Trojan exploits Java for ‘no intervention’ Mac infection
- — 24 February, 2012 14:03
The maker of the Flashback Trojan for Mac OS X has tweaked the malware so that it can install without the user doing anything.
The new variant of the Trojan can install itself by exploiting two Java vulnerabilities but only if the Mac -- primarily OS X 10.6 Snow Leopard -- is using outdated Java software, according to Mac AV vendor Intego.
“The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention,” the company said.
“This malware is particularly insidious, as users don’t download anything or double-click any file to launch an installer.”
The company claims it has seen a number of infections, primarily on OS X 10.6 Snow Leopard, which included Java preinstalled. Intego urged users of this operating system to update Java immediately. Java does not however come preinstalled on the later OS X Lion.
The malware has a third trick up its sleeve. If those Java vulnerabilities are not available, the malware reverts to the more common technique aimed at Mac users by attempting to trick them into clicking “continue” on a fraudulent Apple certificate.
The new Trojan builds on the first Flashback Trojan released last year, which posed as a Flash Player installer package.
Interestingly, the updated Trojan will not install if Intego’s or a number of other Mac AV engines are detected.
“It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected,” according to Intego. The security vendor said the malware is designed to steal user names and passwords and typically causes Safari and Skype to crash unexpectedly on infected systems.