Recently reported a new variant of the Flashback Trojan Horse which is using new techniques to infect Macs. Since then, there have been discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.
How this malware infects Macs
This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.
Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension. Here are some examples of users posting logs on forums about certain applications crashing. In each case, a file in /Users/Shared is present:
There is also a file created at:
and a plist file, used to patch applications, at:
And logs are stored at:
What this malware does
This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)
One of the clues that a Mac is infected is that certain applications will crash. This is notably the case for web browsers, such as Safari, or other network programs, such as Skype. This is because the injected code interferes with the program making it unstable.
This malware also has an automatic update module that checks a number of websites for new versions.
Means of protection
Most of the cases of infection that are seen are on Macs running OS X 10.6 Snow Leopard. OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available.
Nevertheless, many Macs are getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple, as shown in the screenshot above. If you see this, don’t trust it, and cancel the process.
This malware is particularly insidious, as users don’t download anything or double-click any file to launch an installer. Be careful if you see the screenshot above, and check to see if you need to update Java.
If you are infected by this malware, look for a Java applet in ~/Library/Caches.
Update: It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won’t have to launch any other software to allow the installation to take place.
While it is still being called the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac then downloads more code from a remote server, and deletes the original. What is seen here is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications.
VIA : Intego