Python-based malware attack targets Macs. Windows PCs also under fire

Filed Under: Apple, Data loss, Featured, Malware, Privacy, Windows

Experts at SophosLabs have identified a new malware attack that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.

Internet users who visit compromised webpages may find themselves at risk of infection via a Java exploit that downloads malicious software onto their computer.

The latest malware attack exploits the Java vulnerability to download further malicious code onto the computer (Sophos products detect the attack as Mal/20113544-A and Mal/JavaCmC-A).

Note: Patches for the Java vulnerability have been available since February 14th for Windows, Linux and Unix computers and since early April for some Mac users. Unfortunately, Apple has chosen not to issue a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard), meaning those users remain undefended. Presumably Apple wants them to update to a later version of Mac OS X.

So, there may still be some users whose computers are not patched against the Java vulnerability - and are at risk of attack.

The malicious Java code downloads further code onto the victim's computer - depending on what operating system they are using. On Windows, the downloaded file will be detected by Sophos as Mal/Cleaman-B. On Mac OS X, the downloaded file (install_flash_player.py) will be detected as OSX/FlsplyDp-A.

This is not, however, the end of the story.

The downloaded programs will then install further malicious code - downloading the Troj/FlsplyBD-A backdoor Trojan on Windows computers, and decrypting a Python script called update.py (extracted from install_flash_player.py) on Mac OS X.

This Python script acts as a Mac OS X backdoor: remote attackers can secretly send it commands, upload further code to the computer, steal files and run commands, all without the user's knowledge.

Sophos is adding detection of the final Python script as OSX/FlsplySc-A.

The backdoor Python script allows remote hackers to steal information

This attack is quite different from the earlier Flashback attack, and may indicate that other cybercriminal gangs are exploring the possibilities of infecting Mac computers.

Certainly, whoever wrote the script has left a clue that they may be planning further development of their code.

The script has been written with future development in mind

The easiest way to look for an infection is, of course, to run an up-to-date anti-virus product. But if you want to check your Mac by hand to see if it is infected by this backdoor Trojan, here's a quick way to do it:

Examine /Users/Shared/ and look for files called update.sh and update.py.

update.sh is a shell script that executes update.py, the Python script. These files can be safely deleted, though note that deleting them does not terminate a copy of update.py that is already running.

Files on Mac OS X
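A scripted version of that hand check, added here as an example (it is not code from the original post or from Sophos). It assumes only what the article states: the files update.sh and update.py under /Users/Shared. The directory argument, the quarantine directory and the process check are additions, so the functions can be pointed at a scratch directory for testing and so the files are preserved as evidence rather than deleted outright.

```shell
#!/bin/sh
# Added example (not from the original post): hand check for the two
# OSX/FlsplySc-A artefacts the article names, update.sh and update.py in
# /Users/Shared. The directory argument is an assumption added so the
# functions can be run against a scratch directory.

INDICATOR_FILES="update.sh update.py"

# Return 0 when neither file is present, 1 when at least one is.
find_flsply_indicators() {
    dir="${1:-/Users/Shared}"
    found=0
    for f in $INDICATOR_FILES; do
        if [ -e "$dir/$f" ]; then
            printf 'INDICATOR: %s\n' "$dir/$f"
            found=1
        fi
    done
    return "$found"
}

# Deleting the files does not stop a copy of update.py that is already
# running, so also look for a process executing it. The [u] trick keeps
# grep from matching its own command line. Returns 0 when none is found.
find_flsply_process() {
    if ps -A -o pid=,args= 2>/dev/null | grep '[u]pdate\.py'; then
        return 1
    fi
    return 0
}

# Move the files into a quarantine directory instead of deleting them,
# so they can be submitted to an AV vendor first. Prints the number moved.
quarantine_flsply_indicators() {
    dir="${1:-/Users/Shared}"
    qdir="${2:-$HOME/flsply-quarantine-$(date +%Y%m%d%H%M%S)}"
    moved=0
    for f in $INDICATOR_FILES; do
        if [ -e "$dir/$f" ]; then
            mkdir -p "$qdir"
            mv "$dir/$f" "$qdir/"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Usage: sh check_flsply.sh [directory]   (defaults to /Users/Shared)
target="${1:-/Users/Shared}"
if find_flsply_indicators "$target" && find_flsply_process; then
    echo "No FlsplySc indicators found in $target"
else
    echo "Possible infection: review the items above, then run"
    echo "  quarantine_flsply_indicators \"$target\""
fi
```

Run it as root on the Mac in question; a clean machine prints the "No FlsplySc indicators" line. If a python process running update.py shows up, kill it before quarantining the files, otherwise the backdoor keeps running until the next reboot.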

It should go without saying that you really should be running an up-to-date anti-virus, and be keeping up to date with security patches (like those available for Java).

Although Windows users are generally pretty good about running anti-virus protection, Mac users are only just waking up to the need. We have a free Mac anti-virus for home users, if you think it's time to take your computer's security more seriously.

Thanks to SophosLabs researcher Xiaochuan Zhang for his assistance with this article.


18 Responses to Python-based malware attack targets Macs. Windows PCs also under fire

  1. George · 910 days ago

    Does this apply to iPad and iPhone users as well?

    • some guy · 909 days ago

      I don't think so, because this uses the built-in Python compiler that comes with OSX; iOS doesn't have it installed.

      • The python code actually explicitly checks to see what environment it is running on, and requires a desktop OS X, or it fails. Interestingly, it has a quick fail for Linux, and non-OS X darwin builds just fail implicitly.

        Also, as the dropper exploits wouldn't run on an iOS device (wrong processor, no Java), it would be difficult to inject such a script in the first place -- unless you had a jailbroken device that had all the required tools installed and the security settings already compromised.

    • Jon Fukumoto · 909 days ago

      Probably not. iOS doesn't use any Java to the best of my knowledge, so iOS devices should be safe. The only way they're vulnerable is if they're jailbroken, which is not recommended and voids the warranty.

  2. Tom · 909 days ago

    The python appears to be a legitimate script re-purposed for evil.
    http://nullege.com/codes/show/src@m@a@matahari-HE...

  3. Janelle · 909 days ago

    Just wondering, I downloaded your free anti-virus tool and just want to know, does it automatically do a check or do I need to run it, say, every week or day?

    • Sophos's free anti-virus for Mac home users runs automatically in the background, scanning in real-time as you access files

      So you shouldn't need to remember to scan your whole drive :)

  4. ViRuT · 909 days ago

    Please use 'Sophos Anti-Virus for Mac Home Edition': http://www.sophos.com/en-us/products/free-tools/s...

  5. Michelle · 908 days ago

    Also wondering: I have OSX 10.4.11 and cannot update it any further, due to the age of my computer (it's old enough to run System 9). I use the free version of your software. Am I protected? I could go into the Terminal and check, but I am not too comfortable with doing that.

    • Chester Wisniewski · 908 days ago

      Yes, you are protected. I would also disable Java Applets in all the browsers you have installed just to be sure nothing nasty gets by in the future.

  6. Steve · 908 days ago

    By the grammar of the comment in the code, it sounds like a Filipino did it.

  7. roy jones jr · 907 days ago

    That's good to hear that there's a way to look for the files to manually delete. I recently got a MacBook to refresh my old Macintosh skills so I need to keep it clean of viruses as long as I can.

  8. Nick Sheldon · 907 days ago

    Winds me up that you offer the MAC peeps a FREE antivirus product, and nothing of the sort to us PC owners and this is after I have promoted your product throughout my industry.

  9. Cliff Wood · 906 days ago

    Is the free virus removal tool updated by Sophos to remove new viruses that seem to be coming out all too frequently?

  10. Gail · 905 days ago

    I just reinstalled Sophos antivirus on my Mac hard drive. It shows up as an icon on my desktop but I don't have a black shield. What did I do wrong?

  11. Yogeesh Seralathan · 142 days ago

    I'm wondering how this Python-based virus affected Windows PCs.
    At least it will fail on all the Windows PCs if a Python compiler is not present.

    If someone has the source code for this virus. Please share!


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.