Barely two weeks after Apple's last updates against the Flashback Trojan, new malware is attacking OS X systems through a Java exploit, and Apple has taken the drastic step of disabling the Java environment.
The threat, named Backdoor.OSX.SabPub.a by Kaspersky, sends information from an infected system back to its operators, including screenshots, and appears to originate in China. Costin Raiu of Kaspersky also reported that the malware exploits the Java vulnerability CVE-2012-0507 (Kaspersky's detection name for the exploit is Exploit.Java.CVE-2012-0507.bf) and that the attack was delivered through a malicious Word document containing a statement from the Dalai Lama.
“In case you are wondering, the name of the file (“10th March Statemnet”) is directly linked with the Dalai-Lama and Tibetan community. On March 10, 2011, the Dalai-Lama released a special statement related to Anniversary of the Tibetan People’s National Uprising Day — hence the name.”
With attackers using Java flaws to compromise Macs, Apple's decision to disable both the Java browser plugin and Java Web Start was a fitting response. Apple also decided to stop shipping OS X Lion with Java pre-installed, leaving its installation to the user's choice.
Apple announced on Tuesday that it is developing a tool to detect and remove the Flashback malware, along with other security improvements. The statement appeared in a support document on Apple's official site:
“Apple is developing software that will detect and remove the Flashback malware.
In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.”
The malware is estimated to be installed on more than 600,000 Macs worldwide, and in response to last week's uproar Apple has already released two Java security updates to close the vulnerability on Macs running OS X 10.7 and OS X 10.6.
The support document gives no release date for the tool, but Apple rarely runs late when a serious issue affects its devices. Until then, you can run FlashbackChecker to find out whether your system is infected, and therefore whether Apple's tool will be of use to you once it ships. FlashbackChecker checks your system for Flashback and reports whether it is present; it is available for free on GitHub.
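The article does not say what FlashbackChecker actually looks for. As an added example (not FlashbackChecker's code from GitHub, and not from 9to5Mac), the script below implements the check that the public Flashback write-ups describe: Flashback persisted by injecting a library through DYLD_INSERT_LIBRARIES, either under the LSEnvironment dictionary of a browser's Info.plist or in the per-user ~/.MacOSX/environment.plist. The script parses such plists and reports any injected library paths. The sample plists, the library name ".sample.so" and the default path list are constructed for the demo; on a real Mac you would point scan_paths() at the actual files.

```python
"""Look for the DYLD_INSERT_LIBRARIES persistence indicator used by Flashback.

Added example, not FlashbackChecker's own code. The two locations checked
(LSEnvironment in an app bundle's Info.plist, and the per-user
~/.MacOSX/environment.plist) follow the public Flashback write-ups; the
sample plists and the ".sample.so" library name below are constructed.
"""
import os
import plistlib
from xml.parsers.expat import ExpatError

# Paths a check would read on a real Mac (constructed list for the demo;
# the documented Flashback targets were the Safari and Firefox bundles plus
# the per-user environment file).
DEFAULT_PATHS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    os.path.expanduser("~/.MacOSX/environment.plist"),
]


def find_injected_libraries(plist_bytes):
    """Return the library paths listed in DYLD_INSERT_LIBRARIES, or [].

    An app bundle's Info.plist nests environment variables under the
    LSEnvironment dictionary; environment.plist holds them at top level.
    DYLD_INSERT_LIBRARIES is a colon-separated list of paths.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return []
    env = data.get("LSEnvironment", data)
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    return [p for p in str(value).split(":") if p]


def scan_paths(paths=DEFAULT_PATHS):
    """Map each plist path that carries an injection to its library list.

    Missing or unparsable files (no Firefox installed, no environment.plist)
    are skipped rather than reported, since their absence is the normal state.
    """
    findings = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                libs = find_injected_libraries(fh.read())
        except (OSError, ExpatError, plistlib.InvalidFileException):
            continue
        if libs:
            findings[path] = libs
    return findings


def report(findings):
    """Human-readable summary; empty findings means no indicator was found."""
    if not findings:
        return "no DYLD_INSERT_LIBRARIES injection found"
    return "\n".join("%s -> %s" % (path, ", ".join(libs))
                     for path, libs in findings.items())


# Constructed sample inputs for the demo.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
</dict>
</plist>
"""

INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.sample.so</string>
  </dict>
</dict>
</plist>
"""

INFECTED_USER_ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/demo/.sample.so:/Users/demo/.other.so</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    # Demo on the constructed samples, then on the real default paths.
    print("clean sample:", find_injected_libraries(CLEAN_INFO_PLIST))
    print("infected sample:", find_injected_libraries(INFECTED_INFO_PLIST))
    print("user env sample:", find_injected_libraries(INFECTED_USER_ENV_PLIST))
    print(report(scan_paths()))
```

Any DYLD_INSERT_LIBRARIES entry in these files deserves a look, not only one pointing at a hidden dot-file: Apple's own browser bundles ship without one, so its mere presence is the signal, and the injected library is what removal has to clean up.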
Source: 9to5 Mac
A few days ago Apple released Java security update 2012-001 in response to the BackDoor.Flashback Trojan, which had infected more than 550,000 Macs, mostly in the U.S., Canada and the UK.
According to reports received by 9to5Mac, Apple is now pushing a further Java update through Software Update. The new update, 2012-002, supersedes the previous 2012-001, although the KB article still lists it as 2012-001.
The purpose of the new update has not been stated yet. Perhaps the first update was meant to close the vulnerability in Java 1.6.0_29 that allowed the Mac infections, while the second adds further security improvements.
The Russian anti-virus vendor Doctor Web released research on Wednesday reporting that the BackDoor.Flashback Trojan had reached 500,000 Apple machines running Mac OS X. Mac owners in the U.S., Canada and the UK were hit hardest.
BackDoor.Flashback.39 is installed when a user visits a compromised web page, and at the end of March more than four million infected web pages were reportedly showing up in Google search results.
Once on a Mac, Flashback saves an executable to disk that installs the malicious components. The Trojan first checks the system for security software and other conditions that would interfere with it; if it finds nothing in its way, it completes the installation and begins downloading and running payloads.
To keep track of the infected hosts, Dr. Web sinkholed the botnet by redirecting its traffic to its own servers. The compromised Macs were mostly in the U.S., Canada and the UK.
Apple closed this vulnerability on April 3rd, 2012.
Source: Dr. Web