New Trojan Variant Can Install Without Password

[Ajamu]

New Trojan Variant Can Install Without Password | PCWorld

A new variant of the Flashback Trojan that appeared last year can install itself on a Mac without need for an administrator's password.


By Dan Moren, Macworld Apr 2, 2012 4:13 pm


Flashback, a Mac Trojan horse that’s been in the public eye since it was uncovered by security firm Intego last year, has a new trick up its sleeve: It can now infect your computer from little more than a visit to a website.

Originally, Flashback masqueraded as an installer for Adobe’s Flash Player—hence the name—but the malware has changed tacks at last once since then, instead pretending to be a Mac software update or a Java updater.

The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE6. That vulnerability, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password.

No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has long been criticized for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.

Until then, F-Secure suggests users deactivate Java on their Macs. The company has also given instructions for checking if your system is currently infected by the Flashback Trojan.

It’s also worth noting that the Java vulnerability has recently been included in the popular BlackHole exploit kit used by many attackers.

While there’s no need for widespread panic, the fact that this latest version of the malware can install itself without the user’s password is enough of a reason for concern that some precautions are necessary. Disabling Java is a good step, but the first line of defense is, as always, to be cognizant of the websites you visit and use common sense.

[Ajamu]

Apple Patches Java Flaw Exploited by Flashback Trojan

• Apr 04, 2012 12:36 PM EST
• 2 Comments

By Fahmida Y. Rashid

Mac users with Java installed should act quickly to install the latest version of Java from Apple. The security flaw is already being exploited by the Flashback Trojan in drive-by download attacks.

Apple updated Java to version 6 update 31 for OS X 10.6 (Snow Leopard) and 10.7 (Lion) on Apr. 3. The update addressed 12 vulnerabilities in Java, which could be exploited by malicious Websites to run code using the privileges of the current user, Apple said in its security notice. Oracle fixed the same security flaw for Java for Windows, Linux, and Unix back in February.

The new Mac malware, a variant of the Flashback Trojan, did not require user interaction to infect computers. Malicious Websites exploited a specific Java vulnerability (CVE-2012-0507) that allowed Flashback.K to download itself on to Macs without user awareness in a drive-by download attack. Once installed, the malware displayed a dialog window to ask the user for the administrative password, according to an analysis by researchers at F-Secure. Even if users didn't enter the password, it was too late, as the malware was already resident on the computer.

The Flashback.K is "one of the first cases of drive-by exploitation we have seen for OS X," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.

Russian security firm Dr. Web (Google Translate) claimed over 550,000 Macs have been infected with this version of Flashback. Mikko Hypponen, chief scientist of F-Secure, said on Twitter that F-Secure was unable to confirm or deny the number at this time.

Once on the computer, Flashback.K injects itself into the Safari Web browser and modifies the contents of certain Web pages to trick users. There are reports that exploits for the Java vulnerability has been recently added to the Blackhole exploit kit, which means it has become even easier for criminals to launch malicious Websites that can take advantage of the flaw.

"It appears that the Flashback gang is keeping up with the latest in exploit kit development," F-Secure said.

Even though Lion does not ship with Java by default on new installations, many Mac users installed it manually, often because a Website required the platform. When they got to those sites, they were prompted to download and install Java, and may have forgotten since then that they have it on their Macs.

Apple has long maintained its platform was safe from malware. In the past year, malware developers have started developing attacks specifically for the Mac OS X. Just last week, AlienVault warned of malicious Microsoft Office for Mac files that appeared to be targeting non-governmental organisations in Tibet.