This article originally appeared in TidBITS on 2012-02-27 at 8:01 a.m.
The permanent URL for this article is: http://tidbits.com/article/12818
Include images: Off

Beware the Morphing Flashback Malware

by Adam C. Engst

As TidBITS Security Editor Rich Mogull wrote in “Gatekeeper Slams the Door on Mac Malware Epidemics [1]” (16 February 2012), the most significant security hole on the Mac stems from users being tricked into installing something malicious, and once OS X 10.8 Mountain Lion sees widespread adoption later this year, Mac users will have additional protection from at least malicious downloaded applications.

But even Gatekeeper won’t protect from malware that worms its way into Macs in other ways, such as Flashback, malware that may have started out life masquerading as a Flash Player installer but can now infect Macs through sneakier means. (Thanks to TidBITS sponsor Intego for many of the details in this article, which Intego was the first to publish in its Mac Security Blog [2].)

Infection Vectors -- In Flashback’s original approach (variants Flashback.A, Flashback.B, and Flashback.C), a malicious or hacked Web site would display what looks like a Flash error, and if you were to click it, an installer package pretending to be Flash Player would be downloaded. If “Open ‘safe’ files after downloading” is selected in Safari’s General preferences, the bogus installer would be launched automatically, and your Mac would be infected. (Tip #1: Disable that option in Safari!)

[image link] [3]

The new Flashback.G instead employs a two-pronged approach that’s completely different from the fake Flash Player installer, though the malicious code that’s installed is essentially the same (hence the continued use of the Flashback name). First, it attempts to install code on your Mac silently through one of two known Java vulnerabilities. (Luckily, Macs running 10.7 Lion don’t have Java installed by default, and those who have installed all available Java updates in either Lion or 10.6 Snow Leopard are immune from such attacks.) Failing that, Flashback next attempts to download and run a Java applet that displays a self-signed certificate purporting to be from Apple Inc.; if you were to click the Continue button, you’d be giving the applet permission to run and your Mac would be infected.

[image link] [4]

It’s clear that Flashback is in active development, not just from the arrival of this new attack vector, but because it intentionally tries to avoid detection. Some variants check to see if the user is running Mac OS X in VMware Fusion and won’t execute if so. They do this because many security researchers test malware in virtual machines, rather than risk infection of full installations of Mac OS X, since it’s easier to delete a virtual machine and start over with a clean copy. The most recent Flashback.G variant won’t even attempt to install if Intego’s VirusBarrier X6 or certain other security programs are present, presumably since there’s no point in bothering with Macs that are already protected.

Infection Effects -- Flashback’s goal is to capture user names and passwords, which it accomplishes by inserting its code into Web browsers like Safari and Firefox and other network applications like Skype. It monitors network traffic and looks for connections to a number of domains — sites such as Google, Yahoo, CNN, PayPal, numerous banks, and many others. Presumably, the bad guys behind Flashback are looking for user names and passwords that they can exploit immediately — such as for a bank Web site — and those that may be reused across different sites. (Tip #2: Don’t use the same password for all Web sites!)

Because Flashback’s code can interfere with its host programs, it tends to cause crashes. If a network-related program starts crashing regularly, that may be a clue that your Mac has been infected.

Flashback needs both a way to transmit these stolen login credentials back to the mothership and a method of updating its code. It does this via a set of command and control servers that were initially inoperable when Intego discovered Flashback in late September 2011. They were brought online at some point in October 2011 and have been sending updates to infected Macs since. In theory, Flashback can also download additional software, although Intego hasn’t yet seen such activity.

Exactly what code Flashback installs on infected Macs has changed over time. At first, it installed a dynamic loader library and auto-launch code into a file at ~/Library/Preferences/Preferences.dylib. That backdoor code communicated with remote servers using RC4 encryption and sent information such as the infected Mac’s unique hardware ID, version of Mac OS X, hardware architecture, and more.

Subsequent variants of Flashback moved away from the easy-to-delete Preferences.dylib file and instead install the backdoor code inside the application package for Safari and Firefox, modifying the app’s Info.plist file with the location of the backdoor and storing the actual code at /Applications/Safari.app/Contents/Resources/UnHackMeBuild. (For Firefox, replace “Safari.app” with “Firefox.app” in all the commands and paths below.)

Just removing that file from within the app isn’t sufficient to eliminate the infection; it’s also necessary to delete the following lines from the Info.plist, and to do that, you must either open it in BBEdit, or first convert the file to XML with this Terminal command:

plutil -convert xml1 /Applications/Safari.app/Contents/Info.plist

Once that’s done, look for and delete these lines.

<key>LSEnvironment</key> <dict> <key>DYLD_INSERT_LIBRARIES</key> <string>/Applications/Safari.app/Contents/Resources/UnHackMeBuild</string> </dict>

But Flashback didn’t stop there. According to Intego, a later variant installs an executable file in the /tmp directory, applies executable permissions, and then launches the executable. The Flashback backdoor thus becomes active with no indication that anything untoward has happened.

Intego has determined that the most recent Flashback.G variant changes approaches yet again, installing itself into an invisible file in the /Users/Shared directory. This file can bear many names, but all the ones seen so far have a .so extension. Unfortunately, it seems likely that Flashback will continue to rotate the names and locations of where it stores its backdoor code, making it difficult to provide reliable removal instructions.

This latest variant also creates a file at /Users/Shared/.svcdmp and a plist file, used to patch applications, at ~/.MACOSX/environment.plist, along with a log stored at ~/Library/Logs/vmLog.

Some of Flashback’s early variants (but not Flashback.G) go beyond just patching network-aware applications, and intentionally damage system files. In particular, these early variants of Flashback disable Mac OS X’s built-in XProtect malware detection system by deleting some key files:

This intentional file deletion is particularly concerning not just because it prevents XProtect from working (Apple has updated XProtect to detect the earlier variants of Flashback), but also because it means that antivirus software cannot repair the damage; doing so would entail installing entirely new copies of the affected files, rather than just restoring them to their pre-infection state.

It is possible to repair the damage manually, by restoring files from Time Machine or another backup program, but it’s essential to do so from within the backup program to get the original permissions, which likely wouldn’t happen with a simple Finder copy.

Our Advice -- Intego tells me that the rate of infection by Flashback has increased significantly since it started using the combination of the Java vulnerabilities and the fake self-signed certificate. What I don’t yet have a sense of is how easy it is to run across a Web site that hosts Flashback, but there are both ways that users can be fooled into visiting such sites and ways legitimate sites can unwittingly end up hosting such malware.

Regardless, it is certainly possible to avoid infection by Flashback. Apple’s own XProtect has been updated to detect and protect against Flashback’s early variants, so as long as that’s active, you’re probably safe from any of those that may still exist. Nonetheless, to guard against the later variants, you must make sure you have either not installed Java in Lion, or kept your Java installation in Lion or Snow Leopard up to date. And barring that, if you get a prompt to approve a self-signed certificate from Apple, you must deny it.

Similarly, it’s possible to remove Flashback infections manually, if you have a fairly high level of technical sophistication (the information above should give you what you need to know, though I’d also recommend searching the Web for updated information about future Flashback changes).

But I must admit, just as with the MacDefender situation, I’m driven to say that anyone who doesn’t feel they have the technical awareness to detect Flashback’s infection attempts or to repair an infected Mac manually should be running up-to-date security software like Intego’s VirusBarrier X6 [5].

(There are of course other antivirus tools available for the Mac, some of which are free, like ClamXav [6] and Sophos Anti-Virus for Mac Home Edition [7], but VirusBarrier provides additional security-related capabilities, such as a configurable port-based firewall, the capability to detect spyware activity and prevent software from “phoning home,” network traffic monitoring tools, network attack detection, anti-phishing protection, cookie filtering, and more.)

Much as I would like to say that users should just be careful out there, it’s simply too easy for someone who doesn’t know what a self-signed certificate looks like to click through such a prompt, and even allowing a fake Flash Player installer to run is the sort of thing that many less-experienced users wouldn’t think twice about doing.

[1]: http://tidbits.com/article/12795
[2]: http://blog.intego.com/
[3]: http://tidbits.com/resources/2012-02/Flashback-installer.jpeg
[4]: http://tidbits.com/resources/2012-02/Flashback-certificate-prompt.png
[5]: http://www.intego.com/virusbarrier/
[6]: http://www.clamxav.com/
[7]: http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx