New Mac malware exploits Java bugs, steals passwords
Flashback.G first in the malware family to infect Macs using vulnerabilities
Computerworld - A new version of a well-known family of Mac malware exploits vulnerabilities in Java to steal usernames and passwords for online payment, banking and credit card websites.
Flashback.G is the first variant of the Trojan horse to use an attack vector that doesn't require any user interaction, said Intego Security, a French firm that specializes in Mac antivirus software. Most Mac malware needs help from users to get on a machine, if only to okay an installation by entering the system password.
When users come across the new malware -- it's being served from an unknown number of malicious websites -- Flashback.G first tries to exploit a pair of Java bugs, one harking back to 2008, the other discovered last year.
Apple has patched both vulnerabilities in its Java updates, fixing the 2011 bug in the most recent Java security update, issued last November.
While Apple no longer packages Oracle's Java with its Mac operating system -- it stopped that practice with OS X 10.7, aka Lion, in July 2011 -- it continues to issue Java security updates to people running Lion as well as Mac OS X 10.6, better known as Snow Leopard. Even though it doesn't come with Lion, Java may still be on those systems: Users are prompted to install the Oracle software the first time they try to run a Java applet.
If Flashback.G is unsuccessful because both bugs have been plugged -- or if Java isn't present on the Mac -- the malware switches to a backup tactic, where it tries to dupe users into running the attack code by posing as content digitally signed by Apple.
The malware is, of course, not signed by Apple, and although a warning appears that tells potential victims that "This root certificate is not trusted," some may ignore the warning and click "Continue," which installs Flashback.G.
"I don't want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated," said Peter James, a spokesman for Intego. "The Java vulnerability [approach] doesn't require user interaction, and they're putting victims into a strainer," he added, referring to the social-engineering-style fake certificate tactic that's employed only if the Mac is invulnerable to the Java exploits.
Once it's wormed itself onto a Mac, Flashback.G downloads more malicious code -- a key logger -- that sniffs out usernames and passwords used to log into PayPal, bank and credit card websites. It transmits any credentials it finds to a hacker-operated command-and-control server.
The list of domains that the malware monitors also includes non-financial sites, such as CNN.com, said James, perhaps a clue that the attackers were after credentials they could use to access other accounts.
Users often rely on one username/password combination for multiple websites, a dangerous practice if the credentials are stolen.