XYMer's Home away from Home

There's a new trojan out in the wild targetting OSX (and Windows) systems running older, unpatched versions of Java.

http://www.securemac.com/malware-bulletin.php
http://labs.alienvault.com/labs/index.p ... d-attacks/

From what I read elsewhere it sounds like it's attack vector is email (though might be limited to Mail.app, since most clients don't support embedded Java), so disabling Java in a browser probably isn't enough.

At first blush it sounds like Little Snitch should prompt for the connection attempts.

If it is exploiting a Java flaw via email, that is an unconscionable security flaw in Mail. I am under the impression that Mail does a piss poor job cleansing HTML, but running Java!?! WTF Apple?

Can someone confirm/deny that there's a Java execution path in Apple's Mail.app? If there is, it's about to get ripped off every Mac in the company.

- Anonymous

The latest Flashback Trojans, around for a while now, were already taking advantage of poisoned Java applets when running any version earlier than the latest 1.6.0_29, not just on older Macs. They operate the same way by installing a backdoor with no user interaction necessary. Just visiting a site with an infected applet does it. Maybe this is a latest variation -- they seem to be arriving rather frequently; they're up to Flashback i now. Not sure if this is any different; it doesn't sound new. Here's the description of the way G was operating. I think "i" is more sophisticated at burying itself.

http://www.macworld.com/article/1165534 ... horse.html

Actually, not quite sure why these, at least the ones that don't resort to trickery, are being called Trojans, since no "social engineering" or user interaction is involved. Just visit a site with that malicious applet, that's it.

Wait, they're at least up to Flashback N

http://blog.intego.com/new-flashback-va ... fect-macs/

Seems somebody that knows java could test an email!?

I suspect that Mail might be susceptible since it uses webkit just like Safari, iCal, & now I think the App Store even uses it... oh, and what about Sync Services?

I wonder if someone's being emailed a Java-based app and asking them to download & run it. I've lost count of the number of emails I get that rely on that kind of stupidity.

Or it could be as simple as mailing enticing the user to click on a link/HTML object, which loads Safari, which loads Java, and then the exploit happens.

There really isn't a lot of information out there on the exploit I originally mentioned because it's specifically targeting people related to the Tibetan protests. The suspicion is that the trojan is being used to submit false tweets and the like, since on the order of 8,000 or so false tweets are being sent to every actual tweet on the topic.

Does this explain it? "New wave of phishing attacks."


http://www.zdnet.com/blog/bott/new-wave ... -macs/4648

Did I mention that I do no online banking AND do not have a single social network account?

But maybe I can interest you in a brand new Rolex? I have some in the trunk of my car. Real cheap.

LOL, thanks, but I think watches were the step to slavery right after shoes & ties, & right before beepers & cell phones!

Update on this. The latest variants of the Flashback Trojan are responsible for crippling all PPC/Rosetta apps in a given user account. Probably not the original intention of the black hats involved, since I believe it's written in Intel code. This guy's problems, seen here in a long, tortured thread were eventually and quite unexpectedly traced to the Trojan. Reports similar to this are beginning to crop up more often now. This thing is a very nasty piece of work.

https://discussions.apple.com/thread/3825457?tstart=0

And now this one starting with jsd2's post.

https://discussions.apple.com/message/17999347#17999347

Thanks for keeping us updated.

Oh wait, this doesn't affect PPC Macs does it?

That crossed my mind. I don't know. But I don't think it goes after PPC Macs, just Macs with older, i.e. not updated, versions of Java. Not sure, but putting this topic in the G5 and earlier forum here may be misleading. Seems like it's looking for an Intel UA with an older version of Java to exploit and this behavior may only be accidental. Can't see what profit there is in doing this. In fact, once this becomes well known, it will only call attention to itself and thereby get the Trojan removed.

I often check the PPC area at Apple, and I haven't seen anything like "all my apps are crashing or not opening" that would indicate this is happening to PPC Macs.

Yeah, there is no...

~/Library/LaunchAgents/

In 10.4.11 at least, don't remember 10.5.8, but I think not.

So IntelMacs running 10.4.11 or 10.5.8 might be excluded too?

Could this be anything like I mentioned in the past... older SW being safer from attack?

Remember, this guy running 10.5.8 Intel got infected. But don't know if that was the K version or not.

https://discussions.apple.com/thread/3846648?tstart=0

Guess it could just go in some other way. This thing is changing all the time. Now it doesn't seem to matter if the latest patched Java is installed or not.

https://discussions.apple.com/thread/3844172?tstart=0

Ah, yes, don't have 10.5 at the moment to check, but I wonder if something like locking that or other folders would work?

You can create ~/Library/LaunchAgents. It doesn't even require administrator privileges, since it's in your own account.

- Anonymous

Apple finally got around to updating Java to fix the latest vulnerability. 10.6.8 is a prerequisite. (It shows 10.6.4, but that has to be a typo.) No matter, since I hardly ever need it, I'm still keeping it disabled. I don't trust this new one isn't full of holes.

http://support.apple.com/kb/DL1516

If the past is any guide, it will be exploited in the future.

Meanwhile, part of me almost wants to be glad that Apple finally got bit by their lackadaisical tardiness in updating Java; perhaps the company will learn.

Of course, the lessons the users should learn is that Apple won't fix even the most severe problems for systems more than a couple years old. I'll leave it as an exercise to the gentle reader to compare this policy to those of other large operating system vendors.

The other lesson is that Java certainly shouldn't be enabled in your browser in all but the most specific circumstances.

- Anonymous

I was under the mistaken impression when reading about the infection that the latest iteration did target PPC systems.

However, technically, since PPC systems have an old exploitable version of Java installed, the only thing stopping an infection right now is that they've compiled their malware executable as Intel-only binaries. They could, with some effort, make a universal (PPC/Intel) version and go after PPC systems. The only thing that's stopping them, in all honesty, is laziness.

The safest thing to do is unbind Java from the web browser, no matter what platform you're on. At work I have a hell of a time keeping Java updated, group policy can only do so much of the work for you, and so far haven't been able to convince anyone to knife the Java baby. Of course, Oracle makes you install it on one system to get the install files you need in order to create the group policy object, but only some Java installers leave behind those files, so it's usually a hunt-download-install-lookforfiles-uninstall-hunt-download-install-lookforfiles-etc. to find the right installer.

On a related note, Firefox blacklisted all older Windows-based Java plugins, except for the latest, in order to help stem the tide of infections. Too bad they knifed all PPC development.

looks like (free) sophos has blocked this since march 27th

http://www.sophos.com/en-us/threat-cent ... va-DT.aspx

Thanks mc68k. I'm not seeing that in the link you provided. There, it's showing "Affected operating systems: Windows." And do you know if it's been picking up the latest Mac variants? It's up to at least "N" now. March 27 is old news.

Check now whether your Mac is infected by Backdoor.Flashback.39!

http://public.dev.drweb.com/april/