New Mac malware exploits Java bugs, steals passwords

Flashback.G first in the malware family to infect Macs using vulnerabilities

A new version of a well-known family of Mac malware exploits vulnerabilities in Java to steal usernames and passwords for online payment, banking and credit card websites.

Flashback.G is the first variant of the Trojan horse to use an attack vector that doesn't require any user interaction, said Intego Security, a French firm that specializes in Mac antivirus software. Most Mac malware needs help from users to get on a machine, if only to okay an installation by entering the system password.

When users come across the new malware -- it's being served from an unknown number of malicious websites -- Flashback.G first tries to exploit a pair of Java bugs, one harking back to 2008, the other discovered last year.

Apple has patched both vulnerabilities in its Java updates, fixing the 2011 bug in the most recent Java security update, issued last November.

While Apple no longer packages Oracle's Java with its Mac operating system -- it stopped that practice with OS X 10.7, aka Lion, in July 2011 -- it continues to issue Java security updates to people running Lion as well as Mac OS X 10.6, better known as Snow Leopard. Even though it doesn't come with Lion, Java may have be on those systems: Users are prompted to install the Oracle software the first time they try to run a Java applet.

If Flashback.G is unsuccessful because both bugs have been plugged -- or if Java isn't present on the Mac -- the malware switches to a backup tactic, where it tries to dupe users into running the attack code by posing as content digitally signed by Apple.

The malware is, of course, not signed by Apple, and although a warning appears that tells potential victims that "This root certificate is not trusted," some may ignore the warning and click "Continue," which installs Flashback.G.

"I don't want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated," said Peter James, a spokesman for Intego. "The Java vulnerability [approach] doesn't require user interaction, and they're putting victims into a strainer," he added, referring to the social engineered-style fake certificate tactic that's employed only if the Mac is invulnerable to the Java exploits.

Once it's wormed itself onto a Mac, Flashback.G downloads more malicious code - a key logger -- that sniffs out usernames and passwords used to log into PayPal, bank and credit card websites. Those it finds it transmits to a hacker-operated command-and-control server.

The list of domains that the malware monitors also include non-financial sites, such as CNN.com, said James, perhaps a clue that the attackers were after credentials they could use to access other accounts.

Users often rely on one username/password combination for multiple websites, a dangerous practice if the credentials are stolen.

Java certificate
If Flashback.G can't get onto a Mac by exploiting a pair of Java bugs, it tries to trick the user into manually installing the malware by presenting a fake digital certificate. (Image: Intego.)
1 2 Page
FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies