(LiveHacking.Com) – New variants of the Flashback trojan for OS X have been spotted by security researchers at Intego. Unlike its previous incarnations, Flashback.G does not use an installer: if a user who has not applied Apple’s Java updates visits a malicious web page, the installation happens without any user interaction. For users with up-to-date Java installations the trojan instead triggers a certificate alert, but at no point are they asked for their password.
The trojan horse uses three methods to infect Macs. First it tries to install itself through one of two known Java vulnerabilities, one dating back to 2008, the other from last year. Successful exploitation of either vulnerability means the machine becomes infected without any user intervention. Macs running the latest Java updates are not affected by these first two attempts. If the Java exploits fail, however, the trojan falls back to a social engineering trick: the applet displays a self-signed certificate claiming to be issued by Apple, and users who click “Continue” open their machine to infection.
Once installed, the trojan patches applications such as Safari and Skype to sniff out usernames and passwords, especially for sites like Google, Yahoo!, CNN and PayPal. A possible clue that a Mac has been infected is that applications like Safari start to crash, because the injected trojan code makes those programs unstable.
“I don’t want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated,” said Peter James, a spokesman for Intego, who spoke to ComputerWorld. “The Java vulnerability [approach] doesn’t require user interaction, and they’re putting victims into a strainer,” he added, referring to the social-engineering fake-certificate tactic that is employed only if the Mac is invulnerable to the Java exploits.