
Flashback Mac Trojan
Apple has just released a new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion), two months after malware was discovered attacking Mac computers by exploiting a vulnerability in Java.

According to an earlier Sophos report, the new Mac malware is a BackDoor.Flashback.39 Trojan variant that exploits a Java vulnerability (CVE-2012-0507). Its various components, which Sophos detects as Exp/20120507-A, Troj/JavaDl-JI, OSX/Dloadr-DMU and OSX/Flshplyr-B, were intercepted by its security software before they could compromise a Mac user.

The attackers initially exploited CVE-2011-3544 and CVE-2008-5353 to spread the malware in February 2012; after March 16 they switched to another exploit, CVE-2012-0507. According to Dr. Web, a Russian antivirus company, Apple closed the vulnerability only on April 3, 2012.

Java is not included in the latest version of Mac OS X Lion, and Apple has already decided to abandon native OS X support for Java because of the increasing rate at which attackers exploit bugs in Java software. The malware also affects PCs running the Windows and Linux operating systems.

The malware does not require user interaction to infect a computer. When a user visits an infected website, Flashback.K is downloaded without the user's knowledge, and once installed it asks for the user's administrative password through a dialog window. Even if you don't enter your password, the malware remains on your Mac.

Flashback.K injects itself into the Safari Web browser and modifies the contents of certain Web pages to trick users. According to Security Watch, there are reports that exploits for the Java vulnerability have recently been added to the Blackhole exploit kit, which means it has become even easier for criminals to launch malicious websites that take advantage of the flaw.

Mac Hacker's Handbook co-author Dino Dai Zovi said that most Mac users don't need or even use Java, so installing it opens them to a large window of vulnerability in a plug-in that is being actively attacked through exploits that can easily be adapted to target Mac OS X.

However, many users still rely on Java to run older OS X applications, which is why Java version 6 update 31 was released. But the release was well behind schedule compared to its Linux and Windows counterparts, which Oracle, the owner of Java, released on February 14.

Dr. Web reveals in a post that around 550,000 Macs have already been infected with this version of Flashback. It reports that the infected machines making up the BackDoor.Flashback botnet are mostly located in the United States and Canada. To date, most infected computers reside in the United States (56.6%, or 303,449 infected hosts); Canada comes second (19.8%, or 106,379 infected computers); third place is taken by the United Kingdom (12.8%, or 68,577 cases of infection); and Australia, with 6.1% (32,527 infected hosts), is fourth.

Users are redirected to a spam site from a compromised resource, or via a traffic distribution system, by JavaScript code that loads a Java applet containing the exploit. Compromised websites can still be found in Google search results, and Apple users have reported being infected when visiting dlink.com.

When the Trojan is installed, an executable file saved to the hard drive of the infected Mac is launched; running in the background, it downloads a malicious payload from a remote server and launches it.

The BackDoor.Flashback.39 then searches the hard drive for the following components:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If the files are not found, the Trojan uses a special routine to generate a list of control servers, sends an installation-success notification to the intruders' statistics server, and then sends consecutive queries to the control server addresses.

Dr. Web added that the malware uses a peculiar routine to generate these addresses and can switch between several servers for better load balancing. After a control server replies, BackDoor.Flashback.39 verifies the reply's RSA signature and, if it checks out, downloads and runs the payload on the infected machine. It can fetch and run any executable specified in a directive received from a server.

Each bot includes a unique ID for the infected machine in the query string it sends to a control server. Doctor Web's analysts employed sinkhole technology to redirect the botnet traffic to their own servers and were thus able to count infected hosts.

Sophos added that to install the Java add-on for Lion, click the Apple icon in the upper-left corner and choose Software Update. Lion users will see "Java for OS X 2012-001" and Snow Leopard users will see "Java for Mac OS X 10.6 Update 7" in the software updater. You can also check which version of Java you are using by opening Terminal and typing "java -version".

Users of older versions of OS X are advised to disable the Java plug-in immediately, since Apple no longer provides Java updates for those platforms.

You can also download the updates manually: Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7 are available here.

F-Secure has published removal instructions for users who want to get rid of the infection on their Macs.

Manual Removal Instructions
1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value of DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5
8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
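The detection half of the procedure above (steps 1 to 5 and 8 to 11), as an added read-only audit script that is not F-Secure's or the page's own code. It assumes the macOS `defaults` tool and the file paths named in the steps, reports the persistence markers it finds, and deletes nothing.

```shell
#!/bin/sh
# Added example, not F-Secure's or the page's own script: a read-only audit
# covering the detection half of the removal steps above (steps 1-5 and 8-11).
# It reports what it finds and deletes nothing; removal stays a manual step.

# Steps 4 and 10: print the path that follows the "__ldpath__" marker embedded
# in the injected library, or nothing if the marker is absent. LC_ALL=C keeps
# the [ -~] range a plain byte range regardless of the user's locale.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# Step 2: pull the DYLD_INSERT_LIBRARIES path out of the dictionary text that
# `defaults read .../Info LSEnvironment` prints (read from standard input).
parse_insert_libraries() {
    sed -n 's/.*DYLD_INSERT_LIBRARIES *= *"\{0,1\}\([^";]*\)"\{0,1\};*.*/\1/p' | head -n 1
}

# Describe one injected library: is it still on disk, and which payload path
# does it carry?
report_library() {
    echo "  injected library: $1"
    if [ -f "$1" ]; then
        echo "  __ldpath__ payload: $(extract_ldpath "$1")"
    else
        echo "  (library file not present on disk)"
    fi
}

audit_flashback() {
    # Steps 1-3: the LSEnvironment key in Safari's Info.plist
    safari_env=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>/dev/null)
    if [ -n "$safari_env" ]; then
        echo "Safari LSEnvironment is set (first marker found):"
        report_library "$(printf '%s\n' "$safari_env" | parse_insert_libraries)"
    else
        echo "Safari LSEnvironment: not set (clean for this marker)"
    fi
    # Steps 8-9: the per-user environment.plist; a single-key read prints the bare value
    user_lib=$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>/dev/null)
    if [ -n "$user_lib" ]; then
        echo "~/.MacOSX/environment sets DYLD_INSERT_LIBRARIES (second marker found):"
        report_library "$user_lib"
    else
        echo "~/.MacOSX/environment DYLD_INSERT_LIBRARIES: not set (clean for this marker)"
    fi
}
# Run the live audit only where the macOS defaults tool exists.
if command -v defaults >/dev/null 2>&1; then audit_flashback; fi
```

Save it as a file and run it with `sh` on the Mac being checked; a "marker found" line means the corresponding removal steps above still apply.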
Update: An easy way to check whether you're infected with the Flashback Trojan.

Go to the Dr.Web C&C Botnet HW-UUID checker and submit your Mac's UUID in the form provided.

via Sophos, Security Watch, Gizmodo. Image via Softpedia, Dr. Web.

Ernan Baldomero is the editor and owner of BlogHam.com and presently blogs about the blue moon. He’s a coffee and internet addict all-in-one. Connect with Ernan on Twitter, StumbleUpon, Twitter, Facebook, +Ernan Baldomero Google+