XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
PostPosted: Fri Mar 23, 2012 9:20 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 7024
Location: Inner Suburbia
There's a new trojan out in the wild targeting OSX (and Windows) systems running older, unpatched versions of Java.

http://www.securemac.com/malware-bulletin.php
http://labs.alienvault.com/labs/index.p ... d-attacks/

From what I read elsewhere it sounds like its attack vector is email (though it might be limited to Mail.app, since most clients don't support embedded Java), so disabling Java in a browser probably isn't enough.

At first blush it sounds like Little Snitch should prompt for the connection attempts.


PostPosted: Fri Mar 23, 2012 11:51 am 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8928
Location: North of the State of Jefferson
If it is exploiting a Java flaw via email, that is an unconscionable security flaw in Mail. I am under the impression that Mail does a piss poor job cleansing HTML, but running Java!?! WTF Apple?

Can someone confirm/deny that there's a Java execution path in Apple's Mail.app? If there is, it's about to get ripped off every Mac in the company.

- Anonymous


PostPosted: Fri Mar 23, 2012 1:47 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
The latest Flashback Trojans, around for a while now, were already taking advantage of poisoned Java applets when running any version earlier than the latest 1.6.0_29, not just on older Macs. They operate the same way by installing a backdoor with no user interaction necessary. Just visiting a site with an infected applet does it. Maybe this is the latest variation -- they seem to be arriving rather frequently; they're up to Flashback i now. Not sure if this is any different; it doesn't sound new. Here's the description of the way G was operating. I think "i" is more sophisticated at burying itself.

http://www.macworld.com/article/1165534 ... horse.html

Actually, not quite sure why these, at least the ones that don't resort to trickery, are being called Trojans, since no "social engineering" or user interaction is involved. Just visit a site with that malicious applet, that's it.

Wait, they're at least up to Flashback N

http://blog.intego.com/new-flashback-va ... fect-macs/


PostPosted: Fri Mar 23, 2012 2:33 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Seems somebody that knows java could test an email!?

I suspect that Mail might be susceptible since it uses webkit just like Safari, iCal, & now I think the App Store even uses it... oh, and what about Sync Services?


PostPosted: Fri Mar 23, 2012 5:40 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 7024
Location: Inner Suburbia
I wonder if someone's being emailed a Java-based app and asking them to download & run it. I've lost count of the number of emails I get that rely on that kind of stupidity.

Or it could be as simple as an email enticing the user to click on a link/HTML object, which loads Safari, which loads Java, and then the exploit happens.

There really isn't a lot of information out there on the exploit I originally mentioned because it's specifically targeting people related to the Tibetan protests. The suspicion is that the trojan is being used to submit false tweets and the like, since on the order of 8,000 or so false tweets are being sent to every actual tweet on the topic.


Last edited by MonkeyBoy on Sat Mar 31, 2012 8:18 pm, edited 1 time in total.

PostPosted: Sat Mar 24, 2012 3:53 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
Does this explain it? "New wave of phishing attacks."
Quote:
Clicking this link led to a site that served up a variant of the Blacole (aka “blackhole”) exploit capable of installing a very nasty data-stealing Trojan on a PC or Mac that’s running outdated versions of Java, Adobe Shockwave, Adobe Acrobat and Reader, and other third-party software.


http://www.zdnet.com/blog/bott/new-wave ... -macs/4648


PostPosted: Sat Mar 24, 2012 12:03 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Quote:
They look like routine messages from a bank or a social network, but instead of phishing for passwords, they’re serving up malware.


Did I mention that I do no online banking AND do not have a single social network account?


PostPosted: Sat Mar 24, 2012 12:32 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
But maybe I can interest you in a brand new Rolex? I have some in the trunk of my car. Real cheap.


PostPosted: Sat Mar 24, 2012 12:57 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
LOL, thanks, but I think watches were the step to slavery right after shoes & ties, & right before beepers & cell phones! ;)


PostPosted: Fri Mar 30, 2012 2:58 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
Update on this. The latest variants of the Flashback Trojan are responsible for crippling all PPC/Rosetta apps in a given user account. Probably not the original intention of the black hats involved, since I believe it's written in Intel code. This guy's problems, seen here in a long, tortured thread, were eventually and quite unexpectedly traced to the Trojan. Reports similar to this are beginning to crop up more often now. This thing is a very nasty piece of work.

https://discussions.apple.com/thread/3825457?tstart=0

And now this one starting with jsd2's post.

https://discussions.apple.com/message/17999347#17999347


Last edited by WZZZ on Fri Mar 30, 2012 6:46 pm, edited 1 time in total.

PostPosted: Fri Mar 30, 2012 3:08 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Thanks for keeping us updated.

Oh wait, this doesn't affect PPC Macs does it?


PostPosted: Fri Mar 30, 2012 6:12 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
BDAqua wrote:

Oh wait, this doesn't affect PPC Macs does it?


That crossed my mind. I don't know. But I don't think it goes after PPC Macs, just Macs with older, i.e. not updated, versions of Java. Not sure, but putting this topic in the G5 and earlier forum here may be misleading. Seems like it's looking for an Intel UA with an older version of Java to exploit and this behavior may only be accidental. Can't see what profit there is in doing this. In fact, once this becomes well known, it will only call attention to itself and thereby get the Trojan removed.

I often check the PPC area at Apple, and I haven't seen anything like "all my apps are crashing or not opening" that would indicate this is happening to PPC Macs.


PostPosted: Mon Apr 02, 2012 3:18 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
http://arstechnica.com/apple/news/2012/ ... needed.ars

http://www.f-secure.com/weblog/archives/00002341.html

http://www.f-secure.com/v-descs/trojan- ... ck_k.shtml


PostPosted: Mon Apr 02, 2012 3:54 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Yeah, there is no...

~/Library/LaunchAgents/

In 10.4.11 at least, don't remember 10.5.8, but I think not.

So Intel Macs running 10.4.11 or 10.5.8 might be excluded too?

Could this be anything like I mentioned in the past... older SW being safer from attack?


PostPosted: Mon Apr 02, 2012 4:24 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
BDAqua wrote:
Yeah, there is no...

~/Library/LaunchAgents/

In 10.4.11 at least, don't remember 10.5.8, but I think not.

So Intel Macs running 10.4.11 or 10.5.8 might be excluded too?

Could this be anything like I mentioned in the past... older SW being safer from attack?

Remember, this guy running 10.5.8 Intel got infected. But don't know if that was the K version or not.

https://discussions.apple.com/thread/3846648?tstart=0

Guess it could just go in some other way. This thing is changing all the time. Now it doesn't seem to matter if the latest patched Java is installed or not.

https://discussions.apple.com/thread/3844172?tstart=0


PostPosted: Mon Apr 02, 2012 4:35 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Ah, yes, don't have 10.5 at the moment to check, but I wonder if something like locking that or other folders would work?


PostPosted: Mon Apr 02, 2012 6:02 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8928
Location: North of the State of Jefferson
You can create ~/Library/LaunchAgents. It doesn't even require administrator privileges, since it's in your own account.

- Anonymous
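A defender-side check for the persistence location the last few posts discuss, added here as an example and not code from anyone in the thread: it inventories the launchd agents in a LaunchAgents folder (the per-user one needs no admin rights to create, as noted above) and flags any agent whose program lives in a hidden dot-prefixed or temporary path. The plist file names, labels and program paths are constructed for the demo; `demo()` writes them into a temp directory and runs the inventory over it, so point `inventory_launch_agents` at `~/Library/LaunchAgents` for a real account.

```python
import os, plistlib, tempfile

def agent_program(info):
    """Return the executable an agent launches: Program, else ProgramArguments[0]."""
    if "Program" in info:
        return info["Program"]
    args = info.get("ProgramArguments") or []
    return args[0] if args else None

def is_suspicious_path(path):
    """Heuristic: no program, a hidden (dot-prefixed) path component, or a temp dir."""
    if path is None:
        return True
    hidden = any(p.startswith(".") for p in path.split("/") if p not in ("", ".", ".."))
    in_tmp = path.startswith(("/tmp/", "/var/tmp/", "/private/tmp/"))
    return hidden or in_tmp

def inventory_launch_agents(directory):
    """Return (filename, label, program, run_at_load, suspicious) for each .plist."""
    results = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                info = plistlib.load(fh)
            except Exception:  # unparsable plist: report it rather than skip it
                results.append((name, None, None, False, True))
                continue
        program = agent_program(info)
        results.append((name, info.get("Label"), program,
                        bool(info.get("RunAtLoad")), is_suspicious_path(program)))
    return results

def demo():
    """Constructed sample: one benign agent and one that runs a hidden binary."""
    tmpdir = tempfile.mkdtemp()
    samples = {
        "com.example.backup.plist": {"Label": "com.example.backup", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup"]},
        "com.example.hidden.plist": {"Label": "com.example.hidden", "RunAtLoad": True,
            "ProgramArguments": ["/Users/demo/.hidden-agent-example"]},
    }
    for fname, info in samples.items():
        with open(os.path.join(tmpdir, fname), "wb") as fh:
            plistlib.dump(info, fh)
    return inventory_launch_agents(tmpdir)
```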


PostPosted: Wed Apr 04, 2012 5:12 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
Apple finally got around to updating Java to fix the latest vulnerability. 10.6.8 is a prerequisite. (It shows 10.6.4, but that has to be a typo.) No matter, since I hardly ever need it, I'm still keeping it disabled. I don't trust this new one isn't full of holes.

http://support.apple.com/kb/DL1516


PostPosted: Wed Apr 04, 2012 12:49 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 8928
Location: North of the State of Jefferson
If the past is any guide, it will be exploited in the future.

Meanwhile, part of me almost wants to be glad that Apple finally got bit by their lackadaisical tardiness in updating Java; perhaps the company will learn.

Of course, the lesson users should learn is that Apple won't fix even the most severe problems for systems more than a couple of years old. I'll leave it as an exercise to the gentle reader to compare this policy to those of other large operating system vendors.

The other lesson is that Java certainly shouldn't be enabled in your browser in all but the most specific circumstances.

- Anonymous


PostPosted: Wed Apr 04, 2012 1:06 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
Anonymous wrote:
If the past is any guide, it will be exploited in the future.

Quote:
Whilst it is good that Apple has finally patched the vulnerabilities that Windows users saw updates for back in February, it is rumored that one critical flaw remains, which F-Secure says is being actively discussed on underground forums where money is also being exchanged in return for the exploit code.

http://www.techspot.com/news/48056-appl ... lware.html


PostPosted: Wed Apr 04, 2012 3:59 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 7024
Location: Inner Suburbia
WZZZ wrote:
That crossed my mind. I don't know. But I don't think it goes after PPC Macs, just Macs with older, i.e. not updated, versions of Java. Not sure, but putting this topic in the G5 and earlier forum here may be misleading.
I was under the mistaken impression when reading about the infection that the latest iteration did target PPC systems.

However, technically, since PPC systems have an old exploitable version of Java installed, the only thing stopping an infection right now is that they've compiled their malware executable as Intel-only binaries. They could, with some effort, make a universal (PPC/Intel) version and go after PPC systems. The only thing that's stopping them, in all honesty, is laziness.

The safest thing to do is unbind Java from the web browser, no matter what platform you're on. At work I have a hell of a time keeping Java updated; group policy can only do so much of the work for you, and so far I haven't been able to convince anyone to knife the Java baby. Of course, Oracle makes you install it on one system to get the install files you need in order to create the group policy object, but only some Java installers leave behind those files, so it's usually a hunt-download-install-lookforfiles-uninstall-hunt-download-install-lookforfiles-etc. to find the right installer. :roll:

On a related note, Firefox blacklisted all older Windows-based Java plugins, except for the latest, in order to help stem the tide of infections. Too bad they knifed all PPC development. :upset:


PostPosted: Thu Apr 05, 2012 12:13 pm 

Joined: Thu May 15, 2008 8:20 pm
Posts: 2010
Looks like (free) Sophos has blocked this since March 27th.

http://www.sophos.com/en-us/threat-cent ... va-DT.aspx


PostPosted: Thu Apr 05, 2012 1:23 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 4358
Location: NYC
Thanks mc68k. I'm not seeing that in the link you provided. There, it's showing "Affected operating systems: Windows." And do you know if it's been picking up the latest Mac variants? It's up to at least "N" now. March 27 is old news.


PostPosted: Thu Apr 05, 2012 1:53 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Quote:
In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.


http://reviews.cnet.com/8301-13727_7-57 ... from-os-x/


PostPosted: Fri Apr 06, 2012 3:37 pm 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 10828
Check now whether your Mac is infected by Backdoor.Flashback.39!

http://public.dev.drweb.com/april/

