every computer I have taken in infected with malware in the past 6 - 8 years or so can be traced back to something the user did to let the infection into the computer. I have even taken in a few Macs with malware in the past couple years. After all, these things do not just sneak in without warning.
it may be useful as a mobile platform (Android), but Java's days in the browser should have ended by now.
-1 Votes
Android
jeremychappell 25th Feb
Android doesn't actually use Java. This is actually a point of dispute between Oracle and Google.

Android applications are written in the language of Java (the vocabulary if you like) but not compiled into Java bytecodes (this is what Java becomes before it runs on your computer, toaster or whatever). Instead it is compiled into Dalvik bytecodes (a Google invention). Android itself doesn't include a Java VM (the thing that runs Java) so cannot run Java programs. Instead it includes the Dalvik VM; this is what runs Android "apps". So vulnerabilities found in the Java Runtime won't be found in Dalvik (and for completeness; vice versa).

So concerns you have about Java don't apply to Android (you'll need fresh concerns about that [wink])
0 Votes
Google "inventions"...
danbi 25th Feb
Even if Google has borrowed Java and renamed the runtime to Dalvik, that does not make it different. It may not have the same vulnerabilities, but chances are it has other vulnerabilities and probably many more than Java has (simply because it is not that widely used).
0 Votes
To reiterate...
jeremychappell 25th Feb
@danbi: As I said: "So vulnerabilities found in the Java Runtime won't be found in Dalvik (and for completeness; vice versa)."
0 Votes
Hmmm....
Gisabun 24th Feb
Affects just 10.6? Shouldn't those with 10.6 be at 10.7 by now anyways? [Oooopps. Not free.] And with 10.8 coming out soon, Apple will drop support for 10.6 shortly after 10.8 is released.

That said, if it does get messy, I wonder how Apple will handle it? Buy some software at the AppStore(TM) [of course Apple gets their 30% cut] or maybe ignore the issue like they did initially with MacDefender last year.
