Yet Another Flashback Variant Targeting Mac OS X

Thursday, April 26, 2012


Yet another Flashback Trojan malware variant has been discovered, and this one is even more insidious than those already identified - it can silently infect a Mac user's device.

Previously, the Russian anti-virus company Doctor Web discovered that the Flashback Trojan had infected more than 600,000 Mac OS X systems.

The Trojan exploited three Java vulnerabilities to gain remote access to the infected systems and likely included a keylogger capability to capture authentication credentials.

Then last week, researchers at Kaspersky Labs discovered another OS X backdoor that utilizes a Java exploit. The Trojan, dubbed "SabPub", uses an obfuscator to attempt to bypass antivirus protection. Analysis led Kaspersky to believe that the malware was designed for use in targeted attacks.

Early analysis had not determined the exact mechanism for the spread of SabPub, but researchers suspect the use of emails containing a malicious URL as the primary method of delivery.

Now researchers at Intego have discovered a variant called "Flashback.S" which can stealthily infect an OS X system without tipping the victim off by requesting a password.

The company's blog reveals the following:

"Intego has discovered a new variant of the Flashback malware, Flashback.S, which continues to use a Java vulnerability that Apple has patched. No password is required for this variant to install, and it places its files in the user’s home folder, at the following locations:"

  • ~/Library/LaunchAgents/com.java.update.plist
  • ~/.jupdate

"It then deletes all files and folders in ~/Library/Caches/Java/cache in order to delete the applet from the infected Mac, and avoid detection or sample recovery. Intego has several samples of this new Flashback variant, which is actively being distributed in the wild."
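The two file locations and the emptied Java applet cache quoted above are the indicators a defender can check for on a Mac. The following POSIX shell script is an added example written for this article, not code from Intego or the original post: it looks for the two files in a home directory, treats an empty applet cache only as a weak signal, and seeds a throwaway directory with constructed indicator files so the check can be exercised without a real infection. The function names and the home-directory argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from Intego or the article): check a home directory for
# the Flashback.S file indicators quoted above. The paths come from the Intego
# quote; the function names and the home-directory argument are assumptions
# made for this example.

# Usage: check_flashback_s_indicators [home_dir]
# Prints each indicator found; returns 0 when none are present, 1 otherwise.
check_flashback_s_indicators() {
    home="${1:-$HOME}"
    found=0
    for p in "$home/Library/LaunchAgents/com.java.update.plist" "$home/.jupdate"; do
        if [ -e "$p" ]; then
            echo "INDICATOR PRESENT: $p"
            found=1
        fi
    done
    # Weak signal only: the variant empties the Java applet cache, but an empty
    # or missing cache is also normal on a Mac that has never run an applet.
    cache="$home/Library/Caches/Java/cache"
    if [ -d "$cache" ] && [ -z "$(ls -A "$cache" 2>/dev/null)" ]; then
        echo "NOTE: Java applet cache at $cache is empty (weak signal only)"
    fi
    return $found
}

# Constructed demonstration data: a temporary home directory seeded with the
# two indicator files and an empty applet cache. Prints the directory path.
make_demo_home() {
    d="$(mktemp -d)"
    mkdir -p "$d/Library/LaunchAgents" "$d/Library/Caches/Java/cache"
    : > "$d/Library/LaunchAgents/com.java.update.plist"
    : > "$d/.jupdate"
    printf '%s' "$d"
}

# When run directly, scan the invoking user's own home directory.
check_flashback_s_indicators "${HOME:-/nonexistent}" \
    || echo "Flashback.S indicators found; review the files listed above."
```

On a real system the LaunchAgent plist is the stronger of the two indicators, because anything under ~/Library/LaunchAgents is started automatically at login; an unexpected entry there warrants inspection regardless of the name it carries.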

Doctor Web has already created an online tool for users to see if they had been infected by the earlier versions of the Flashback Trojan, security provider F-Secure issued instructions on how to remove the malware, and recently Apple announced they had successfully patched the vulnerability.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
