Experts at SophosLabs have identified a new malware attack that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.
Internet users who visit compromised webpages may find themselves at risk of infection via a Java exploit that downloads malicious software onto their computer.
Note: Patches for the Java vulnerability have been available since February 14th for Windows, Linux and Unix computers and since early April for some Mac users. Unfortunately, Apple has chosen not to issue a Java security update for users running versions of Mac OS X prior to 10.6 (Snow Leopard), meaning those users remain undefended. Presumably Apple wants them to update to a later version of Mac OS X.
So, there may still be some users whose computers are not patched against the Java vulnerability – and are at risk of attack.
The malicious Java code downloads further code onto the victim’s computer – depending on what operating system they are using. On Windows, the downloaded file will be detected by Sophos as Mal/Cleaman-B. On Mac OS X, the downloaded file (install_flash_player.py) will be detected as OSX/FlsplyDp-A.
This is not, however, the end of the story.
The downloaded programs will then install further malicious code – downloading the Troj/FlsplyBD-A backdoor Trojan on Windows computers, and decrypting a Python script called update.py (extracted from install_flash_player.py) on Mac OS X.
This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user’s knowledge.
Sophos is adding detection of the final Python script as OSX/FlsplySc-A.
This attack is quite different from the earlier Flashback attack, and may indicate that other cybercriminal gangs are exploring the possibilities of infecting Mac computers.
Certainly, whoever wrote the script has left a clue that they may be planning to make developments to their code in the future.
The easiest way to look for an infection is, of course, to run an up-to-date anti-virus product. But if you want to check your Mac by hand to see if it is infected by this backdoor Trojan, here’s a quick way to do it:
Examine /Users/Shared/ and look for files called update.sh and update.py.
update.sh is a shell script that will execute update.py, the Python script. These files can be safely deleted.
It should go without saying that you really should be running an up-to-date anti-virus, and be keeping up to date with security patches (like those available for Java).
Although Windows users are generally pretty good about running anti-virus protection, Mac users are only just waking up to the need. We have a free Mac anti-virus for home users, if you think it’s time to take your computer’s security more seriously.
Thanks to SophosLabs researcher Xiaochuan Zhang for his assistance with this article.