New Mac malware exploits Java bugs, steals passwords

Flashback.G first in the malware family to infect Macs using vulnerabilities

A new version of a well-known family of Mac malware exploits vulnerabilities in Java to steal usernames and passwords for online payment, banking and credit card websites.

Flashback.G is the first variant of the Trojan horse to use an attack vector that doesn't require any user interaction, said Intego Security, a French firm that specializes in Mac antivirus software. Most Mac malware needs help from users to get on a machine, if only to okay an installation by entering the system password.

When users come across the new malware -- it's being served from an unknown number of malicious websites -- Flashback.G first tries to exploit a pair of Java bugs, one harking back to 2008, the other discovered last year.

Apple has patched both vulnerabilities in its Java updates, fixing the 2011 bug in the most recent Java security update, issued last November .

While Apple no longer packages Oracle's Java with its Mac operating system -- it stopped that practice with OS X 10.7, aka Lion, in July 2011 -- it continues to issue Java security updates to people running Lion as well as Mac OS X 10.6, better known as Snow Leopard. Even though it doesn't come with Lion, Java may have be on those systems: Users are prompted to install the Oracle software the first time they try to run a Java applet.

If Flashback.G is unsuccessful because both bugs have been plugged -- or if Java isn't present on the Mac -- the malware switches to a backup tactic, where it tries to dupe users into running the attack code by posing as content digitally signed by Apple.

The malware is, of course, not signed by Apple, and although a warning appears that tells potential victims that "This root certificate is not trusted," some may ignore the warning and click "Continue," which installs Flashback.G.

"I don't want to give [the hackers] more credit than they deserve, but [Flashback.G] is particularly sophisticated," said Peter James, a spokesman for Intego. "The Java vulnerability [approach] doesn't require user interaction, and they're putting victims into a strainer," he added, referring to the social engineered-style fake certificate tactic that's employed only if the Mac is invulnerable to the Java exploits.

Once it's wormed itself onto a Mac, Flashback.G downloads more malicious code - a key logger -- that sniffs out usernames and passwords used to log into PayPal, bank and credit card websites. Those it finds it transmits to a hacker-operated command-and-control server.

The list of domains that the malware monitors also include non-financial sites, such as, said James, perhaps a clue that the attackers were after credentials they could use to access other accounts.

Users often rely on one username/password combination for multiple websites, a dangerous practice if the credentials are stolen.

If Flashback.G can't get onto a Mac by exploiting a pair of Java bugs, it tries to trick the user into manually installing the malware by presenting a fake digital certificate. (Image: Intego.)

James said that the number of infections was significantly smaller than during 2011's "Mac Defender" malware campaigns , but said Intego had captured multiple samples and monitored several support forums where users reported infections.

According to Intego's analysis , Flashback.G injects attack code into Web browsers and other applications that access the Internet. In some cases the code causes the programs to crash.

Flashback.G installs itself as an invisible file in the "/Users/Shared" folder under a variety of names, all which come with the extension ".so," said James.

Some reports on Apple's site cited unexpected errors while using Skype , and posted crash log results that, James said, indicated a Flashback.G infection.

"And although a lot of people don't use Java on their Macs, they may not even know that they have it," James said. He called out the Web conferencing software GoToMeeting as one program that requires the Java runtime, and thus prompts Mac users to install it.

Mac users can determine whether their machines have Java installed by visiting one of several websites, including this one , or by launching Terminal from the Utilities folder within the Applications folder, then typing "java -version" without the quotation marks.

A version number will appear, or the message "No Java runtime support, requesting install" if Java is not on the Mac.

Apple has not yet updated Mac OS X's bare-bones anti-malware tool to detect Flashback.G.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His email address is .

See more by Gregg Keizer on .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Copyright © 2012 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon