ISSSource White Papers

Posts Tagged ‘Flashback’

Thursday, September 6, 2012 @ 08:09 PM gHale

Malware attacks keep growing, and the proof is that McAfee found the biggest increase in detected samples in the last four years.

McAfee Labs detected a 1.5 million increase in malware since Q1 2012 and identified new threats such as mobile “drive-by downloads,” the use of Twitter for control of mobile botnets, and the appearance of mobile “ransomware.”

Through proprietary research and investigation, McAfee Labs has seen rapid growth in its database or “zoo” of malware samples. With the malware sample discovery rate accelerating to nearly 100,000 per day, McAfee has identified key malware variants affecting a range of users globally.

“Over the last quarter we have seen prime examples of malware that impacted consumers, businesses, and critical infrastructure facilities,” said Vincent Weafer, senior vice president of McAfee Labs. “Attacks that we’ve traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile. This report highlights the need for protection on all devices that may be used to access the Internet.”

As PC malware writers master their craft, they continue to transfer their skills to other popular consumer and business platforms, such as Google’s Android OS. After the mobile malware explosion in Q1 2012, Android malware shows no signs of slowing down, putting users on high alert.

Virtually all new mobile malware detected in Q2 2012 went straight to the Android platform, and consisted of SMS-sending malware, mobile botnets, spyware and destructive Trojans.

Ransomware, steadily increasing quarter over quarter, has become a popular avenue for cybercriminals. Damage can range from loss of photos and personal files for home users to data encryption and demands for money for large enterprises. Ransomware is especially problematic as it can hold computers and data hostage, instantly damaging machines.

Botnets, networks of compromised computers infected with malicious software and used to generate spam, send viruses or cause Web servers to fail, have also taken center stage again this quarter, with infections reaching a 12-month high. With the U.S. as the global hub of botnet control servers, new methods of control have also been uncovered, including the use of Twitter for mobile botnet command and control: the attacker can tweet commands with relative anonymity, and all infected devices will follow them.

Thumb drive and password-stealing malware showed significant growth in Q2. At nearly 1.2 million new samples, the AutoRun worm spreads from thumb drives by executing code embedded in AutoRun files, repeating the process on any and all drives discovered. Password-stealing malware, at nearly 1.6 million new samples, collects account names and passwords, so an attacker can pose as the victim.

This quarter McAfee Labs recorded an average of 2.7 million new bad URLs per month. In June, these new URLs related to about 300,000 bad domains, which is equivalent to 10,000 new malicious domains every day. Of the new bad-reputation URLs, 94.2 percent host malware, exploits or code specifically designed to hijack computers.

Friday, June 15, 2012 @ 04:06 PM gHale

Apple released a Java update for OS X on the same day that Oracle patched the vulnerabilities for Windows and other operating systems.

Apple issued separate updates for OS X 10.7, aka Lion, and OS X 10.6, or Snow Leopard, that hit 11 bugs in each edition. Oracle, which maintains Java for Windows, Linux and Solaris, shipped its update to patch 14 vulnerabilities.

Of the three bugs Oracle fixed but Apple did not, two applied solely to non-Apple operating systems, Solaris and Linux. It was unclear why the third was not included in Apple’s version.

Such same-day patching had never happened before. Apple, still responsible for Java security updates for Lion and Snow Leopard, typically lags behind Oracle by weeks or even months.

That practice was a problem earlier this year when Apple’s Java update lagged behind Oracle’s by seven weeks. Hackers jumped at the opportunity, and quickly infected an estimated 600,000 Macs with the Flashback malware by exploiting a Java bug that Oracle patched but Apple had not.

Last year, the Cupertino, CA, company halted development on the OS X version of Java, and said it was handing the job off to Oracle. Lion, the version of OS X that launched in July 2011, was the first that did not include Java; users had to download and install the software themselves.

Oracle will be responsible for development, maintenance and the updates for Java for OS X as of Java SE 7 and later. Next month’s OS X 10.8, Mountain Lion, will follow in Lion’s footsteps, and not bundle Java.

As an additional defense, Apple in April issued an OS X update that disabled automatic execution of Java applets in the Java browser plug-in, and deactivated the Oracle software entirely if the user did not use it in the past 35 days.

Thursday, May 3, 2012 @ 04:05 PM gHale

Flashback’s latest version hitting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in case the normal C&C system isn’t available.

While this is not the first time a botnet has used Twitter for command and control, it is one way attackers keep trying to stay one step ahead of their potential victims. It is also a case where users need to remain vigilant and remember that today’s defense may not apply tomorrow.

The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users’ Web search traffic and push it to servers they control. The second tier of servers sends commands to the infected machines to perform specific actions on the Macs.

When infected Macs connect to the second type of C&C server, if they don’t receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string, according to analysts at Dr. Web, a Russian security firm that has been following the Flashback case closely.

“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using For example, some Trojan versions generate a string of the “rgdgkpshxeoa” format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will end up used as a domain name. Dr. Web began to take over domains of this category on April 13, but on the following day, April 14, the Twitter account registered by Dr. Web analysts for this purpose was blocked,” the company said.
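As an added example, not code from the article, from Dr. Web, or from Flashback itself, the following Python helper shows the defender's side of the fallback channel described above: given a batch of tweets, it keeps those carrying the hashtag the bots are known to search for on a given day and pulls out any control-server hostname enclosed in the bumpbegin/endbump tags. The page does not describe how the date is turned into the hashtag, so the hashtag is an input rather than something the code derives; the sample tweets and the hostnames in them are constructed.

```python
import re
from typing import List, Optional

# Tag format reported by Dr. Web: the control server address sits between
# the literal strings "bumpbegin" and "endbump".
_TAG_RE = re.compile(r"bumpbegin(.*?)endbump", re.DOTALL)

# Conservative hostname check so a sinkhole operator never acts on junk
# (whitespace, URLs with paths, empty tags) pulled from arbitrary tweets.
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def extract_control_server(tweet_text: str) -> Optional[str]:
    """Return the hostname enclosed in bumpbegin/endbump tags, or None."""
    m = _TAG_RE.search(tweet_text)
    if not m:
        return None
    candidate = m.group(1).strip().lower()
    return candidate if _HOST_RE.match(candidate) else None


def scan_tweets(tweets: List[str], expected_hashtag: str) -> List[str]:
    """Filter tweets the way a sinkhole operator would: keep only those that
    carry the hashtag the bots search for on this date, and return the
    sorted set of control-server hostnames those tweets advertise."""
    found = set()
    tag = "#" + expected_hashtag.lower()
    for text in tweets:
        if tag not in text.lower():
            continue              # not aimed at the bots; ignore it
        host = extract_control_server(text)
        if host:
            found.add(host)
    return sorted(found)


# Constructed sample tweets (not real Flashback traffic). The hashtag
# rgdgkpshxeoa is the one the article gives for 13 April 2012.
SAMPLE_TWEETS = [
    "#rgdgkpshxeoa bumpbeginsinkhole.example.netendbump",
    "#rgdgkpshxeoa bumpbegin not a hostname at all endbump",   # rejected
    "unrelated chatter bumpbeginother.example.orgendbump",     # no hashtag
    "#RGDGKPSHXEOA bumpbegin C2.Example.com endbump",          # case-insensitive
]

if __name__ == "__main__":
    print(scan_tweets(SAMPLE_TWEETS, "rgdgkpshxeoa"))
```

Everything between the tags is validated as a bare hostname before it is returned, which is the same discipline a sinkhole operator needs in practice: the search is public, so anyone can post tagged tweets, and only a well-formed domain should ever be queued for takeover or blocking.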

Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond.

Flashback is by no means the first piece of Mac malware, or even the most inventive, but it is the most successful. The malware infected several hundred thousand machines over the course of the last six months.

There are a number of different versions of Flashback circulating but the one that’s caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is going out in drive-by download attacks, which is a classic attack method for Windows vulnerabilities but has not been a big vector in the Mac world.

Tuesday, May 1, 2012 @ 05:05 PM gHale

Nearly two-thirds of the Macs infected by Flashback are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said.

Doctor Web, which first reported the malware attack earlier this month, mined data intercepted from compromised computers to come up with its findings.

The company, along with other security vendors, has been “sinkholing” select command-and-control (C&C) domains used by the Flashback botnet — hijacking them before the hackers could use the domains to issue orders or update their attack code — to both estimate the botnet’s size and disrupt its operation.

Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet’s massive size.

Flashback used a critical vulnerability in Java to worm its way onto Macs. Although Apple, which continues to maintain Java for its OS X users, patched the bug in early April, it did so seven weeks after Oracle disclosed the flaw when it shipped Java updates for Windows and Linux.

It is no surprise 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple’s operating system that comes with Java.

Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.

Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.

Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.

Last month, Leopard powered 13.6% of all Macs.

But while Snow Leopard’s and Leopard’s infection rates are higher than their usage shares, the opposite’s true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.

That disparity seems to validate Apple’s 2010 decision to stop bundling the software with OS X. Lion was the first to omit Java, although users have been free to download and install it themselves.

Friday, April 27, 2012 @ 04:04 PM gHale

A new form of Java malware has a multifaceted approach as it can infect Apple and Windows machines, Symantec said.

A strain of Java Applet malware either drops a Python-based malware in Mac operating systems or an executable-form of malware in Windows computers, said Symantec researcher Takashi Katsuki. If opened, either form of malware could launch a Trojan that could trigger a back door on the computer, regardless of the platform.

The malware exploits the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download the malware.

The Mac back door Trojan can currently only control polling times, or “how many times it gets commands from the server at certain time intervals,” Symantec said. If enabled however, the Trojan can also download files, list files and folders, open a remote shell, sleep or upload files.

The Trojan for Windows can send information about the infected computer and disk, its memory usage, OS version and user name, in addition to downloading and executing files and opening shells to receive commands.

The news of this malware comes on the heels of Flashback and SabPub, two forms of malware that have been targeting Mac users throughout the first quarter via another vulnerability in Java.

The vulnerability CVE-2012-0507, an older Java flaw just blocked by Mozilla’s Firefox, saw use by some Flashback variants earlier this month, before Apple patched it.

Thursday, April 26, 2012 @ 12:04 AM gHale

Contrary to popular reports, the Flashback botnet is not shrinking, said the Russian antivirus firm that first reported the massive infection three weeks ago.

Dr. Web, which was the first to report the largest-ever successful malware attack against Apple’s OS X, said the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.

Also on Friday, Liam O Murchu, manager of operations at Symantec’s security response center, confirmed Dr. Web’s numbers were correct.

Both Dr. Web’s tally and its contention that infections are ongoing flew in the face of other antivirus companies’ assertions. Kaspersky Lab and Symantec, which have each “sinkholed” select domains — hijacked them before the hackers could use them to issue orders to compromised machines — used those domains to count the Macs that try to communicate with the malware’s command-and-control centers.

Earlier this week, Symantec said the Flashback botnet had shrunk by 60% and was down to 142,000 machines. Kaspersky claimed its count registered only 30,000 infected Macs.

Not even close, said Dr. Web: “The number is still around 650,000.”

On April 16, the company continued, 595,000 different Macs registered on the botnet, while the next day, April 17, the count was over 582,000.

Symantec’s O Murchu said Dr. Web is right.

“We’ve been talking with them about the discrepancies in our numbers and theirs,” O Murchu said. “We now believe that their analysis is accurate, and that it explains the discrepancies.”

When asked for comment, Kaspersky Lab said it was looking into the matter.

According to Dr. Web, counts by others were incorrect because of how the malware calculates the locations of command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.

Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month, and after an infected Mac asks those servers — controlled by Dr. Web — for instructions, they then reach out to another domain.

Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.

But Dr. Web did know what happens next in Flashback’s complex communication scheme.

“This server communicates with bots but doesn’t close a TCP connection,” wrote Dr. Web. “As [a] result, bots switch to the stand-by mode and wait for the server’s reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec].”

Wednesday, April 25, 2012 @ 10:04 PM gHale

The Flashback Trojan that infected 600,000 Apple Macs earlier this month still has a very high infection rate, despite the fact Apple already patched the Java vulnerability and released a removal tool.

On top of that, a new Flashback variant installs without prompting the user for a password, said security firm Intego.

This version, which Intego refers to as Flashback.S, places its files in the user’s home folder, at the following locations:
• ~/Library/LaunchAgents/
• ~/.jupdate

Once Flashback.S installs itself, it then deletes all files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac. By doing this, it is able to avoid detection or sample recovery, according to the security firm.
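As an added example (it is not Intego’s tool and not code from the article), the Python check below looks at one user’s home folder for the three traces the article attributes to Flashback.S: the ~/.jupdate file, something in ~/Library/LaunchAgents/ that launches it, and an emptied ~/Library/Caches/Java/cache. The article does not say what the dropped launch agent is called, so the code assumes only that such a plist mentions .jupdate in its text; the demo home folder, the plist name com.example.jupdate.plist and the marker file contents are constructed.

```python
import json
import tempfile
from pathlib import Path

# Locations named by Intego for Flashback.S (taken from the article).
JUPDATE = ".jupdate"
LAUNCH_AGENTS = "Library/LaunchAgents"
JAVA_CACHE = "Library/Caches/Java/cache"


def check_home(home) -> dict:
    """Report Flashback.S-style indicators under a single home directory.

    Returns a dict rather than printing so the result can be collected
    fleet-wide. Only the paths the article names are examined; this is a
    spot check, not a general malware scanner."""
    h = Path(home)
    agents_dir = h / LAUNCH_AGENTS
    cache_dir = h / JAVA_CACHE

    # Assumption (not stated on the page): the file in LaunchAgents is a
    # per-user launch agent whose plist references .jupdate, so any plist
    # whose text mentions that name is worth a closer look.
    suspicious_agents = []
    if agents_dir.is_dir():
        for plist in sorted(agents_dir.glob("*.plist")):
            try:
                text = plist.read_text(errors="replace")
            except OSError:
                continue
            if JUPDATE in text:
                suspicious_agents.append(plist.name)

    # An empty Java cache is weak evidence on its own (Java may simply be
    # unused), but the article says Flashback.S wipes it to hinder sample
    # recovery, so it is reported beside the stronger indicators.
    cache_wiped = cache_dir.is_dir() and not any(cache_dir.iterdir())

    report = {
        "jupdate_present": (h / JUPDATE).exists(),
        "suspicious_agents": suspicious_agents,
        "java_cache_wiped": cache_wiped,
    }
    report["infected_likely"] = report["jupdate_present"] or bool(suspicious_agents)
    return report


def demo(infected: bool = True) -> dict:
    """Build a constructed (fake) home folder in a temp directory, with or
    without the indicators, run the check over it and return the report."""
    tmp = Path(tempfile.mkdtemp(prefix="flashback_demo_"))
    agents = tmp / LAUNCH_AGENTS
    cache = tmp / JAVA_CACHE
    agents.mkdir(parents=True)
    cache.mkdir(parents=True)
    if infected:
        # Marker file only; contains no executable content of any kind.
        (tmp / JUPDATE).write_bytes(b"constructed marker, not real malware")
        (agents / "com.example.jupdate.plist").write_text(
            "<plist><dict><key>ProgramArguments</key><array>"
            "<string>/Users/victim/.jupdate</string></array></dict></plist>"
        )
        # cache directory exists but is empty: the "wiped" condition
    else:
        (agents / "com.example.benign.plist").write_text("<plist><dict/></plist>")
        (cache / "applet.idx").write_bytes(b"constructed cache entry")
    return check_home(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine the call would be check_home(Path.home()), and the report is deliberately split into separate fields so that the weak cache signal can be logged without by itself tripping an alert.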

This recent variant is interesting compared to the one found two months ago. That one asks for administrative privileges, but does not require them. If you give it permission, it will install itself into the Applications folder where it will silently hook itself into Firefox and Safari, and launch whenever you open one of the two browsers. If you don’t give it permission, it will install itself to the user accounts folder, where it can run in a more global manner, launching itself whenever any application launches, but it is easier to detect.

Researchers first found Flashback in September 2011 masquerading as a fake Adobe Flash Player installer. A month later, a variant that disables Mac OS X antivirus signatures updates was in the wild.

In the past few months, Flashback evolved to exploiting Java vulnerabilities. This means it doesn’t require any user intervention if the user did not patch Java on his Mac. All a user has to do is visit a malicious website, and the malware will automatically download and install.

Meanwhile, two other Mac-specific Trojans are out there: One exploits Java and another exploits Microsoft Word. Security firm Kaspersky confirmed what many have been saying for years: As Macs are becoming more popular, malware writers are increasingly targeting them.

Monday, April 23, 2012 @ 08:04 AM gHale

The Mac OS X Flashback botnet spread via drive-by downloads on hacked WordPress web sites.

From September 2011 until February 2012, the Flashback creators distributed the Trojan through compromised WordPress sites that prompted users to download various iterations of a fake Adobe Flash Player update that was, in actuality, the Mac Trojan, according to Kaspersky Lab analysis.

The attacks started with social engineering lures; it wasn’t until February that the Flashback authors began using exploits to grow the botnet. They exploited known Java vulnerabilities, at least two of which date back as far as June 2009. More importantly, though, Flashback’s creators took advantage of the window of exposure between Oracle’s and Apple’s patch schedules.

Apple creates its own patches to fix Java vulnerabilities instead of using Oracle’s, said Kaspersky’s Alex Gostev. So, Oracle already patched the bugs, but Apple had not yet deployed its own fixes. Gostev said on average, historically speaking, there is a two-month delay between Oracle’s fixes, which come first, and Apple’s.

In March 2012, Flashback’s authors started making use of a Russian partner program that somehow injected redirect scripts into legitimate websites.

Gostev said tens of thousands of WordPress sites suffered hits in late February and early March and noted other estimates have the number as high as 100,000 infected sites. It’s unclear how the sites became infected, but Gostev believes bloggers were either using vulnerable versions of WordPress or had installed the ToolsPack plugin.

Friday, April 20, 2012 @ 03:04 PM gHale

Apple users are next: Mozilla is blocking the Java plugin in Firefox running on Mac OS X 10.5 and earlier, as those operating systems will not be getting an update to the Java installed on them.

The move comes two weeks after Mozilla blocklisted older versions of Java on Windows which had the flaw the Flashback Trojan and other malware exploited.

Mac OS X systems 10.5 and older will not be getting a Java update from Apple and this has meant that Mozilla now feels comfortable adding all Java versions on those OS versions to the blocklist.

But for 10.6 and later, the story is different: Apple has released updates which remove the vulnerability for those systems but, according to Mozilla’s Add-Ons blog, there is a bug in Firefox 11 that causes it to ignore updates and keep reporting that an old version is running.

This would, in turn, mean that if the blocklist were updated for 10.6 and later, it would most likely block the Java plugin on non-vulnerable systems. The bug should be fixed in Firefox 12, which releases April 24; expect the blocklist to update shortly after that.

The blocking applied is a “soft block” and a user can override it by going to Tools -> Add-ons -> Plugins and clicking on the enable button for the Java plugin; this should only occur where the user knows they will not be visiting any sites where Java-based malware is present though. Users can, of course, use the same window to disable the Java plugin too, a path recommended by security experts.

Thursday, April 19, 2012 @ 03:04 PM gHale

Flashback malware is on the decline for Mac machines.

Software maker and security firm Symantec lowered its estimate of machines that still have the malware to 140,000, which is down from estimates of more than 600,000 less than two weeks ago. Even with that good news, Symantec was not jumping for joy as they were expecting an even lower total.

“The statistics from our sinkhole are showing declining numbers on a daily basis. However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case,” the company said.

The lowered expectations were due, in part, to Apple releasing two separate software tools to users last week that both detect and remove the malware. Additionally, ahead of those official tools, Symantec and security firms F-Secure and Kaspersky released their own detection and removal software.

Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnation, the software used a security loophole to install itself without user interaction.

After Russian antivirus company Dr. Web found it earlier this month, several other security firms verified the malware’s prevalence. Last week Symantec estimated around 270,000 machines suffered from the infection on a worldwide basis.

The malware targeted a vulnerability in Java, making it a cross-platform threat (meaning it could affect PC users). Nonetheless, estimates — particularly one from Kaspersky Lab earlier this month — pegged more than 98 percent of those infected as running Apple’s OS X, due in no small part to the vulnerability having been patched for other platforms first.