New Mac Flashback Malware Variant Detected by Intego

 
 
By Jeffrey Burt  |  Posted 2012-04-24
 
 
 

The Mac Flashback malware continues to haunt users, with a new variant recently found in operation, according to Mac security software vendor Intego.

The new variant, Flashback.S, uses the same vulnerability in Java that the previous versions had exploited, but it operates in a slightly different way, Intego researchers said in an April 23 post on the company€™s Mac Security Blog. The new variant doesn€™t require a password to be installed, according to Intego researchers.

In addition, the malware places its files in the user€™s home folder, at these locations:

~/Library/LaunchAgents/com.java.update.plist

~/.jupdate

€œIt then deletes all files and folders in ~/Library/Caches/Java/cache in order to delete the applet from the infected Mac, and avoid detection or sample recovery,€ the researchers wrote. €œIntego has several samples of this new Flashback variant, which is actively being distributed in the wild.€

The detection of the Flashback.S variant is only the latest news indicating that the malware, which earlier this month had infected more than 600,000 Macs worldwide, is still a problem. Last week, researchers from Symantec and Kaspersky Lab indicated that the number of Macs compromised by the Flashback malware had declined, to between 30,000 (Kaspersky) and 140,000 (Symantec).

However, late last week, officials with Intego and Dr. Web, the small Russian antivirus vendor that initially detected the high rate of Flashback infections, said the malware was still going strong, with infection numbers still at more than 650,000. Dr. Web researchers said their €œsinkhole€ operation€”designed to highjack communications from infected Macs and to enable researchers to monitor the malware€”indicated the Flashback malware was still widespread, and both they and their counterparts at Intego said the discrepancies in the numbers were caused by how the malware finds and communicates with command-and-control (C&C) servers, which send out instructions to the compromised Macs.

Symantec officials reportedly now agree with Dr. Web€™s findings.

€œIntego has analyzed the malware, and following discussions with other security companies, has determined that not only are these [earlier lower] numbers incorrect, they are underestimating the number of infected Macs,€ Intego officials wrote in an April 20 blog. €œ[W]e conclude that not only are a larger number of Macs infected than what is being reported, but it is very likely that infections are continuing.€

Security experts at Kaspersky, Symantec, Intego, Sophos and other firms have argued that Macs and other Apple devices€”including iPads and iPhones€”will continue to see growing attention from scammers as the devices themselves grow in popularity with businesses and consumers.

The problem, they said, is twofold. First, many Mac users, convinced that their systems are more secure than Windows PCs and other systems, can be more lax in keeping their security software up to date. The second issue is Apple itself. The Flashback malware is not new; it was first detected last year as a Trojan horse, masquerading as an Adobe Flash update. Earlier this year, researchers found it had morphed into a drive-by exploit, infecting systems when users went to compromised or malicious sites.

In the case of Flashback, security experts believe it probably started by infecting tens of thousands of WordPress blog sites. The weak link was a flaw in Java, which is owned by software giant Oracle. Earlier this year, Oracle issued a patch to fix the flaw to protect Windows PCs. However, Apple€™s policy is to develop its own patch, which wasn€™t issued until April 3, just as Dr. Web was first reporting that the Flashback malware had infected more than 600,000 Macs, or more than 1 percent of all Macs in use worldwide.

Over the next couple of weeks, first security software vendors€”and then Apple€”issued free tools designed to detect and remove the malware from systems. But the onus to apply these tools and Apple€™s patch still fell to users.

Intego experts in their blog post noted that their Mac antivirus offering, VirusBarrier X6, with malware definitions dated April 23 or later, will find and remove all variants of the Flashback malware, including Flashback.S. They also said that Flashback.S will not install if it finds VirusBarrier X6, Xcode or Little Snitch installed on a Mac it€™s trying to attack.

 

Rocket Fuel