Beware the Morphing Flashback Malware
As TidBITS Security Editor Rich Mogull wrote in “Gatekeeper Slams the Door on Mac Malware Epidemics” (16 February 2012), the most significant security hole on the Mac stems from users being tricked into installing something malicious, and once OS X 10.8 Mountain Lion sees widespread adoption later this year, Mac users will have additional protection from at least malicious downloaded applications.
But even Gatekeeper won’t protect from malware that worms its way into Macs in other ways, such as Flashback, malware that may have started out life masquerading as a Flash Player installer but can now infect Macs through sneakier means. (Thanks to TidBITS sponsor Intego for many of the details in this article, which Intego was the first to publish in its Mac Security Blog.)
Infection Vectors — In Flashback’s original approach (variants Flashback.A, Flashback.B, and Flashback.C), a malicious or hacked Web site would display what looks like a Flash error, and if you were to click it, an installer package pretending to be Flash Player would be downloaded. If “Open ‘safe’ files after downloading” is selected in Safari’s General preferences, the bogus installer would be launched automatically, and your Mac would be infected. (Tip #1: Disable that option in Safari!)
The new Flashback.G instead employs a two-pronged approach that’s completely different from the fake Flash Player installer, though the malicious code that’s installed is essentially the same (hence the continued use of the Flashback name). First, it attempts to install code on your Mac silently through one of two known Java vulnerabilities. (Luckily, Macs running 10.7 Lion don’t have Java installed by default, and those who have installed all available Java updates in either Lion or 10.6 Snow Leopard are immune from such attacks.) Failing that, Flashback next attempts to download and run a Java applet that displays a self-signed certificate purporting to be from Apple Inc.; if you were to click the Continue button, you’d be giving the applet permission to run and your Mac would be infected.
It’s clear that Flashback is in active development, not just from the arrival of this new attack vector, but because it intentionally tries to avoid detection. Some variants check to see if the user is running Mac OS X in VMware Fusion and won’t execute if so. They do this because many security researchers test malware in virtual machines, rather than risk infection of full installations of Mac OS X, since it’s easier to delete a virtual machine and start over with a clean copy. The most recent Flashback.G variant won’t even attempt to install if Intego’s VirusBarrier X6 or certain other security programs are present, presumably since there’s no point in bothering with Macs that are already protected.
Infection Effects — Flashback’s goal is to capture user names and passwords, which it accomplishes by inserting its code into Web browsers like Safari and Firefox and other network applications like Skype. It monitors network traffic and looks for connections to a number of domains — sites such as Google, Yahoo, CNN, PayPal, numerous banks, and many others. Presumably, the bad guys behind Flashback are looking for user names and passwords that they can exploit immediately — such as for a bank Web site — and those that may be reused across different sites. (Tip #2: Don’t use the same password for all Web sites!)
Because Flashback’s code can interfere with its host programs, it tends to cause crashes. If a network-related program starts crashing regularly, that may be a clue that your Mac has been infected.
Flashback needs both a way to transmit these stolen login credentials back to the mothership and a method of updating its code. It does this via a set of command and control servers that were initially inoperable when Intego discovered Flashback in late September 2011. They were brought online at some point in October 2011 and have been sending updates to infected Macs since. In theory, Flashback can also download additional software, although Intego hasn’t yet seen such activity.
Exactly what code Flashback installs on infected Macs has changed over time. At first, it installed a dynamic loader library and auto-launch code into a file at ~/Library/Preferences/Preferences.dylib. That backdoor code communicated with remote servers using RC4 encryption and sent information such as the infected Mac’s unique hardware ID, version of Mac OS X, hardware architecture, and more.
Subsequent variants of Flashback moved away from the easy-to-delete Preferences.dylib file and instead install the backdoor code inside the application package for Safari and Firefox, modifying the app’s Info.plist file with the location of the backdoor and storing the actual code at /Applications/Safari.app/Contents/Resources/UnHackMeBuild. (For Firefox, replace “Safari.app” with “Firefox.app” in all the commands and paths below.)
Just removing that file from within the app isn’t sufficient to eliminate the infection; it’s also necessary to delete the following lines from the Info.plist, and to do that, you must either open it in BBEdit, or first convert the file to XML with this Terminal command:
plutil -convert xml1 /Applications/Safari.app/Contents/Info.plist
Once that’s done, look for and delete these lines.
<key>LSEnvironment</key>
<dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/UnHackMeBuild</string>
</dict>
But Flashback didn’t stop there. According to Intego, a later variant installs an executable file in the /tmp directory, applies executable permissions, and then launches the executable. The Flashback backdoor thus becomes active with no indication that anything untoward has happened.
Intego has determined that the most recent Flashback.G variant changes approaches yet again, installing itself into an invisible file in the /Users/Shared directory. This file can bear many names, but all the ones seen so far have a .so extension. Unfortunately, it seems likely that Flashback will continue to rotate the names and locations of where it stores its backdoor code, making it difficult to provide reliable removal instructions.
This latest variant also creates a file at /Users/Shared/.svcdmp and a plist file, used to patch applications, at ~/.MACOSX/environment.plist, along with a log stored at ~/Library/Logs/vmLog.
Some of Flashback’s early variants (but not Flashback.G) go beyond just patching network-aware applications, and intentionally damage system files. In particular, these early variants of Flashback disable Mac OS X’s built-in XProtect malware detection system by deleting some key files:
/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
/usr/libexec/XProtectUpdater
This intentional file deletion is particularly concerning not just because it prevents XProtect from working (Apple has updated XProtect to detect the earlier variants of Flashback), but also because it means that antivirus software cannot repair the damage; doing so would entail installing entirely new copies of the affected files, rather than just restoring them to their pre-infection state.
It is possible to repair the damage manually, by restoring files from Time Machine or another backup program, but it’s essential to do so from within the backup program to get the original permissions, which likely wouldn’t happen with a simple Finder copy.
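As an added example (my own code, not from the article or from Intego), here is a Python script that checks a Mac for the indicators described above: the LSEnvironment/DYLD_INSERT_LIBRARIES entry in Safari’s or Firefox’s Info.plist, the backdoor file locations, hidden .so files in /Users/Shared, and the XProtect files the early variants delete. The sample Info.plist is constructed, and the function and variable names are my own.

```python
import plistlib
from pathlib import Path

# Constructed sample of a Safari Info.plist carrying the LSEnvironment entry
# the article describes; not a file captured from an infected Mac.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>LSEnvironment</key><dict>
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/UnHackMeBuild</string>
</dict></dict></plist>"""

# Backdoor locations named in the article ("~" is the user's home folder).
BACKDOOR_FILES = ["~/Library/Preferences/Preferences.dylib", "/Users/Shared/.svcdmp",
                  "~/.MACOSX/environment.plist", "~/Library/Logs/vmLog"]
# Files the early variants delete to disable XProtect.
XPROTECT_FILES = ["/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist",
                  "/usr/libexec/XProtectUpdater"]

def injected_libraries(info_plist):
    # DYLD_INSERT_LIBRARIES paths in an app's LSEnvironment (empty when clean).
    # plistlib reads binary plists too, so no plutil conversion is needed.
    env = plistlib.loads(info_plist).get("LSEnvironment", {})
    return [p for p in env.get("DYLD_INSERT_LIBRARIES", "").split(":") if p]

def assess(existing):
    # Given the set of indicator paths that exist, report backdoor files
    # that are present and XProtect files that are missing.
    return {"backdoors": [p for p in BACKDOOR_FILES if p in existing],
            "xprotect_missing": [p for p in XPROTECT_FILES if p not in existing]}

def scan_live_mac():
    # Run the checks on this Mac: indicator files, hidden .so files in
    # /Users/Shared, and injected libraries in Safari and Firefox.
    existing = {p for p in BACKDOOR_FILES + XPROTECT_FILES
                if Path(p).expanduser().exists()}
    report = assess(existing)
    report["hidden_so"] = sorted(str(p) for p in Path("/Users/Shared").glob(".*.so"))
    report["injected"] = {}
    for app in ("Safari.app", "Firefox.app"):
        info = Path("/Applications", app, "Contents", "Info.plist")
        if info.exists():
            libs = injected_libraries(info.read_bytes())
            if libs:
                report["injected"][app] = libs
    return report

if __name__ == "__main__":
    print(scan_live_mac())
```

A clean Mac reports empty lists for everything except xprotect_missing, which should also be empty on Snow Leopard and Lion; any non-empty entry deserves a closer look.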
Our Advice — Intego tells me that the rate of infection by Flashback has increased significantly since it started using the combination of the Java vulnerabilities and the fake self-signed certificate. What I don’t yet have a sense of is how easy it is to run across a Web site that hosts Flashback, but there are both ways that users can be fooled into visiting such sites and ways legitimate sites can unwittingly end up hosting such malware.
Regardless, it is certainly possible to avoid infection by Flashback. Apple’s own XProtect has been updated to detect and protect against Flashback’s early variants, so as long as that’s active, you’re probably safe from any of those that may still exist. Nonetheless, to guard against the later variants, you must make sure you have either not installed Java in Lion, or kept your Java installation in Lion or Snow Leopard up to date. And barring that, if you get a prompt to approve a self-signed certificate from Apple, you must deny it.
Similarly, it’s possible to remove Flashback infections manually, if you have a fairly high level of technical sophistication (the information above should give you what you need to know, though I’d also recommend searching the Web for updated information about future Flashback changes).
But I must admit, just as with the MacDefender situation, I’m driven to say that anyone who doesn’t feel they have the technical awareness to detect Flashback’s infection attempts or to repair an infected Mac manually should be running up-to-date security software like Intego’s VirusBarrier X6.
(There are of course other antivirus tools available for the Mac, some of which are free, like ClamXav and Sophos Anti-Virus for Mac Home Edition, but VirusBarrier provides additional security-related capabilities, such as a configurable port-based firewall, the capability to detect spyware activity and prevent software from “phoning home,” network traffic monitoring tools, network attack detection, anti-phishing protection, cookie filtering, and more.)
Much as I would like to say that users should just be careful out there, it’s simply too easy for someone who doesn’t know what a self-signed certificate looks like to click through such a prompt, and even allowing a fake Flash Player installer to run is the sort of thing that many less-experienced users wouldn’t think twice about doing.
Many thanks for the clear explanation of the problem.
Best explanation I've seen so far. I'm still not sure what to advise my non-techie friends, and even for my own system I have a couple of challenges.
- a casual Mac user won't be able to find the suspect files/file contents that indicate infection
- I'm not comfy suggesting my friends just install Intego (too many knobs and dials to deal with)
- hard to quickly show or talk someone through whether Java is installed or not
Any thoughts?
With regard to your third point, here are some thoughts I provided to a reader of this article earlier today:
Software Update should take care of keeping it up-to-date. The latest updates are Java for Snow Leopard Update 6 and Java for Lion Update 1, released last November. Both will update Java SE 6 to 1.6.0_29 and prevent the two exploits from happening. They will not prevent the Certificate approval approach from popping up.
To determine what version of Java you have installed, open your Java Preferences (in /Applications/Utilities/) or in the Terminal app type "java -version" without the quotes and hit return. To see what version of Java is enabled in Safari go to <http://java.com/en/download/testjava.jsp>. For tips on reducing your exposure to Java exploits read <http://www.magmatic.com/currents/2011/9/28/strengthening-java-in-mac-osx.html>.
I understand the concern about VirusBarrier's interface, and in general, many of the anti-virus apps are a bit intimidating looking.
What about the free VirusBarrier Express, though, which looks a LOT simpler, although it doesn't get updated virus definitions as often from what I can tell from the description. There's also the $9.99 VirusBarrier Plus, which seems to have the same interface (clearly I need to check into these some more, since I'm mostly familiar with VirusBarrier X6).
http://itunes.apple.com/us/app/virusbarrier-express/id411642093?mt=12
http://itunes.apple.com/us/app/virusbarrier-plus/id430337549?mt=12
This talks about Java security "holes", but I only have JavaScripts enabled, not Java. Does the Flashback malware use JavaScript also?
The original version reportedly used it when you clicked the link to download the fake FlashPlayer package, but that's not reason enough to disable it as there are way too many web sites today that won't work without it. With that version you had to make a couple of bigger mistakes for it to infect you, so JavaScript played a very small role.
Despite the similar names, JavaScript has barely anything to do with Java. The presence of bugs in Java does not mean you need to turn off JavaScript.
Yes, Al and Harold are right. There's no connection between Java and JavaScript, other than the name. If you're running Lion and don't need Java for something like CrashPlan, just don't install it.
I held off installing Apple's "Security Update 2012-001" because of a previous item I read in TidBITS. Is this now safe to install and will it in any way help protect against this Flashback malware? Also, I just visited the VirusBarrier X6 site and I fear installing and configuring it is a day-long project -- at a time when I can't spare that much time. Any shortcuts?
I believe it's safe to install Security Update 2012-001 now, but I don't think it has anything to do with Flashback one way or another, since Java updates are generally separate.
If I have the newest Java update installed, will Flashback also be able to install itself if my users are logged in as non-admins and click onto that fake "certificate"? That's a question I have not found answered anywhere. Normally, I would reckon a non-administrator would need to input a password to install a certificate or anything else.
I'd also be really interested if it is okay to install the latest Snow Leopard security update since I held back after reading that it caused issues with PowerPC programs.
That's a very good question about the admin password, Andreas, and one I don't currently know the answer to.
Security Update 2012-001 no longer kills PowerPC programs, and the 1.1 version seems stable in my experience.
OK, the word back from the security researcher investigating this is that you don't need an admin password because the Java applet that generates the prompt is in your user folder.
I have several questions:
1. Can you check whether your Mac still has the file "com.apple.xprotectupdater.plist" using Spotlight?
2. Does Adam's advice on this web page apply equally to Leopard, Snow Leopard and Lion?
3. Will an old version of Intego (or of ClamXav) protect against installation?
4. If not, and you install the latest version of Intego, will that be able to purge your system if already infected?
Let me see if I can help:
1. No, Spotlight won't find it, given its location in the system files. You'll need to look manually, but the easy way to do that is choose Go > Go to Folder in the Finder and paste this path in, then look manually.
/System/Library/LaunchDaemons/
2. It applies to Lion and Snow Leopard. I don't know about Leopard. Given that Leopard has been dropped out of security updates from Apple at this point, if I were using Leopard, I'd probably err on the side of installing antivirus software.
3. Old versions of antivirus programs are worthless, since they need to have the latest definitions to find new malware.
4. The latest version of any antivirus program should be able to purge Flashback, with the caveat that if you got the variant that deletes XProtect, you'll need to reinstall that manually.
A reader asked in email how to check what version of Java is installed. It turns out to be quite simple. In Terminal, type:
java -version
Here's something I can't find an answer to: I have VirusBarrier, and after backing up, etc, I tried to visit one of the sites listed as infected, but all of the listed sites have been pulled down.
I'm trying to determine the kind of protection provided by the latest virus definitions and the latest VB.
Does it put up a flashing warning when you visit the site, or does it find the file after it's installed?... or something else.
If I could find an infected site, I'd be able to let you know, as I'm willing to test that myself. (Of course, I understand why the list isn't "loudly" published...)
So: how does VB respond?
It's a good question, but from what Intego is saying, all the attention being paid to Flashback right now has caused all the infected sites to be pulled down. And they're seeing new Flashback variants every day.
I wish I had a better answer, but at this point it seems to come down to needing to trust that all the security firms are right about this.
When does the bogus certificate show up?
Presumably when you visit a malicious or compromised Web site. It's impossible to provide more explicit details since the sites are changing constantly.