New Mac malware exploits Java bugs, steals passwords
Flashback.G first in the malware family to infect Macs using vulnerabilities
Computerworld - A new version of a well-known family of Mac malware exploits vulnerabilities in Java to steal usernames and passwords for online payment, banking and credit card websites.
Flashback.G is the first variant of the Trojan horse to use an attack vector that doesn't require any user interaction, said Intego Security, a French firm that specializes in Mac antivirus software. Most Mac malware needs help from users to get on a machine, if only to okay an installation by entering the system password.
When users come across the new malware -- it's being served from an unknown number of malicious websites -- Flashback.G first tries to exploit a pair of Java bugs, one harking back to 2008, the other discovered last year.
Apple has patched both vulnerabilities in its Java updates, fixing the 2011 bug in the most recent Java security update, issued last November.
While Apple no longer packages Oracle's Java with its Mac operating system -- it stopped that practice with OS X 10.7, aka Lion, in July 2011 -- it continues to issue Java security updates to people running Lion as well as Mac OS X 10.6, better known as Snow Leopard. Even though it doesn't come with Lion, Java may have be on those systems: Users are prompted to install the Oracle software the first time they try to run a Java applet.
If Flashback.G is unsuccessful because both bugs have been plugged -- or if Java isn't present on the Mac -- the malware switches to a backup tactic, where it tries to dupe users into running the attack code by posing as content digitally signed by Apple.
The malware is, of course, not signed by Apple, and although a warning appears that tells potential victims that "This root certificate is not trusted," some may ignore the warning and click "Continue," which installs Flashback.G.
"I don't want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated," said Peter James, a spokesman for Intego. "The Java vulnerability [approach] doesn't require user interaction, and they're putting victims into a strainer," he added, referring to the social engineered-style fake certificate tactic that's employed only if the Mac is invulnerable to the Java exploits.
Once it's wormed itself onto a Mac, Flashback.G downloads more malicious code - a key logger -- that sniffs out usernames and passwords used to log into PayPal, bank and credit card websites. Those it finds it transmits to a hacker-operated command-and-control server.
The list of domains that the malware monitors also include non-financial sites, such as CNN.com, said James, perhaps a clue that the attackers were after credentials they could use to access other accounts.
Users often rely on one username/password combination for multiple websites, a dangerous practice if the credentials are stolen.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Malware and Vulnerabilities White Papers | Webcasts