Posted

So now there's a real piece of Mac OS X malware out there.

You still don't need an antivirus program (which doesn't help against this anyway). But you need to do the following:

- Disable Java in your browser. See here: http://www.f-secure.com/weblog/archives/00002330.html

- Don't update Adobe Flash if some website prompts you for it. Instead, go to the Adobe website, and update Flash from there. (Google for "update Adobe Flash").

- Don't enter your password if prompted for a system update on a website. Instead, go to your Apple menu -> Software Update and use that to update your system.

These are the three infection points, the first one is the most critical as it's a true drive-by vulnerability. To my knowledge, the first to make it out in the wilds.

Not sure Google Chrome / OS X is affected - maybe not as it's supposed to be sandboxed? But I don't know.

To those who've been warning us Mac users from Trojans for 10 years now - congratulations, your day has finally come :)

Luckily we still don't need AV programs.

Posted

Great. Updated Flash today...

From the official Flash site? Or from a browser popup? If the latter you might want to research this. I got an "Update your Flash" prompt recently in my browser but still not sure if that was a virus or the actual Adobe updater. I did the update but then paused and thought better of it when it asked me for my admin password... I thought.. hey, that's exactly what a trojan would do, maybe I better abort and install the thing from the official Adobe website...

Posted

Great. Updated Flash today...

From the official Flash site? Or from a browser popup? If the latter you might want to research this. I got an "Update your Flash" prompt recently in my browser but still not sure if that was a virus or the actual Adobe updater. I did the update but then paused and thought better of it when it asked me for my admin password... I thought.. hey, that's exactly what a trojan would do, maybe I better abort and install the thing from the official Adobe website...

I did same about 4-5 days ago but I did enter my password. I think the pop up was on Youtube. Anyway, I re-did it the way you suggested.

Posted

From a popup, which is the way all Adobe update alerts appear. I didn't think anything unusual at the time as I seem to spend way more time updating Adobe products than actually using them.

Of course, I do have them set to check for updates automatically, and it's the first prompt I've seen since the latest version was released on Tuesday. And I'm pretty sure they all ask for the admin password when updating.

Another thing - I spent most of yesterday on TV, and never went near any sites with which you'd normally associate trojans and the like.

I'll look into it, but I'm not overly concerned.

Posted

Interestingly, Apple released Java for OS X Lion 2012-001 yesterday. From the Apple website, it "delivers improved reliability, security, and compatibility for Java SE 6. Java for OS X Lion 2012-001 supersedes all previous versions of Java for OS X."

Posted (edited)

Interestingly, Apple released Java for OS X Lion 2012-001 yesterday. From the Apple website, it "delivers improved reliability, security, and compatibility for Java SE 6. Java for OS X Lion 2012-001 supersedes all previous versions of Java for OS X."

Yep - that one fixes said bug + trojan infection via Java. That was pretty quick.

FWIW I can believe the official Adobe installer looks and behaves like a Trojan .... par for the course. But, I'm not installing anything directly from a browser popup. What they should do is direct you to the official install page so I can verify I am looking at Adobe.com, and do the normal thing, download a DMG and let the user install it...

This kind of thing will come to an end in Mountain Lion's sandboxed apps anyway. A properly sandboxed browser should not allow you to install anything.

Edited by nikster
Posted (edited)

Here's how to check whether your system is clean - run these two commands in the terminal and if you get the same results as me, your system is clean:

$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-05 12:17:35.068 defaults[5375:707]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-05 12:17:45.861 defaults[5395:707]
The domain/default pair of (/Users/nik/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

Dr. Web claims 600k machines are infected with this trojan to date! If true, that would be the worst outbreak of malware on the Mac, ever.

Another interesting tidbit is that the malware will not install itself if it detects any of the following programs installed on the machine:

  • /Library/Little Snitch
  • /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
  • /Applications/VirusBarrier X6.app
  • /Applications/iAntiVirus/iAntiVirus.app
  • /Applications/avast!.app
  • /Applications/ClamXav.app
  • /Applications/HTTPScoop.app
  • /Applications/Packet Peeper.app

That means I'm safe, I have a few of these ;)

Sources: ArsTechnica, F-Secure

Edited by nikster
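The two `defaults read` checks above can be scripted so the same verdict (clean = neither key present) is reached by reading the plist files directly. This is an added example, not part of the original post: it parses a constructed clean and a constructed tampered Info.plist / environment.plist with plistlib and reports any DYLD_INSERT_LIBRARIES entry; the injected library path it uses is a placeholder, not a real indicator.

```python
import plistlib
import tempfile
from pathlib import Path

# Key the checks in the post look for: an LSEnvironment dictionary in Safari's
# Info.plist, or ~/.MacOSX/environment.plist, carrying DYLD_INSERT_LIBRARIES.
INJECT_KEY = "DYLD_INSERT_LIBRARIES"


def _load(plist: Path) -> dict:
    """Parse a plist file; a missing file is treated as 'key does not exist'."""
    if not plist.exists():
        return {}
    with plist.open("rb") as fh:
        return plistlib.load(fh)


def check_launch_env(info_plist: Path) -> list:
    """Equivalent of `defaults read .../Info LSEnvironment`: any LSEnvironment
    entry that sets DYLD_INSERT_LIBRARIES is reported as a finding."""
    env = _load(info_plist).get("LSEnvironment") or {}
    if INJECT_KEY in env:
        return [f"{info_plist.name}: LSEnvironment sets {INJECT_KEY}={env[INJECT_KEY]}"]
    return []


def check_user_env(environment_plist: Path) -> list:
    """Equivalent of `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`."""
    data = _load(environment_plist)
    if INJECT_KEY in data:
        return [f"{environment_plist.name}: {INJECT_KEY}={data[INJECT_KEY]}"]
    return []


def scan(info_plist: Path, environment_plist: Path) -> list:
    """Empty list means both checks came back 'does not exist', i.e. clean."""
    return check_launch_env(info_plist) + check_user_env(environment_plist)


def demo() -> dict:
    """Run the scan over constructed sample plists (clean pair and tampered pair)."""
    injected = "/PLACEHOLDER/injected.dylib"  # placeholder, not a real indicator
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"}))
        (d / "Info_bad.plist").write_bytes(plistlib.dumps(
            {"CFBundleIdentifier": "com.apple.Safari", "LSEnvironment": {INJECT_KEY: injected}}))
        (d / "environment.plist").write_bytes(plistlib.dumps({INJECT_KEY: injected}))
        return {"clean": scan(d / "Info.plist", d / "missing.plist"),
                "tampered": scan(d / "Info_bad.plist", d / "environment.plist")}


if __name__ == "__main__":
    print(demo())
    # on a real Mac, point scan() at /Applications/Safari.app/Contents/Info.plist
    # and Path.home() / ".MacOSX" / "environment.plist"
```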
Posted

Great! Thanks heaps Nickster, I'm safe too.

I actually don't have any of those apps installed, but you've given me a task for the afternoon...

Posted

Update: This is real, and apparently the first and worst malware outbreak in Mac history.

http://daringfireball.net/linked/2012/04/05/flashback

Daring Fireball did something smart - he asked his (many) readers to report back to him if their systems were infected - and got back quite a few reports of infected systems. Given that DF is read by more tech-savvy people than the average, the 600k infected machines number is likely to be accurate.

Scary! I hope somebody at Apple is losing some nights' sleep over this right now...

Posted

I thought it interesting how 274 bots had reported in from Cupertino, but then again, how else would they suppress the threat without knowing exactly how it works and what it does?

I'm pretty sure that sleep was lost in Feb and March while Apple were quietly working on closing the vulnerability, which happened with this patch two days ago.
