Friday, February 24, 2012

New Variant of Flashback Trojan Using Java Exploits to Infect Macs

Apple WarningThe authors behind the Flashback Trojan targeting Macs are quite the busy bunch.

Researchers at Intego have discovered a new version of the Flashback Trojan - dubbed "Flashback.G" - that’s infecting OS X via drive-by-downloads exploiting two Java vulnerabilities.

In the event that the targeted vulnerabilities have been patched, Flashback.G will attempt to trick users into installing it by displaying a self-signed certificate claiming to be issued by Apple.

Upon a successful infection, Flashback.G will inject code into Safari, Skype and other network programs in order to harvest username and passwords. Fortunately, this causes the affected applications to crash, throwing a red flag to the end-user.

“It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension.” Intego researchers explained in a blog post.

Flashback.G also comes with a built-in update feature that connects to a number of remote sites in order to automatically download updates.

According to Intego, a large portion of the Macs that are infected by Flashback.G are running OS X 10.6 Snow Leopard, which has Java pre-installed. That doesn’t mean other versions of OS X are out of the question though, as the issue lies with the vulnerabilities within Java itself.

To stay safe, Mac users should make sure that they’re running the most recent version of Java and be cautious of what files they download. Also, be sure to click ‘Cancel’ if you ever see this dialog box:

Fake Java Certificate Claiming to be Signed by Apple Inc.Screenshot Credit: Intego

Considering the fact that Intego found that Flashback.G will abort the installation process if it detects the presence of a variety of antivirus programs, it may be time to install an antivirus program on your Mac if you haven’t done so already.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

No comments:

Post a Comment