The Mac Security Blog

Friday the 13th Malware: New Flashback Trojan Horse Variant Follows Apple’s Xprotect Update

Apple has recently updated its Xprotect file quarantine system, used to check for malware downloaded by certain programs – notably Safari, Mail and iChat – but Intego has spotted a new variant of the Flashback Trojan horse, called OSX/FlashBack.J. This variant was released after Apple’s update, and Xprotect does not recognize it yet.



VirusBarrier X6’s generic signatures already detected this new variant, and will probably detect many future variants as well.

The Flashback Trojan Horse Is Not Taking Time Off for the Holidays

As Americans enjoy their long Thanksgiving weekend, malware writers are thankful for only one thing: more and more Mac users are getting tricked into installing their wares. The Flashback Trojan horse, which we reported on here and then discussed again when a new variant and then another new variant appeared, has bred several more variants. Intego has spotted several new versions of this malware which, while not changing the features of the malware, have changed the code in an attempt to sneak past malware protection such as that of VirusBarrier X6.

The bogus alerts you see on sites serving this malware haven’t changed:


But the effect is the same. When you end up on a site like this, an installation package is automatically downloaded, and, if your browser settings allow it, launched so you’ll see an Installer window.

As we said in a previous article, if you see a web page similar to that shown above, do not run any installer, and if the Installer window does not open, check your Downloads folder for any package file that contains the name Flash, then delete it. Only download Flash Player installers from the Adobe web site.


Yet Another Flash Player Security Update

Adobe has released yet another update to Flash Player, fixing a dozen vulnerabilities, some critical. This brings the program up to version 11.1.102.55. Adobe’s security bulletin discusses the vulnerabilities that are patched.

It’s worth noting that the main Mac we use for writing these blog posts has not been updated for several versions of Flash – it’s currently running 10.3.183.5 – and we have never received any sort of alert that a new version was available. Contact with Adobe offered no answer to why this occurs, and we know many people who have also not gotten alerts for updates.

So don’t trust Adobe’s “auto-updater,” and check yourself when you read about new versions. You can use the Flash Player preference pane, which is in System Preferences, to see the version of Flash Player you have, and you can click the Check Now button to go to a web page which will tell you if you are up to date or not.

To get the latest version of Flash Player, go to the Adobe Flash Player Download Center. Adobe has also created a patched version of Flash Player 10, for those who cannot run Flash Player 11; you can get that here.

The company has also updated Adobe Air: you can get the latest version, 3.1.0.4880 here.

We’re curious: do you get auto-update alerts for Flash Player on your Mac? Let us know in the comments.


Adobe Fixes Flash Flaw, and You Don’t Have to Worry

Security researcher Feross Aboukhadijeh discovered a flaw in Adobe Flash that could allow malicious users to “turn on your webcam and microphone without your knowledge or consent to spy on you.” You may not realize this, but one of the “features” in Flash is the ability for Flash objects to utilize your webcam (or iSight camera) and microphone. Ostensibly, this is so you can interact via Flash with other users, but we’ve never seen this in actual use.

It turns out that a sophisticated clickjacking technique could allow malicious users to set up a web page using CSS opacity to hide the Adobe Flash Settings Manager (a Flash object, naturally, that adjusts settings on your computer), and overlay it with buttons. When you click a button that seems to do something you want to do, the hidden Settings Manager setting gets turned on. Aboukhadijeh has set up a demo page where you can see how this works.

Adobe has fixed their Settings Manager so this problem can no longer occur. Nevertheless, you might want to go to the Settings Manager page and, on the Global Privacy Settings tab, check Always Deny for the Camera and Microphone settings. Unless you have actually used a webcam and microphone with Flash, or plan to do so, there’s no reason for these settings to be active.


Flashback Trojan Horse: New Variants with New Features

A security firm has published some information on a new variant of the Flashback Trojan horse, which Intego discovered in September. This new variant, which they are calling Flashback.C, is the variant that Intego spotted a week ago, Flashback.D. (It’s not uncommon for different security companies to name variants differently; we may have more variants than other companies.)

Some of the information published about this variant is interesting, notably the fact that it can disable Apple’s Xprotect malware detection system. When disabling the Xprotect system, the Trojan horse overwrites certain files (notably the info.plist file for the XProtectUpdater daemon, which prevents Mac OS X from getting updates to this file), which means that VirusBarrier X6 cannot repair the damage. (In order to repair it, VirusBarrier X6 would need to re-install a new version of the file; the program cannot simply erase changes made, since the file is overwritten entirely.)

Some companies have published instructions for manually removing this malware, but it is important to note that such instructions only discuss removing code added to the Safari or Firefox web browsers; given the damage done to the XProtect system, manual repair is impossible. (It is technically possible to recover the XProtect file from a backup, if a user has cloned their startup volume, such as with Intego Personal Backup, which is part of Internet Security Barrier, or made a full system backup with Apple’s Time Machine; this entails restoring the /usr/libexec/XProtectUpdater daemon. Users should be very careful if they do this manually, as opposed to using the restoration function of Personal Backup or Time Machine, as permissions on the file could cause the daemon to not function correctly.)

This is the first malware affecting Mac OS X that we have seen that intentionally damages system files. Because of this, repairing damage can be very time-consuming. Even with the appropriate, up-to-date backups, it still takes time to restore the operating system. In the Windows world, the most common method for dealing with this type of file corruption is to re-install the entire operating system. We hope Mac malware doesn’t use similar techniques in the future that would require a full installation of Mac OS X to repair damage. Of course, it is wise to protect one’s Mac with antivirus software to ensure that such damage doesn’t occur in the first place.

Since Intego discovered this variant of the Flashback Trojan horse, the command and control servers that the malware contacts have been inoperable. However, now that this Trojan horse is in the news again, these servers have awakened, and Intego has seen activity today, sending updates to installed malware.

Intego VirusBarrier X6, with malware definitions dated October 13, 2011, or later, detects and blocks this malware.

More About the Flashback Trojan Horse

Intego’s security researchers have been examining the code of this new Trojan horse, which we announced yesterday. They have found some interesting elements in the code.

First, the code itself is quite sophisticated. The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. The backdoor uses the infected Mac’s hardware UUID (a unique identifier) as a user agent, and to identify specific computers. It also sends information about the infected Mac, such as which version of Mac OS X, which architecture (Intel or PowerPC), and more.

The encryption key used is an MD5 hash of the infected Mac’s UUID. This means that the encryption key is different for each Mac, yet the backdoor can regenerate it at any time without having to store it.

The backdoor is able to download further software, but, for now, we are not seeing this activity. It is also able to update itself: it computes a SHA-1 hash of the installed malware to check whether it has changed. If the SHA-1 of the version on the server differs from that of the installed copy, an update is necessary.
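As an added illustration of the scheme described above (this is not Intego’s code or the malware’s), the following script shows how an analyst holding only a packet capture from an infected Mac can decode the backdoor’s traffic: the hardware UUID travels in cleartext as the User-Agent, the RC4 key is MD5 of that UUID, and the self-update check is a SHA-1 comparison. The UUID, request and body are constructed for the demo; using the raw 16-byte MD5 digest (rather than its hex form) as the key is an assumption the page does not settle.

```python
import hashlib

# Constructed sample of the exchange the post describes: the hardware UUID
# goes out in cleartext as the User-Agent and the body is RC4-encrypted
# with a key derived from MD5(UUID). UUID and body are made up.
SAMPLE_UUID = "12345678-ABCD-4321-9876-0123456789AB"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the cipher is symmetric, so this also decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def flashback_key(hardware_uuid: str) -> bytes:
    # MD5 of the UUID, as the post states. Using the raw 16-byte digest
    # is an assumption; the page does not say whether the hex form is used.
    return hashlib.md5(hardware_uuid.encode()).digest()

def decode_capture(raw: bytes) -> tuple:
    """Recover (uuid, plaintext) from a captured beacon; the key material
    is in the User-Agent header, so the capture alone is enough."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    uuid = headers[b"user-agent"].decode()
    return uuid, rc4(flashback_key(uuid), body)

def update_needed(installed_binary: bytes, server_sha1_hex: str) -> bool:
    """Self-update test from the post: SHA-1 of the installed file
    compared with the hash advertised by the server."""
    return hashlib.sha1(installed_binary).hexdigest() != server_sha1_hex.lower()

# Constructed capture, encrypted here with the same routine for the demo.
SAMPLE_REQUEST = (
    b"POST /check HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"User-Agent: " + SAMPLE_UUID.encode() + b"\r\n\r\n"
    + rc4(flashback_key(SAMPLE_UUID), b"os=10.6.8;arch=i386")
)
```

Running `decode_capture(SAMPLE_REQUEST)` returns the UUID and the decrypted body, which is exactly why transmitting the key-derivation input in a header makes this traffic readable to anyone monitoring the network.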