About that Flashback Trojan for Macs.

I’m sorry, but are you stupid?! Not you dear reader. I’m speaking metaphorically.

So, there’s malware out for the Mac. It has infected around 600,000 Macs. Bummer.

I wasn’t infected. Why? Because I don’t give my administrator password if a website (read that again: a website!) asks for my computer’s password.

And that’s really all there is to it. It doesn’t infect your system if you merely visit an infected site – that’s just the sensational online press trying to get page views. You also need to give it your administrator password.

Who in their right mind does that? Right.

Anyhow, F-Secure has a page up where you can check if you’re infected. Please do so, and remember: do not ever give your administrator password to a website.

Edit: Arik Hesseldahl at AllThingsD has a nice roundup of the issue. Funny that pundits blame Apple for Oracle’s fault.


6 comments on “About that Flashback Trojan for Macs.”

  1. Can you confirm that the Flashback Trojan requires giving an admin password to a web page? That doesn’t seem to be what this Macworld article says:

    http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html

    > The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.

    I think the article is confusingly worded, but if I understand correctly, all you have to do is visit a page that hosts Flashback. Without your knowledge, your browser will install an app that will later pose as a fake software update. That app asks for your admin password, but it is not itself a web page.

    This page has a screen shot of the fake software update:

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    • scottph says:

      Hi Andy,
      I’ve looked into it and this is, to my understanding, what happens:
      If you have Java installed and enabled, and you visit an infected website, a Java applet will download the Trojan payload. This, in itself, isn’t nice but it’s not critical. What is critical is that it will ask for your administrator password once the code is executed on your local system. This is where most people should be able to see that something isn’t right.
      Nonetheless, it will try to execute its code even if you do not give your password, but it will fail and delete itself if you have certain software present on your system, like Xcode (Skype, and many others). See the “Additional Details” on the link you provided.
      This has been a known vulnerability in Oracle’s JRE since October 18th, 2011.
      Additionally, it’s not like any website can carry the payload. It has to be written with the payload in mind, meaning (almost) all websites you visit will not carry it, unless they’re shady.
      What I find really interesting is that all major anti-virus companies have been very quiet about this particular “drive-by” Trojan, because none of their software would have caught it.
      Also, keep in mind that Java is not part of OS X Lion, and is not installed by default, probably for security and support reasons. It’s only installed if you use apps that require Java.
      In closing: It’s a dangerous variant of a Trojan, but only to a somewhat small part of the Mac community. I believe, by not including Java from now on, and by patching this vulnerability, that Apple is doing pretty much all it can to help users out.
      Cheers,
      Scott

      • Thanks, Scott.

        > it will fail and delete itself if you have certain software present on your system, like Xcode (Skype, and many others)

        A side note: the link I gave lists /Developer/Applications/Xcode.app/Contents/MacOS/Xcode as a trigger for the Trojan to delete itself. But starting with Xcode 4.x (I’m not sure of the “x”), Xcode has been installed in /Applications/Xcode. I notice on another site someone claimed to be infected despite having Xcode installed. I suspect they had the newer Xcode.

        > What I find really interesting is that all major anti-virus companies have been very quiet about this particular “drive-by” Trojan, because none of their software would have caught it.

        That is interesting indeed. I’m used to those companies promoting fear whenever possible (or at least being accused of doing so). It never occurred to me there could be a case where they prefer to keep quiet.

        > I believe, by not including Java from now on, and by patching this vulnerability, that Apple is doing pretty much all it can to help users out.

        Yes, and it helps even more that adoption rates for new releases of OS X are typically very good.

      • scottph says:

        Hi Andy, agreed on all counts. I may look into the Xcode directory structure when I’m on my Mac later today. Thanks for that! As a side note: even if you had an older version of Xcode on your system, wouldn’t the update move this to the new default, unless you told it to install the new version to a different directory?

      • No, the Xcode that goes into /Applications is put there by the Mac App Store if that’s how you get the upgrade (as opposed to downloading it from developer.apple.com). The installation leaves /Developer alone. You are prompted once to delete /Developer; if you say no you can delete it later manually, or you can leave it where it is in case you don’t trust the latest Xcode and want to have a fallback. There’s more info at https://developer.apple.com/xcode/. Note that a bunch of tools like Instruments are now inside the Xcode bundle.

        HTH.
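The path mismatch discussed in this thread (the self-delete trigger file at /Developer/Applications/Xcode.app/Contents/MacOS/Xcode versus a newer Xcode living under /Applications), as an added shell check that is not part of the post or the comments. It assumes the newer bundle’s executable sits at /Applications/Xcode.app/Contents/MacOS/Xcode, which the comments do not state exactly, and takes an optional root directory so it can be run against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the post or its commenters). Reports whether a Mac
# has Xcode at the legacy path listed as a Flashback self-delete trigger, only
# at the newer /Applications location (Xcode installed, but the trigger file
# the Trojan checks for is absent), or at neither. ROOT defaults to / so the
# same function can be exercised on a constructed tree.

# Legacy path quoted from the F-Secure description in the thread above.
LEGACY_XCODE="Developer/Applications/Xcode.app/Contents/MacOS/Xcode"
# Assumed executable path inside the newer Xcode bundle under /Applications.
NEW_XCODE="Applications/Xcode.app/Contents/MacOS/Xcode"

# Usage: xcode_trigger_check [ROOT]
# Exit status: 0 = legacy trigger path present (self-delete check would fire)
#              1 = only the newer path present (trigger file NOT found)
#              2 = no Xcode found at either path
xcode_trigger_check() {
    root="${1:-/}"
    root="${root%/}"          # strip a trailing slash so the paths join cleanly
    if [ -f "$root/$LEGACY_XCODE" ]; then
        echo "legacy Xcode found at /$LEGACY_XCODE: trigger file present"
        return 0
    elif [ -f "$root/$NEW_XCODE" ]; then
        echo "Xcode found only at /$NEW_XCODE: trigger file NOT present"
        return 1
    else
        echo "no Xcode found under ${root:-/}: trigger file NOT present"
        return 2
    fi
}

# Check the live filesystem (or the root given as the first argument) when the
# script is executed directly; the `|| status=$?` form keeps a non-zero result
# from aborting under `set -e` while still recording it.
xcode_trigger_check "${1:-/}" && status=0 || status=$?
```

A status of 1 is the case Andy describes: Xcode is installed, but not where the Trojan looks, so its presence offers no protection.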

      • scottph says:

        Yeah, I have Xcode installed on my machine, but thanks for the info.
