The Mozilla Foundation has released Firefox 7 (it seems like version 6 came out not long ago…). Along with optimizations to the browser and its features, the release contains eight security fixes, six of which are rated critical. Users can update using Firefox's built-in updater (choose Firefox > About Firefox, then Check for Updates), or download the new version from Mozilla's website.
Skype has released a new version of its iOS app to address the cross-site scripting vulnerability we recently discussed. While Skype's release notes make no mention of this fix, The H Security reports that a Skype spokesperson confirmed that the issue was patched in this release.
Users can get the new version of Skype’s iOS app from the iTunes Store, or from their iOS device.
Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware. Since we publicized the threat, many users have posted, both in the comments on this blog and on other blogs and forums, that they have seen this malware being downloaded or have actually installed it.
If you end up on a site that is serving this malware, you will see something similar to this:

The first things you see are the crashed-plugin graphic and the purported error messages. Next, a fake Adobe Flash installer screen pops up, and the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings, which allow “safe” downloads to open automatically, you will see an Installer window open.
This is effective social engineering. Savvy Mac users will not be fooled, because they know that a Flash installer would never appear in this manner, but two things make this approach believable. First, Flash Player is not installed on Mac OS X Lion, so users will need to install it themselves if they want to view Flash content on the web. Second, if they do have Flash Player installed, and have set the Flash Player preference pane (in System Preferences) to automatically check for updates, they may think that this is an update alert. (We have never had any such alerts, in spite of having checked that setting.) So this can easily fool many Mac users into downloading the malware.
For these reasons, Intego is raising the risk level of this malware to medium.
If you see a web page like the one shown above, do not run any installer. If the Installer window does not open, check your Downloads folder for any package file whose name contains Flash, and delete it. Only download Flash Player installers from Adobe's web site.
Note: if anyone who has been infected by this Trojan horse knows the URL at which they got it, or has a sample, please send an e-mail (with sample attached, and zipped, if possible) to sample@virusbarrier.com. Thanks.
Intego’s security researchers have been examining the code of this new Trojan horse, which we announced yesterday. They have found some interesting elements in the code.
First, the code itself is quite sophisticated. The Trojan horse installs a backdoor at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data encrypted with RC4. The backdoor uses the infected Mac's hardware UUID (a unique identifier) as its user agent, and thereby to identify specific computers. It also sends information about the infected Mac, such as its Mac OS X version, its architecture (Intel or PowerPC), and more.
The encryption key is the MD5 hash of the infected Mac's hardware UUID. Each Mac therefore gets a different key, and the backdoor never needs to store it: it can recompute the key whenever it needs it. The flip side is that the UUID is also sent in the clear as the user agent, so anyone who captures the traffic has what is needed to derive the key and decrypt it.
The backdoor is also able to download further software, although we have not yet seen it do so. It can update itself as well: it computes a SHA-1 hash of its own binary and compares it with the hash the server reports for the current version; if the two differ, the backdoor treats that as a signal that an update is needed.
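To make the two mechanisms above concrete, here is an added example in Python; it is not Intego's analysis code and not the malware's own code. It models the per-machine key derivation (MD5 of the hardware UUID), RC4 protection of a beacon whose user agent carries that UUID, what a passive observer can do with a captured request, and the SHA-1 self-update comparison. The beacon body format, the field names and the UUID value are constructed for illustration: the page describes only the primitives, not the wire format, and whether the malware hashes the UUID text or its raw bytes is not stated, so the ASCII string is assumed.

```python
import hashlib

# Constructed value for the demo; not from any real infection.
DEMO_UUID = "00000000-1111-2222-3333-444444444444"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling followed by keystream generation).

    RC4 is a stream cipher: the data is XORed with the keystream, so the
    same call both encrypts and decrypts.
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(hardware_uuid: str) -> bytes:
    """Per-machine key as the page describes it: MD5 of the hardware UUID.

    Assumption: the UUID is hashed as the same ASCII text that appears in
    the user agent. The page does not say whether text or raw bytes are used.
    """
    return hashlib.md5(hardware_uuid.encode("ascii")).digest()  # 16 bytes


def build_beacon(hardware_uuid: str, os_version: str, arch: str):
    """Constructed beacon: the UUID travels in the clear as the user agent,
    while the machine details travel RC4-encrypted under MD5(UUID)."""
    headers = {"User-Agent": hardware_uuid}
    body = f"os={os_version};arch={arch}".encode("ascii")  # constructed format
    return headers, rc4(derive_key(hardware_uuid), body)


def observer_decrypt(headers: dict, ciphertext: bytes) -> str:
    """A passive observer needs nothing but the captured request: the key
    is a function of a value the request itself carries."""
    return rc4(derive_key(headers["User-Agent"]), ciphertext).decode("ascii")


def update_needed(installed_binary: bytes, server_sha1_hex: str) -> bool:
    """Self-update check: SHA-1 of the installed copy against the hash the
    server reports for the current version; any difference means update."""
    return hashlib.sha1(installed_binary).hexdigest() != server_sha1_hex.lower()


if __name__ == "__main__":
    hdrs, ct = build_beacon(DEMO_UUID, "10.7.1", "x86_64")
    print("user agent on the wire:", hdrs["User-Agent"])
    print("encrypted body:", ct.hex())
    print("observer recovers:", observer_decrypt(hdrs, ct))
    server_hash = hashlib.sha1(b"backdoor-v2").hexdigest()
    print("update needed:", update_needed(b"backdoor-v1", server_hash))
```

The point of `observer_decrypt` is that the scheme gives per-victim keys without giving confidentiality against anyone on the network path: the key material is derived from a header in the same request it protects.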
Whether you’re going back to school or to work, it’s a good time to make sure your Macs are protected from the dangers of the Internet. Get protection from viruses, malware and network attacks, tools to back up your essential files and filter out spam, or to keep your children sheltered from inappropriate web content. Intego has the programs you need to protect you and your Macs.
Intego is offering a 20% discount on any Intego X6 or Dual Protection product purchased exclusively from the Intego online store. This includes standard packs and family packs, but not upgrades, renewals or accessories. To benefit from this discount, use the following code in the Intego online store (http://www.intego.com/store/) through September 30, 2011: BACKTOSCHOOL2011.
This promotion applies to the following Intego programs:
This promotion is valid worldwide, only in Intego’s on-line store, and does not apply to software sold in Apple’s Mac App Store or iTunes App Store.
Malware: OSX/flashback.A
Risk: Low; this malware has been found in the wild, and may fool Mac users who don’t have Flash Player installed. However, Intego so far has only one report of this malware, and a sample provided by a user who downloaded it from a malicious web site.
Description: Intego has discovered a new Trojan horse, Flashback, which masquerades as a Flash Player installer. This Trojan horse has been found in the wild, and has some disturbing actions.
Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)

If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software (code in this malware specifically targets and deactivates Little Snitch, but has no effect on Intego VirusBarrier X6), and, after installation, will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server and sends information about the infected Mac to it, including the computer's MAC address, a unique identifier that lets the malware's operators recognize individual infected Macs.
For now, Intego has analyzed this malware and its installation process. Intego’s security researchers are analyzing the injected code and we will issue more information as soon as possible.
Means of protection: Users should not download a Flash Player installer from any site other than adobe.com. Mac OS X Lion does not include Flash Player, but users who wish to install this software should visit Adobe’s website: http://www.adobe.com/products/flashplayer/.
Next, it is advisable, for those who use Safari as their web browser, to uncheck Open “safe” files after downloading in the program’s General preferences. This will prevent installer packages—whether real or malicious—from launching automatically.
Finally, if an installer claiming to be a Flash Player installer appears, users should be very careful to ensure that they did, indeed, download it from Adobe’s web site. If not, they should quit the installer.
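Turning the indicators on this page into a check you can run: an added example in Python, not Intego's or VirusBarrier's code. It looks for the dropped library at ~/Library/Preferences/Preferences.dylib, for any downloaded .pkg or .mpkg whose name contains “Flash” (the manual check from the earlier post), and for Safari's Open “safe” files after downloading setting. The Safari preference key AutoOpenSafeDownloads in com.apple.Safari.plist is an assumption; the page names only the checkbox. The two home directories the demo inspects are constructed in a temporary folder so the script runs anywhere; on a Mac, point triage() at Path.home() to check a real account.

```python
import plistlib
import tempfile
from pathlib import Path

DYLIB_IOC = Path("Library/Preferences/Preferences.dylib")        # path from the memo
SAFARI_PLIST = Path("Library/Preferences/com.apple.Safari.plist")
SAFARI_KEY = "AutoOpenSafeDownloads"                             # assumed key name
DOWNLOADS = Path("Downloads")
PKG_SUFFIXES = {".pkg", ".mpkg"}


def safari_auto_opens_safe_files(home: Path) -> bool:
    """True if Safari will launch 'safe' downloads such as installer packages.

    Safari ships with the box checked, so a missing plist or key counts as
    enabled rather than as safe.
    """
    plist = home / SAFARI_PLIST
    if not plist.exists():
        return True
    with plist.open("rb") as fh:
        prefs = plistlib.load(fh)
    return bool(prefs.get(SAFARI_KEY, True))


def flash_packages(home: Path) -> list:
    """Installer packages in Downloads whose name contains 'Flash'."""
    downloads = home / DOWNLOADS
    if not downloads.is_dir():
        return []
    return sorted(
        str(p.relative_to(home))
        for p in downloads.iterdir()
        if p.suffix.lower() in PKG_SUFFIXES and "flash" in p.name.lower()
    )


def triage(home: Path) -> dict:
    """The three checks, reported together for one home directory."""
    return {
        "backdoor_dylib_present": (home / DYLIB_IOC).exists(),
        "safari_auto_open_enabled": safari_auto_opens_safe_files(home),
        "flash_packages_in_downloads": flash_packages(home),
    }


def build_demo_home(root: Path, infected: bool) -> Path:
    """Constructed home directory for the demo; contains no real data."""
    home = root / ("infected" if infected else "hardened")
    (home / DYLIB_IOC).parent.mkdir(parents=True)
    (home / DOWNLOADS).mkdir()
    with (home / SAFARI_PLIST).open("wb") as fh:
        # infected: default setting left on; hardened: box unchecked
        plistlib.dump({SAFARI_KEY: infected}, fh)
    if infected:
        (home / DYLIB_IOC).write_bytes(b"placeholder dylib contents")
        (home / DOWNLOADS / "AdobeFlashPlayer.pkg").write_bytes(b"placeholder package")
    (home / DOWNLOADS / "Unrelated.pkg").write_bytes(b"unrelated package")
    return home


def run_demo() -> dict:
    """Build both demo homes in a temporary directory and triage each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {
            "infected": triage(build_demo_home(root, infected=True)),
            "hardened": triage(build_demo_home(root, infected=False)),
        }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

The “hardened” home is what the three steps above leave behind: no dropped library, no stray Flash package, and the Safari setting unchecked so a downloaded package has to be opened deliberately.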
VirusBarrier X6 (www.intego.com/virusbarrier/) protects users from this malware with malware definitions dated September 26, 2011 or later. VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse.

VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated September 26, 2011 or later, but these programs do not have a real-time scanner, due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.
Note: if anyone who has been infected by this Trojan horse knows the URL at which they got it, please send an e-mail to sample@virusbarrier.com. Thanks.