Mac computers infected with a virus

[Central Scrutinizer]

5 April 2012 Last updated at 12:54 GMT

http://www.bbc.co.uk/news/science-environment-17623422

Half a million Mac computers 'infected with malware'

More than half a million Apple computers have been infected with the Flashback Trojan, according to a Russian anti-virus firm.

Its report claims that about 600,000 Macs have installed the malware - potentially allowing them to be hijacked and used as a "botnet".

The firm, Dr Web, says that more than half that number are based in the US.

Apple has released a security update, but users who have not installed the patch remain exposed.

Flashback was first detected last September when anti-virus researchers flagged up software masquerading itself as a Flash Player update. Once downloaded it deactivated some of the computer's security software.

Later versions of the malware exploited weaknesses in the Java programming language to allow the code to be installed from bogus sites without the user's permission.

Remote control
Dr Web said that once the Trojan was installed it sent a message to the intruder's control server with a unique ID to identify the infected machine.

"By introducing the code criminals are potentially able to control the machine," the firm's chief executive Boris Sharov told the BBC.

"We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals' hands. However, we know people create viruses to get money.

"The largest amounts of bots - based on the IP addresses we identified - are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people."

Dr Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California - home to Apple's headquarters.
Update wait

Java's developer, Oracle, issued a fix to the vulnerability on 14 February, but this did not work on Macintoshes as Apple manages Java updates to its computers. http://www.oracle.com/technetwork/to...12-366318.html

Apple released its own "security update" on Wednesday - more than eight weeks later. It can be triggered by clicking on the software update icon in the computer's system preferences panel. http://support.apple.com/kb/HT5228

The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.
http://www.f-secure.com/v-descs/troj...shback_i.shtml

Although Apple's system software limits the actions its computers can take without requesting their users' permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.

"People used to say that Apple computers, unlike Windows PCs, can't ever be infected - but it's a myth," said Timur Tsoriev, an analyst at Kaspersky Lab.

Apple could not provide a statement at this time.

[Gentle Giant]

Secure your Mac from Flashback infection

By Rob Pegoraro, Special for USA TODAY

Question: What's the best way to keep my Mac safe from the Flashback Trojan that has been in the news?

Answer: Flashback is technically not a trojan-horse application at all, but a "drive-by download" that infects computers by exploiting a vulnerability in Web software.

That makes it much worse than a trojan: You just need to visit a malicious site, without downloading the wrong app or entering an admin password, to have this program silently take command of your Mac and begin altering the content of Web pages........

http://www.usatoday.com/tech/product...jan/54087366/1

[toper01]

this might help people,and F-Secure has put out how to remove the trojan manually http://news.cnet.com/8301-27076_3-57...col;subStories

[Miyuki]

This is from Will Konsider

http://www.macworld.com/article/1166...ck_trojan.html

What is Flashback?

Flashback is the name for a malicious software program discovered in September 2011 that tried to trick users into installing it by masquerading as an installer for Adobe Flash. (Antivirus vendor Intego believes Flashback was created by the same people behind the MacDefender attack that hit last year.) While the original version of Flashback and its initial variants relied on users to install them, this new form is what’s called in the security business a drive-by download: Rather than needing a user to install it, Flashback uses an unpatched Java vulnerability to install itself.

If you visit a malicious (or unwillingly infected) website hosting Flashback, the program attempts to display a specially crafted Java applet. (We don’t yet know how many websites host Flashback.) If you have a vulnerable version of Java installed and enabled in your Web browser, the malicious code will infect your system and then install a series of components. Since Apple did not release an update for that vulnerable version of Java until April 3rd, many users were and are still susceptible.

After initial infection, Flashback pops open a Software Update window to try and obtain your administrative password, but it does so only to embed itself more deeply into your Mac. Even if you aren’t fooled at this point, you are still infected.

Once it succeeds in infecting your Mac, Flashback inserts itself into Safari and (according to F-Secure) appears to harvest information from your Web browsing activities, including usernames and passwords. It then sends this information to command-and-control servers on the Internet.

The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.

Am I at risk?

You are at risk if you meet four criteria:

1. You have Java installed on your Mac. One way to find out: Open Terminal and type java -version at the prompt. If you do have Java installed, you'll get a version number. It is installed by default on OS X 10.6 Snow Leopard, but not by OS X 10.7 Lion. (But is installed the first time you need to run it, which means most Macs likely have it).

2. You do not have the Java for OS X Lion 2012-001 (if you're running OS X Lion) or Java for Mac OS X 10.6 Update 7 installed (if you're running Snow Leopard) or you were infected before either of them was installed. Both of those updates install Java version 1.6.0_31; running that java -version command above will tell you if that's what you've got.

3. You allow Java applets to display in your browser. In Safari, go to Preferences > Security > Web Content and see if the Enable Java option is checked. You can turn that option off by unchecking it.

4. You do not have certain security tools installed on your Mac that Flashback checks for, including Little Snitch, Xcode, and a few anti-malware tools.

Antivirus vendors do not appear to have detected this particular version of Flashback for a few days after it appeared in the wild, though some vendors—including Intego—protected users with updates in late March. Malware often shares bits of code from earlier versions that may be detectable by antivirus products before those products have been specifically updated to catch newer versions, but such protection is hit-or-miss.

[De Master Yoda]

No operating system is 100% foolproof.


While it is true that mac's will not become infected with many of the windows type virus , there is an increasing number of virus being worked upon for macintosh operating systems.

Here is a FREE program that will help keep your mac safe.

http://www.iantivirus.com/

[Spidey]

'Mac Virus' Fix: Apple Releases New Update For Flashback Trojan

The Huffington Post | By Courteney Palis Posted: 04/13/2012

Apple has followed through with its promise to develop software that will detect and remove the malicious Mac Flashback trojan, which infected more than 600,000 Mac laptops worldwide.

On April 12, the company released yet another Java update that "removes the most common variants of the Flashback malware." While the update is meant only for OS X Lion and Mac OS X v10.6, Apple suggested previously that users with Macs running Mac OS X v10.5 or earlier disable Java in order to better protect their devices from the Flashback trojan.

http://support.apple.com/kb/HT5242?v...S&locale=en_US

When the company on April 10 announced it would be developing a malware removal tool, Apple also mentioned it is currently working with Internet service providers (ISPs) across the world to shut down the network of computer servers presumably hosted by the malware authors and currently supporting the Flashback trojan.

http://support.apple.com/kb/HT5244

This is Apple's third software update to Java in nine days; however, this latest update release is the first one actually designed to detect and remove the Flashback trojan from Mac laptop devices, as well as patch up the Java vulnerabilities of which the trojan took advantage.

According to PCMag, another function of the update is to "disable the Java plugin on all Web browsers (not just Safari) and turn off applet execution by default." In addition, Apple explained in its support document for the Java update, "Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets."

The Flashback trojan has been around in various forms since last September, but it wasn't until recently that it seemed to become a huge problem, prompting Java developer Oracle to release a security update back in February.

While Apple has been criticized for its slow response to the Flashback trojan, at least it seems its Java security updates have been working.

On April 12, ZDNet reported the results of a study conducted by security software developer Symantec, which found that the number of infected Macs has dropped to around 270,000 from more than 600,000 just last week.

Then again, it's just as likely the drop in infected devices is due to increasing awareness of the Flashback trojan's existence and to the release of tools to fight the malware by such Internet security companies as F-Secure, Symantec and Dr. Web, the firm that first discovered just how widely the trojan had spread back on April 4.

[De Master Yoda]

I have spoken to some apple techs and they all say that the new apple updates for mac os will detect and eliminate this virus.

************************************************** *************

http://www.sophos.com/en-us/products...e-edition.aspx

This is a FREE anti virus for mac. Sophos has been a leader in internet security and I think they have another winner with this easy to install and use program.

I have delayed posting this for a couple of days as it was showing a virus on my scans. I have been in touch with Sophos lab technicians and the scan is showing a false positive. It is safe to use this Sophos program.

Sophos Support support@sophos.com

6:54 PM (17 hours ago)


Dear xxxxxx

Thank you for waiting for me to get back to you. I have a reply from our sophos labs and this is being wrongly detected by this vendor it is a False Positive.

[Kat]

Sabpab Trojan: Mac Users Have Another Foe To Look Out For

The Huffington Post | By Courteney Palis Posted: 04/16/2012

http://www.huffingtonpost.com/2012/0...n_1428156.html

If you have yet to equip your Mac with Apple's latest Java update to protect it from the Flashback trojan said to infect over 600,000 devices, now might be a good time to do it. Apparently, there's another trojan making rounds on unprotected Macs.

Graham Cluley, a senior technology consultant at computer security firm Sophos explained in an April 13 blog post that this new backdoor trojan, dubbed "Sabpab," connects to a control server using HTTP and follows the orders of hackers who can enter a victim's computer, upload and download files, run commands and take screenshots.

This malware is similar to the Flashback trojan, writes Cluley, in that it doesn't require user interaction to infect a device and it takes advantage of the same vulnerabilities in Java software.

According to Costin Raiu, director of global research and analysis at IT security company Kaspersky Lab, the malware is being spread through Word documents that exploit these Java vulnerabilities. Raiu published his own findings on the trojan, which he calls Backdoor.OSX.SabPub.a.

Raui discovered that there are actually two variants of the trojan in existence -- the earliest version was supposedly created in February, while the more recent one was created in March. As Cult of Mac pointed out, Raiu believes the more recent version of the trojan may have been released as part of the Pro-Tibetan attacks on Mac OSX users that also took place in March and spawned malware like "Luckycat." Raui also notes that the IP address of the website from which hackers are controlling and commanding the trojan was also used in the "Luckycat" malware attacks.

To check if your Mac has been infected with this new trojan, Forbes suggests that users search for these files on their devices:

/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist

But whether you're sure your Mac has been hit or not, it's best to be proactive with your Mac's security by keeping its software up to date. You can access Apple's most recent updates by downloading them here http://support.apple.com/downloads/ or manually updating your software by following these instructions here http://support.apple.com/kb/HT1338.

[Miyuki]

Mac Security After Flashback: 5 Key Points
Where does the Apple security situation stand in the wake of the Flashback Trojan outbreak? Consider these important data points.

By Mathew J. Schwartz InformationWeek
April 24, 2012 12:50 PM

http://www.informationweek.com/news/...acks/232900859

[De Master Yoda]

http://www.v3.co.uk/v3-uk/news/22008...to-apple-users

Dirt cheap Mac malware points up growing threat to Apple users

by Alastair Stevenson 24 Aug 2012.

The Apple zombie malware NetWeird is reportedly selling on the black market for as little as $60, reflecting growing interest in the Mac platform from cyber criminals.

French anti-virus outfit Intego, which specialises in Macs and other Apple systems, reported finding the malware on a number of cyber black markets on Wednesday.

Before NetWeird, numerous vendors, including F-Secure and Microsoft's Trustworthy Computing division, had reported observing a marked increase in the number of automated exploit kits and malware samples available for sale online.

The surprise here, however, is the malware's low $60 price tag, when compare with other samples selling for several thousands of dollars.

"Perhaps the price tag tells us all we need to know: OSX/Crisis sells for €200,000, and OSX/NetWeirdRC starts at $60," wrote and Intego.

"The website for the developers of OSX/NetWeirdRC also lists the undetected nature of this tool as a selling point. It would seem that you get what you pay for, even in the malware world."

NetWeird was uncovered targeting the Apple Mac operating system earlier in August. It works by installing itself into the user's home directory as an application bundle called WIFIADAPT.app.app.

The malware is designed to operate as a bot, letting its controller run processes on infected machines without the owner's knowledge or consent.

This means that the remote attacker can carry out actions such as taking screenshots, extract files and attempt to steal passwords by searching through data stored by web browsers and email clients like Opera, Firefox, SeaMonkey and Thunderbird.

NetWeird is listed as being an incredibly basic, ineffective bot and as a result many security experts have been more concerned about its strategic implications, citing it as further proof that criminals' interest in the Apple ecosystem is increasing.

"It adds itself to your login items, presumably with the intention of loading up every time you reboot your Mac. But a bug means that it adds itself as a folder, not an application. All that happens when you log back in is that Finder pops up and displays your home directory," wrote Sophos researcher, Paul Ducklin.

"Crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing. Those who remember the past often choose to repeat it, especially if there's money to be made."

Before NetWeird's appearance, Kaspersky researcher David Emm issued a similar warning regarding criminals' increased interest in Apple's Mac OS during an exclusive interview with V3.