This article originally appeared in TidBITS on 2012-04-05 at 12:16 p.m.
The permanent URL for this article is: http://tidbits.com/article/12918

How to Detect and Protect Against Updated Flashback Malware

by Adam C. Engst

Apple has released updates to its Java libraries for users of Mac OS X 10.7 Lion and 10.6 Snow Leopard (see “Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7 [1],” 3 April 2012). The updates bring the Java runtime engine up to version 1.6.0_31 and fix multiple vulnerabilities [2] in Java version 1.6.0_29, “the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” What those release notes aren’t saying is that the vulnerabilities in question were being exploited in the wild by a new variant of the Flashback malware (see “Beware the Morphing Flashback Malware [3],” 27 February 2012).

[Update: On 12 April 2012, Apple released updates for Lion and Snow Leopard that remove Flashback. Installing the Lion update disables Java on Web pages unless you specifically re-enable Java. Apple also made available a separate Flashback removal tool for Lion users who haven’t installed Java. For more information, see “Apple Releases Flashback Malware Updates [4],” 12 April 2012.]

Significant Infection Rates -- A Russian antivirus developer, Doctor Web [5], says their research shows more than 550,000 Macs have been infected [6] after users visited compromised Web sites that contain JavaScript code to activate a malicious Java applet. Sorokin Ivan of Doctor Web later raised that estimate to over 600,000 in a tweet [7]. [Update: A week after Flashback hit the news, its infection level had dropped to below 300,000.]

Although we haven’t seen anything from Doctor Web before, the question of who they are came up on TidBITS Talk, where security analyst Brian McNett said:

The first I heard of Doctor Web was when they were referenced, and when Sorokin Ivan later responded via Twitter to Mikko Hypponen, Chief Research Officer of F-Secure. I know and trust Mikko. He uses reliable sources. Doctor Web appears to be a Russian outfit, with largely Russian clientele, so it wouldn’t be unusual for their reputation to be unknown elsewhere. Their key discovery is that Flashback uses the MAC address of the infected machine as the User-Agent when connecting to its command-and-control server. This is a unique pattern that allowed them to track infections before anyone else. That they shared this finding publicly, along with their data, adds to their credibility.

Mikko Hypponen said in a tweet [8] that F-Secure has spoken with Doctor Web and that the infection numbers look real. And Kaspersky Labs has now provided independent confirmation [9] that Doctor Web’s numbers are reasonable and are in fact Macs.

According to Mac security firm Intego, Flashback-infected Macs show no symptoms at all, other than communication with Flashback’s command-and-control servers that could be detected by network monitoring tools. Although we haven’t seen confirmation of this with recent Flashback variants, earlier versions of Flashback tried to capture user names and passwords by injecting code into Web browsers and other network applications, like Skype. In such cases, the affected programs tended to crash frequently. Security firm Sophos says that along with stealing passwords, Flashback can also poison search engine results [10] to perform advertising fraud (by fraudulently increasing click-through rate) or to direct victims to further malicious content (though that seems unnecessary, if the Mac is already compromised).
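The network-side detection mentioned above rests on the Doctor Web observation quoted earlier: Flashback sends the infected Mac’s MAC address as its User-Agent when it talks to its command-and-control servers. The following is an added example, not code from the article or from any of the security firms it cites; it assumes the MAC address shows up as six colon- or dash-separated hex pairs somewhere in the User-Agent field, and the proxy log format and every log line are constructed for the example.

```python
"""Flag proxy-log requests whose User-Agent field carries a MAC address.

Assumption for this example: the MAC appears as six hex pairs separated
by ':' or '-'. The log format and all sample lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Six hex pairs with separators, bounded so a longer hex run or an IPv6
# address does not produce a partial match.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:-])"
)

# Constructed log format: <timestamp> <client-ip> "<request>" <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def mac_in_user_agent(ua: str) -> Optional[str]:
    """Return the MAC-looking token in a User-Agent string, or None."""
    m = MAC_RE.search(ua)
    return m.group(0) if m else None


def find_mac_user_agents(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client-ip, mac, request) for every line whose UA carries a MAC.

    Lines that do not match the expected format are skipped rather than
    treated as findings; a real deployment would count them separately.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mac = mac_in_user_agent(m.group("ua"))
        if mac:
            hits.append((m.group("ip"), mac, m.group("req")))
    return hits


# Constructed sample log. The MAC uses the 00-00-5E-00-53-xx range that is
# reserved for documentation, so it identifies no real hardware.
SAMPLE_LOG = [
    '2012-04-05T12:16:00Z 10.0.0.12 "GET /index.html HTTP/1.1" 200 '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 '
    '(KHTML, like Gecko) Version/5.1.3 Safari/534.53.10"',
    '2012-04-05T12:16:02Z 10.0.0.12 "GET / HTTP/1.1" 200 "00:00:5e:00:53:01"',
    '2012-04-05T12:16:05Z 10.0.0.7 "GET /update HTTP/1.1" 200 "ExampleUpdater/1.2.3.4.5.6"',
    "not a log line at all",
]

if __name__ == "__main__":
    for ip, mac, req in find_mac_user_agents(SAMPLE_LOG):
        print(f"client {ip} sent MAC {mac} as User-Agent while requesting {req!r}")
```

The value of the check is that a MAC address is never a legitimate User-Agent, so a single hit is worth investigating; the client IP in the hit tells you which machine to run the Info.plist checks on.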

More concerning is that Intego says it has seen dozens of variants of Flashback [11] in the past weeks, indicating that the programmers behind Flashback are modifying it quickly to avoid detection and to take advantage of newfound vulnerabilities. That may render obsolete any advice for preventing, detecting, and removing Flashback. On a side note, Intego also says that it has evidence that Flashback was created by the same people who created MacDefender [12] in 2011 (see “Beware Fake MACDefender Antivirus Software [13],” 2 May 2011 and “Apple Responds to Increasingly Serious MacDefender Situation [14],” 25 May 2011).

Detect Flashback Infection -- So how can you tell if you’re infected? Security firm F-Secure posted instructions for detecting current Flashback infections [15]; the instructions also include removal steps that we would dissuade anyone but advanced users from attempting.

That said, detection comes down to issuing the following defaults read commands in Terminal (F-Secure suggests only the first and last; the others extend the technique from Safari to Google Chrome, Firefox, and iCab). In each case, if you see “does not exist” at the end of the response from each command, you are not infected. (The defaults read command is entirely safe — it’s just attempting to determine whether some data exists in the Info.plist file within each application package.)

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
defaults read /Applications/iCab\ 4/iCab.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

For a simpler approach, Marc Zeedar, publisher of Real Studio Developer [16] magazine, has written a simple Test4Flashback [17] application that encapsulates the defaults read checks and presents a dialog telling you whether or not you’re infected. It doesn’t attempt to do any removal at all.
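The defaults read commands above only ask whether two keys exist: an LSEnvironment block in a browser’s Info.plist, and a DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist. The script below is an added example, not the article’s commands, F-Secure’s instructions, or Test4Flashback; it reads the same plist files directly with Python’s plistlib (which handles both XML and binary plists) instead of shelling out to defaults, and it treats a browser that isn’t installed as a skipped check rather than a finding. The sample plists and the library path inside them are constructed placeholders, not real Flashback indicators.

```python
"""Offline version of the article's defaults-read checks, using plistlib.

Paths are those from the article; the sample plists at the bottom are
constructed so the logic can be exercised on any machine.
"""
import os
import plistlib
from typing import Dict, List, Optional

# Browser bundles covered by the article's commands.
BROWSER_INFO_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Google Chrome.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    "/Applications/iCab 4/iCab.app/Contents/Info.plist",
]
# Per-user launch environment file, the last command in the article.
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")


def inspect_info_plist(data: bytes) -> Dict[str, Optional[object]]:
    """Look in an app bundle's Info.plist for an injected environment.

    A stock browser ships with no LSEnvironment key at all, which is why
    `defaults read ... LSEnvironment` answering "does not exist" means clean.
    """
    plist = plistlib.loads(data)
    env = plist.get("LSEnvironment")
    dyld = env.get("DYLD_INSERT_LIBRARIES") if isinstance(env, dict) else None
    return {"ls_environment": env, "dyld_insert_libraries": dyld}


def inspect_environment_plist(data: bytes) -> Optional[str]:
    """Return DYLD_INSERT_LIBRARIES from a ~/.MacOSX/environment.plist, if set."""
    return plistlib.loads(data).get("DYLD_INSERT_LIBRARIES")


def verdict(info_results: List[dict], env_dyld: Optional[str]) -> str:
    """Collapse the per-file findings into one answer."""
    if env_dyld or any(r["dyld_insert_libraries"] for r in info_results):
        return "suspicious: DYLD_INSERT_LIBRARIES is being injected"
    if any(r["ls_environment"] is not None for r in info_results):
        return "review: LSEnvironment is set but carries no DYLD_INSERT_LIBRARIES"
    return "clean"


def scan_mac() -> str:
    """Run the checks against the real files on this machine.

    A missing file is skipped: an uninstalled browser is not a finding,
    even though `defaults read` prints the same "does not exist" for a
    missing file as for a missing key.
    """
    info_results = []
    for path in BROWSER_INFO_PLISTS:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                info_results.append(inspect_info_plist(fh.read()))
    env_dyld = None
    if os.path.exists(USER_ENV_PLIST):
        with open(USER_ENV_PLIST, "rb") as fh:
            env_dyld = inspect_environment_plist(fh.read())
    return verdict(info_results, env_dyld)


# Constructed sample plists; the .dylib path is a placeholder.
CLEAN_INFO = plistlib.dumps({"CFBundleIdentifier": "com.example.browser"})
TAMPERED_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.example.browser",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/PLACEHOLDER/injected.dylib"},
})
CLEAN_ENV = plistlib.dumps({"PATH": "/usr/bin:/bin"})
TAMPERED_ENV = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/PLACEHOLDER/injected.dylib"})

if __name__ == "__main__":
    print("sample clean   :", verdict([inspect_info_plist(CLEAN_INFO)],
                                      inspect_environment_plist(CLEAN_ENV)))
    print("sample tampered:", verdict([inspect_info_plist(TAMPERED_INFO)], None))
    print("this machine   :", scan_mac())
```

Like the defaults read commands, this only detects the persistence method known for this variant; as the article notes, Intego has seen dozens of variants, so a “clean” result here says nothing about a variant that hooks the browser some other way.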

Protect Yourself Against Flashback -- In the meantime, if you are using 10.7 Lion and have not yet installed Java, hold off unless you need it. If you have installed Java in Lion or are using 10.6 Snow Leopard, immediately install Apple’s Java updates via Software Update to prevent infection from this particular variant of Flashback. And although uninstalling Java is difficult [18], you can disable it, either system-wide or in individual Web browsers (Flashback relies entirely on Web-based attacks, as far as we’re aware).

[Images: disabling Java system-wide in Mac OS X [19], in Safari [20], in Google Chrome [21], and in Firefox [22]]

If you need to use Java only occasionally, consider leaving it enabled in a browser that you seldom use, and rely on that browser for those specific sites — like Web conferencing tools — that require Java.

Installing antivirus software like Intego’s VirusBarrier [23] will also provide protection, both from the software’s base functionality and because the Flashback malware doesn’t install itself if it detects certain antivirus programs.

Lastly, it’s worth noting that some variants of Flashback worm their way onto Macs not through exploiting Java vulnerabilities, but by fooling users into entering an administrator password. The only way you can protect yourself against such trickery is by being suspicious of any password request that doesn’t come in direct response to an action that you’ve just taken, such as installing a new piece of software that you downloaded intentionally.

Be careful out there.

[1]: http://tidbits.com/article/12911
[2]: http://support.apple.com/kb/HT5228
[3]: http://tidbits.com/article/12818
[4]: http://tidbits.com/article/12934
[5]: http://www.drweb.com/
[6]: http://news.drweb.com/show/?i=2341&lng=en&c=14
[7]: https://twitter.com/#!/hexminer/status/187623741273026562
[8]: https://twitter.com/#!/mikko/status/187898394835025920
[9]: http://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
[10]: http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/
[11]: http://www.intego.com/mac-security-blog/hundreds-of-thousands-of-macs-infected-by-flashback-malware/
[12]: http://www.intego.com/mac-security-blog/new-flashback-variant-changes-tack-to-infect-macs/
[13]: http://tidbits.com/article/12149
[14]: http://tidbits.com/article/12199
[15]: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
[16]: http://www.rsdeveloper.com/
[17]: http://rsdeveloper.com/downloads/test4flashback.zip
[18]: http://reviews.cnet.com/8301-13727_7-57408841-263/how-to-check-for-and-disable-java-in-os-x/
[19]: http://tidbits.com/resources/2012-04/MacOSX-disable-Java.png
[20]: http://tidbits.com/resources/2012-04/Safari-disable-Java.png
[21]: http://tidbits.com/resources/2012-04/Chrome-disable-Java.png
[22]: http://tidbits.com/resources/2012-04/Firefox-disable-Java.png
[23]: http://www.intego.com/virusbarrier