Python-based malware attack targets Macs. Windows PCs also under fire

Experts at SophosLabs have identified a new malware attack that is targeting both Mac and Windows computers, exploiting the notorious Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.

Internet users who visit compromised webpages might find themselves at risk of infection via a Java exploit that downloads malicious software onto their computer.

The latest malware attack exploits a Java vulnerability to download further malicious code onto the computer (Sophos products detect the attack as Mal/20113544-A and Mal/JavaCmC-A).

Note: Patches for the Java vulnerability have been available since February 14th for Windows, Linux and Unix computers, and since early April for some Mac users. Unfortunately, Apple has chosen not to issue a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard), meaning those users remain unprotected. Presumably Apple wants them to upgrade to a later version of Mac OS X.

So, there may still be some users whose computers are not patched against the Java vulnerability, and who are therefore at risk of attack.

The malicious Java code downloads further code onto the victim's computer, depending on which operating system they are using. On Windows, the downloaded file is detected by Sophos as Mal/Cleaman-B. On Mac OS X, the downloaded file (install_flash_player.py) is detected as OSX/FlsplyDp-A.

This is not, however, the end of the story.

The downloaded programs then install further malicious code: downloading the Troj/FlsplyBD-A backdoor Trojan on Windows computers, and decrypting a Python script called update.py (extracted from install_flash_player.py) on Mac OS X.

This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, upload code to the computer, steal files and run commands without the user's knowledge.

Sophos is adding detection of the final Python script as OSX/FlsplySc-A.

The backdoor Python script allows remote hackers to steal information

This attack is quite different from the earlier Flashback attack, and may indicate that other cybercriminal gangs are exploring the possibilities of infecting Mac computers.

Certainly, whoever wrote the script has left a clue that they may be planning to make further developments to their code in the future.

The script has been written with future development in mind

The easiest way to look for an infection is, of course, to run an up-to-date anti-virus product. But if you wish to check your Mac by hand to see if it is infected by this backdoor Trojan, here's a quick way to do it:

Examine /Users/Shared/ and look for files called update.sh and update.py.

update.sh is a shell script that will execute update.py, the Python script. These files can be safely deleted.
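The manual check above, written out as a small POSIX shell script. This is an added example, not code from Sophos or from the article: it looks in a directory (defaulting to /Users/Shared) for the two file names the article gives, reports each hit with its size and SHA-256 so the values can be recorded before anything is removed, and returns a non-zero status when either file is present. The directory argument and the function names flsply_check and flsply_clean are assumptions made for this example so that it can be exercised against a constructed test tree rather than a live system.

```shell
#!/bin/sh
# Added example (not from the Sophos article): report-only check for the
# OSX/FlsplySc-A indicators the article names in /Users/Shared/.
# Usage: flsply_check [dir]   -> prints findings, returns 0 if clean, 1 if found
#        flsply_clean [dir]   -> deletes update.sh/update.py from dir (article
#                                says both files can be safely deleted)

FLSPLY_NAMES="update.sh update.py"   # file names given in the article

flsply_check() {
    dir="${1:-/Users/Shared}"        # default is the location the article names
    found=0
    for name in $FLSPLY_NAMES; do
        path="$dir/$name"
        if [ -e "$path" ]; then
            found=1
            # Record a hash so the sample can be identified later; shasum ships
            # with macOS and most Linux distributions, but fall back if absent.
            if command -v shasum >/dev/null 2>&1; then
                digest=$(shasum -a 256 "$path" | cut -d' ' -f1)
            else
                digest="(shasum unavailable)"
            fi
            size=$(wc -c < "$path" | tr -d ' ')
            printf 'INDICATOR: %s (%s bytes, sha256 %s)\n' "$path" "$size" "$digest"
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'No update.sh/update.py found in %s\n' "$dir"
    fi
    return "$found"
}

flsply_clean() {
    dir="${1:-/Users/Shared}"
    for name in $FLSPLY_NAMES; do
        if [ -e "$dir/$name" ]; then
            rm -f "$dir/$name" && printf 'Removed %s\n' "$dir/$name"
        fi
    done
}

# Stand-alone use: check the real directory (or the one given as $1).
flsply_check "${1:-/Users/Shared}"
```

The names update.sh and update.py are generic, so a hit here is an indicator to investigate, not proof of infection on its own: the script therefore reports and hashes before anything is deleted, and flsply_clean is a separate, deliberate step. A clean result does not rule out the Windows side of the attack or a variant that uses different paths.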

Files on Mac OS X

It should go without saying that you really should be running up-to-date anti-virus, and be keeping up to date with security patches (like those available for Java).

Although Windows users are generally pretty good about running anti-virus protection, Mac users are only just waking up to the need. We have a free Mac anti-virus for home users, if you think it's time to take your computer's security more seriously.

Thanks to SophosLabs researcher Xiaochuan Zhang for his assistance with this article.
