OSX/Imuler is not the only Mac OS X threat that has resurfaced this year. OSX/Flashback has been making its rounds again.
As you can remember, OSX/Flashback has appeared last year and disguised as Adobe Flash Player Installer. The previous variants connects to remote host to download its component files and installing backdoor that injects to web browsers and other applications in order to steal sensitive user information.
This time the malware author of OSX/Flashback has another trick up its sleeves. A new variant of OSX/Flashback has been discovered and it takes advantages of Java Vulnerabilities namely (CVE-2008-5353, CVE-2011-3544 and CVE-2012-0507). This new variant doesn’t need user interaction in order to infect the system successfully not like its old variants where it needs the user to input the administrator password.
When a user unknowingly visits malicious website, the attack will start by a script loading the malicious Java applet. If the Java in that system is enabled and vulnerable, then the infection will be successful.
Upon execution of the malicious Java applets, it drops a file as “~/.jupdate” in User’s Home folder. It then creates “com.java.update.plist” in the ~/Library/LaunchAgents/, to ensure that the dropped file will be active on the system.
OSX/Flashback botnet has more than 550,000 infected machines according to reports.
Some tips to avoid infection for OSX/Flashback and other malware:
1. Uncheck the “Enable Java” from Preferences in Safari as shown in Figure 1.
[Figure 1 – Safari Preferences]
2. In Snow Leopard, disable the Java by unchecking the options in General Tab (highlighted in Figure 2).
[Figure 2 – Java Preferences]
3. If Java is enabled in your system and the patch is already available from the software vendor, make sure that you apply the latest security updates.
[Figure 3 – Mac OS Software Update]
Ensure that your Software Products and Total Defense Products are updated with the latest signatures at all times.
Apple released a removal tool for the most common variants of OSX/Flashback, for more information click here