Experts at SophosLabs have identified a new malware attack that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.
Internet users who visit compromised webpages may find themselves at risk of infection via a Java exploit that downloads malicious software onto their computer.
The latest malware attack exploits the Java vulnerability to download further malicious code onto the computer (Sophos products detect the attack as Mal/20113544-A and Mal/JavaCmC-A).
Note: Patches for the Java vulnerability have been available since February 14th for Windows, Linux and Unix computers and since early April for some Mac users. Unfortunately, Apple has chosen not to issue a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard), meaning those users remain undefended. Presumably Apple wants them to update to a later version of Mac OS X.
So, there may still be some users whose computers are not patched against the Java vulnerability – and are at risk of attack.
The malicious Java code downloads further code onto the victim’s computer – depending on what operating system they are using. On Windows, the downloaded file will be detected by Sophos as Mal/Cleaman-B. On Mac OS X, the downloaded file (install_flash_player.py) will be detected as OSX/FlsplyDp-A.
This is not, however, the end of the story.
The downloaded programs will then install further malicious code – downloading the Troj/FlsplyBD-A backdoor Trojan on Windows computers, and decrypting a Python script called update.py (extracted from install_flash_player.py) on Mac OS X.
This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, upload code to the computer, steal files and run commands without the user’s knowledge.
Sophos is adding detection of the final Python script as OSX/FlsplySc-A.
This attack is quite different from the earlier Flashback attack, and may indicate that other cybercriminal gangs are exploring the possibilities of infecting Mac computers.
Certainly, whoever wrote the script has left a clue that they may be planning to make developments to their code in the future.
The easiest way to look for an infection is, of course, to run an up-to-date anti-virus product. But if you want to check your Mac by hand to see if it is infected by this backdoor Trojan, here’s a quick way to do it:
Examine /Users/Shared/ and look for files called update.sh and update.py.
update.sh is a shell script that will execute update.py, the Python script. These files can be safely deleted.
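For readers who prefer a scripted version of the manual check above, here is an added example (written for this page, not Sophos code) that looks for the two indicators the article names. It only reports what it finds and never deletes anything, so the files can be kept for analysis before removal; the directory defaults to /Users/Shared/ as described in the article, and an alternative directory can be passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the article: report-only check for the two indicators
# named above (update.sh and update.py in /Users/Shared/).
# Usage: check_flsply_indicators [directory]   (defaults to /Users/Shared)
# Exit status: 0 = neither file present, 1 = one or both present (listed on stdout).

check_flsply_indicators() {
    dir="${1:-/Users/Shared}"
    found=0
    for name in update.sh update.py; do
        path="$dir/$name"
        if [ -e "$path" ]; then
            found=1
            # Print owner, permissions and modification time to help triage.
            printf 'INDICATOR: %s\n' "$path"
            ls -l "$path"
            # The article says update.sh executes update.py; confirm that linkage
            # when the shell script is readable.
            if [ "$name" = "update.sh" ] && grep -q 'update\.py' "$path" 2>/dev/null; then
                printf '  update.sh references update.py (matches the described behaviour)\n'
            fi
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'No update.sh/update.py found in %s\n' "$dir"
    fi
    return "$found"
}

# When saved as check_flsply.sh and run directly, check the real location
# (or the directory given as the first argument).
case "$0" in
    *check_flsply.sh) check_flsply_indicators "$@" ;;
esac
```

The non-zero exit status on a hit makes the function easy to wire into a scheduled job or a fleet-wide inventory script; a clean machine simply prints the "No update.sh/update.py found" line and exits 0.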
It should go without saying that you really should be running an up-to-date anti-virus, and be keeping up to date with security patches (like those available for Java).
Although Windows users are generally pretty good about running anti-virus protection, Mac users are only just waking up to the need. We have a free Mac anti-virus for home users, if you think it’s time to take your computer’s security more seriously.
Thanks to SophosLabs researcher Xiaochuan Zhang for his assistance with this article.
Does this apply to iPad and iPhone users as well?
I don't think so, because this uses the built-in Python interpreter that comes with OS X; iOS doesn't have it installed.
The python code actually explicitly checks to see what environment it is running on, and requires a desktop OS X, or it fails. Interestingly, it has a quick fail for Linux, and non-OS X darwin builds just fail implicitly.
Also, as the dropper exploits wouldn't run on an iOS device (wrong processor, no Java), it would be difficult to inject such a script in the first place — unless you had a jailbroken device that had all the required tools installed and the security settings already compromised.
Probably not. iOS doesn’t use any Java to the best of my knowledge, so iOS devices should be safe. The only way they’re vulnerable is if they’re jailbroken, which is not recommended and voids the warranty.
The python appears to be a legitimate script re-purposed for evil.
http://nullege.com/codes/show/src@m@a@matahari-HE…
Just wondering: I downloaded your free anti-virus tool and just want to know, does it automatically do a check, or do I need to run it, say, every week or day?
Sophos’s free anti-virus for Mac home users runs automatically in the background, scanning in real-time as you access files
So you shouldn’t need to remember to scan your whole drive 🙂
Please use 'Sophos Anti-Virus for Mac Home Edition': http://www.sophos.com/en-us/products/free-tools/s…
Also wondering: I have OSX 10.4.11 and cannot update it any further, due to the age of my computer (it's old enough to run System 9). I use the free version of your software. Am I protected? I could go into the Terminal and check, but I am not too comfortable with doing that.
Yes, you are protected. I would also disable Java Applets in all the browsers you have installed just to be sure nothing nasty gets by in the future.
By the grammar of the comment in the code, it sounds like a Filipino did it.
That's good to hear that there's a way to look for the files to manually delete. I recently got a MacBook to refresh my old Macintosh skills, so I need to keep it clean of viruses as long as I can.
Winds me up that you offer the Mac peeps a FREE anti-virus product, and nothing of the sort to us PC owners, and this is after I have promoted your product throughout my industry.
I refer the right honourable gentleman to...
http://nakedsecurity.sophos.com/2012/04/11/free-v…
Is the free virus removal tool updated by Sophos to remove new viruses that seem to be coming out all too frequently?
I just reinstalled Sophos antivirus on my Mac hard drive. It shows up as an icon on my desktop but I don't have a black shield. What did I do wrong?
Sorry, we're not able to offer technical support for Sophos products on the Naked Security site.
You may wish to try the support community for the free anti-virus product: http://openforum.sophos.com/macav
I’m wondering how this Python-based virus affected Windows PCs.
At least it will fail on all Windows PCs if a Python interpreter is not present.
If someone has the source code for this virus, please share!