July 23, 2014

Flashback Still a Problem, Large Number of Macs Still Infected

(LiveHacking.Com) – According to new figures released by Dr. Web, over half a million Macs are still infected with the Flashback Trojan. The number of infected Macs rose to over 650,000 on April 4th and has stayed at roughly that level since, even though Apple has released patches for the vulnerability the trojan exploits. These numbers are in stark contrast to figures released by Symantec, who say that “currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.”

Computerworld spoke with Symantec, who have now revised their estimate and agree with Dr. Web’s analysis. “We’ve been talking with them about the discrepancies in our numbers and theirs,” said Liam O Murchu, manager of operations at Symantec’s security response center, in an interview. “We now believe that their analysis is accurate, and that it explains the discrepancies.” Symantec counts infections by sinkholing (registering domains the trojan calls home to and logging the machines that connect), and according to a blog update its “sinkholes are receiving limited infection counts for” Flashback.

Flashback spreads by exploiting a vulnerability in Java’s concurrency utilities (CVE-2012-0507), which Oracle fixed in Java 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012. That fix did not reach Mac users, because Apple ships its own build of Java for OS X and releases its updates separately. Apple finally fixed the vulnerability in early April, but by then the trojan had already spread rapidly.

The exploit used by Flashback targets a flaw in the deserialization of AtomicReferenceArray, which the malware uses to disable the Java runtime sandbox. The class declares its backing store as an Object[], but when an instance was restored from a serialized stream the runtime did not check that the restored array really was an Object[]; a specially crafted serialized object could plant an array of another type, and the class’s unchecked stores into it then produced a type confusion that lets an applet run arbitrary code on the victim’s Mac. This is a logic error, not a memory corruption bug. The Flashback trojan, so named because the first variant was distributed as a fake Flash Player installer, has used Java vulnerabilities dating from 2009 through 2011.
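The check that closes this class of bug, as an added example that is not code from the original article, from Oracle, or from Flashback: `ArrayHolder` is a hypothetical Serializable class modelled on AtomicReferenceArray’s Object[] backing store, and its `readObject` applies the same normalisation the JDK fix introduced. The class name, the `roundTrip` helper and the planted `String[]` input are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Added example, not Oracle's AtomicReferenceArray or Flashback's exploit.
// ArrayHolder is a hypothetical stand-in: a Serializable class that, like
// AtomicReferenceArray, keeps an Object[] backing store. Default Java
// deserialization restores whatever array the stream carries, and every
// reference array type is assignable to Object[], so a crafted stream can plant
// a String[] (or a ClassLoader[]) where the class assumes a plain Object[].
// If the class then writes into that array without the JVM's array-store check
// (AtomicReferenceArray used sun.misc.Unsafe), the result is type confusion.
// readObject() below applies the same check the JDK fix added: normalise the
// restored array to exactly Object[] before anything can use it.
public final class ArrayHolder implements Serializable {
    private static final long serialVersionUID = 1L;

    private Object[] array;

    // Deliberately no defensive copy here: a deserialization attacker never
    // runs the constructor, so readObject() is the only place the check matters.
    public ArrayHolder(Object[] array) {
        this.array = array;
    }

    public Class<?> backingArrayClass() {
        return array.getClass();
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (array == null) {
            throw new InvalidObjectException("backing array missing from stream");
        }
        if (array.getClass() != Object[].class) {
            // The stream carried a subtype array. Copy its contents into a
            // genuine Object[] so no later unchecked store can alias a
            // differently typed array.
            array = Arrays.copyOf(array, array.length, Object[].class);
        }
    }

    // Serialises h to bytes and reads it back, the way an applet's crafted
    // stream would be read by the runtime.
    static ArrayHolder roundTrip(ArrayHolder h) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(h);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (ArrayHolder) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for a crafted stream: a String[] planted
        // in the Object[] slot.
        ArrayHolder planted = new ArrayHolder(new String[] {"a", "b"});
        ArrayHolder restored = roundTrip(planted);
        System.out.println("before deserialization: " + planted.backingArrayClass().getSimpleName());
        System.out.println("after  deserialization: " + restored.backingArrayClass().getSimpleName());
        // Without the check in readObject(), both lines would name the same subtype array.
    }
}
```

Compile with `javac ArrayHolder.java` and run `java ArrayHolder`: the first line reports `String[]`, the second `Object[]`, because `readObject` replaced the planted array. The important design point is where the check lives: validating the runtime type in the constructor is not enough, since a hostile stream bypasses constructors entirely, so every Serializable class with an internal array it later writes to unchecked needs the test in `readObject`.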

Here at LiveHacking we urge Mac users to install the Java updates and afterwards scan their systems to check whether they have been infected. Apple has released a Flashback removal tool.

Apple Releases Flashback Malware Removal Tool as Another Mac Trojan is Discovered

(LiveHacking.Com) – Apple has released a malware removal tool to seek out and remove common variants of the Flashback malware. The tool looks for the malware and, if it is found, presents a dialog notifying the user that malware was removed. In some cases the user will need to restart to complete the removal. The tool can be downloaded separately by users of OS X Lion who do not have Java installed, or as part of a security update.

The security update provides the removal tool for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and OS X Lion Server v10.7.3. It also adds functionality to automatically deactivate the Java browser plugin and Java Web Start on OS X Lion systems that have not used Java for a period of 35 days or more. The update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application; if the Java web plug-in later detects that no applets have been run for an extended period of time, it will disable them again.

Meanwhile, Sophos has discovered a new piece of malware, which it is calling Sabpab, that exploits the same Java vulnerability used by Flashback. Sabpab is a backdoor trojan which connects to a command and control server to receive commands from the attackers. Sabpab can be commanded to take screenshots of the infected Mac, upload and download files, and execute commands remotely.

It looks like the Sabpab trojan is not as widespread as Flashback, and the release of the latest Java updates should thwart its spread – as long as Mac users update promptly!

“It’s time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer” said Sophos on its blog.

New Variants of Flashback Trojan for OS X Found

(LiveHacking.Com) – New variants of the Flashback trojan for OS X have been spotted by security researchers from Intego. Unlike the previous incarnations, Flashback.G does not use an installer: a user whose Mac has not received Apple’s Java updates is infected simply by visiting a web page, with no user interaction at all. On Macs with up-to-date Java the trojan instead triggers a certificate alert, and at no point is the user asked for their password.

The trojan uses three methods to infect Macs. First it tries to install via one of two known Java vulnerabilities, one from way back in 2008, the other from last year. Successful exploitation of either means the machine becomes infected without any user intervention; Macs with the latest Java updates will not be affected by these first two attempts. If the Java exploits fail, however, the trojan tries again with a social engineering trick: the applet displays a self-signed certificate claiming to be issued by Apple. Self-signed means that the certificate’s issuer is the certificate itself, so the “Apple” name on it vouches for nothing. Users who click “Continue” open the machine to infection.

Once installed, the trojan patches applications like Safari and Skype to sniff out usernames and passwords, specifically for sites such as Google, Yahoo!, CNN and PayPal. A possible clue that a Mac has become infected is that applications like Safari start to crash, as the trojan’s code makes the programs unstable.

“I don’t want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated,” said Peter James, a spokesman for Intego, who spoke to Computerworld. “The Java vulnerability [approach] doesn’t require user interaction, and they’re putting victims into a strainer,” he added, referring to the social-engineering-style fake certificate tactic that is employed only if the Mac is invulnerable to the Java exploits.