Posts Tagged ‘Flashback’
Thursday, September 6, 2012 @ 08:09 PM gHale
Malware attacks keep growing, and McAfee's latest quarterly report found the biggest increase in detected samples in the last four years.
McAfee Labs detected a 1.5 million increase in malware since Q1 2012 and identified new threats such as mobile “drive-by downloads,” the use of Twitter for control of mobile botnets, and the appearance of mobile “ransomware.”
Through proprietary research and investigation, McAfee Labs has seen rapid growth in its database or “zoo” of malware samples. With the malware sample discovery rate accelerating to nearly 100,000 per day, McAfee has identified key malware variants affecting a range of users globally.
“Over the last quarter we have seen prime examples of malware that impacted consumers, businesses, and critical infrastructure facilities,” said Vincent Weafer, senior vice president of McAfee Labs. “Attacks that we’ve traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile. This report highlights the need for protection on all devices that may be used to access the Internet.”
As PC malware writers master their craft, they continue to transfer their skills to other popular consumer and business platforms, such as Google’s Android OS. After the mobile malware explosion in Q1 2012, Android malware shows no signs of slowing down, putting users on high alert.
Virtually all new mobile malware detected in Q2 2012 went straight to the Android platform, and consisted of SMS-sending malware, mobile botnets, spyware and destructive Trojans.
Ransomware, steadily increasing quarter over quarter, has become a popular avenue for cybercriminals. Damage can range from loss of photos and personal files for home users to data encryption and demands for money for large enterprises. Ransomware is especially problematic because it holds computers and data hostage, rendering a machine unusable the moment it runs.
Botnets, networks of compromised computers infected with malicious software and used to generate spam, send viruses or cause Web servers to fail, have also taken center stage again this quarter, with infections reaching a 12-month high. With the U.S. the global hub of botnet control servers, new control methods have also been uncovered, including the use of Twitter for mobile botnet command and control: the attacker tweets commands with relative anonymity and every infected device that reads the feed follows them.
Thumb drive and password-stealing malware showed significant growth in Q2. At nearly 1.2 million new samples, the AutoRun worm spreads from thumb drives by executing code embedded in AutoRun files, repeating the process on any and all drives discovered. Password-stealing malware, at nearly 1.6 million new samples, collects account names and passwords, so an attacker can pose as the victim.
This quarter McAfee Labs recorded an average of 2.7 million new bad URLs per month. In June, these new URLs related to about 300,000 bad domains, which is equivalent to 10,000 new malicious domains every day. Of the new bad-reputation URLs, 94.2 percent host malware, exploits or code specifically designed to hijack computers.
Thursday, May 3, 2012 @ 04:05 PM gHale
Flashback’s latest version hitting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback channel in case the normal C&C system isn’t available.
This is not the first time a botnet has used Twitter for command and control, but it is one more way attackers try to stay a step ahead of their potential victims. It is also a reminder that users need to remain vigilant: today’s defense may not apply tomorrow.
The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users’ Web search traffic and push it to servers they control. The second tier of servers sends commands to the infected machines to perform specific actions on the Macs.
When infected Macs connect to the second type of C&C server, if they don’t receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string, according to analysts at Dr. Web, a Russian security firm that has been following the Flashback case closely.
“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=
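The fallback channel Dr. Web describes is a date-seeded rendezvous: bot and operator both derive the day's hashtag from the calendar, so no fixed domain has to survive takedown. The page does not give Flashback's actual routine, so the example below is an added illustration (not Flashback's, Dr. Web's or anyone's production code) in which the seed layout, the salt and the hash are assumptions. It shows both sides of the same property: the bot accepts a command only from a tweet carrying today's tag, and a defender who has recovered the routine can precompute the coming days' tags and watch, or register, them before the operator does.

```python
"""Illustrative date-seeded hashtag channel, bot side and defender side.

Added example; not Flashback's or Dr. Web's code. The page says only that the
Trojan derives a hashtag from the current date, so the seed layout, the salt
and the hash below are assumptions. What it shows is the consequence of that
design: the tag is a pure function of the date, so anyone who recovers the
routine can enumerate the coming days' tags, watch or register them, and read
the same feed the bots do.
"""
import hashlib
import re
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SALT = b"assumed-per-sample-salt"  # assumption: a constant baked into the sample


def hashtag_for(day_iso: str, salt: bytes = SALT) -> str:
    """Map a calendar day ("YYYY-MM-DD") to a hashtag; same day, same tag."""
    day = date.fromisoformat(day_iso)
    digest = hashlib.sha256(day.strftime("%Y%m%d").encode() + salt).hexdigest()
    # letters only, so the token survives Twitter's hashtag tokenisation
    letters = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    return "#" + letters


def watchlist(start_iso: str, days: int) -> Dict[str, str]:
    """Defender side: precompute tag -> day for the next `days` days."""
    start = date.fromisoformat(start_iso)
    out = {}
    for n in range(days):
        day = (start + timedelta(days=n)).isoformat()
        out[hashtag_for(day)] = day
    return out


_CMD = re.compile(r"\bcmd:([A-Za-z0-9_:/.\-]+)")  # assumed command syntax


def extract_command(tweet: str, today_iso: str) -> Optional[str]:
    """Bot side: take a command only from a tweet that carries today's tag."""
    if hashtag_for(today_iso) not in tweet.split():
        return None
    m = _CMD.search(tweet)
    return m.group(1) if m else None


def flag_tweets(tweets: List[str], watch: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Defender side: (tag, day, tweet) for every tweet carrying a watched tag."""
    hits = []
    for tweet in tweets:
        for token in tweet.split():
            if token in watch:
                hits.append((token, watch[token], tweet))
    return hits


if __name__ == "__main__":
    today = "2012-04-13"                       # constructed date
    tag = hashtag_for(today)
    feed = [                                   # constructed tweets
        f"spring sale {tag} cmd:update",
        "unrelated #mac post",
        f"{hashtag_for('2012-04-14')} cmd:sleep",
    ]
    print(tag, "->", extract_command(feed[0], today))
    for hit in flag_tweets(feed, watchlist(today, 7)):
        print(hit)
```

The defender-side functions are the point: once the generation routine is known, the rendezvous points are predictable for as far ahead as the analyst cares to compute, which is what let researchers sinkhole Flashback's domains and what makes a public social network a weak hiding place for C&C.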
Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond.
Flashback is by no means the first piece of Mac malware, or even the most inventive, but it is the most successful. The malware infected several hundred thousand machines over the course of the last six months.
There are a number of different versions of Flashback circulating but the one that’s caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is going out in drive-by download attacks, which is a classic attack method for Windows vulnerabilities but has not been a big vector in the Mac world.
Tuesday, May 1, 2012 @ 05:05 PM gHale
Nearly two-thirds of the Macs infected by Flashback are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said.
Doctor Web, which first reported the malware attack earlier this month, mined data intercepted from compromised computers to come up with its findings.
The company, along with other security vendors, has been “sinkholing” select command-and-control (C&C) domains used by the Flashback botnet — hijacking them before the hackers could use the domains to issue orders or update their attack code — to both estimate the botnet’s size and disrupt its operation.
Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet’s massive size.
Flashback used a critical vulnerability in Java to worm its way onto Macs. Although Apple, which continues to maintain Java for its OS X users, patched the bug in early April, it did so seven weeks after Oracle disclosed the flaw when it shipped Java updates for Windows and Linux.
It is no surprise that 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple’s operating system that ships with Java.
Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.
Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.
Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.
Last month, Leopard powered 13.6% of all Macs.
But while Snow Leopard’s and Leopard’s infection rates are higher than their usage shares, the opposite’s true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.
That disparity seems to validate Apple’s 2010 decision to stop bundling the software with OS X. Lion was the first to omit Java, although users have been free to download and install it themselves.
Friday, April 27, 2012 @ 04:04 PM gHale
A new form of Java malware has a multifaceted approach as it can infect Apple and Windows machines, Symantec said.
A strain of Java Applet malware either drops a Python-based malware in Mac operating systems or an executable-form of malware in Windows computers, said Symantec researcher Takashi Katsuki. If opened, either form of malware could launch a Trojan that could trigger a back door on the computer, regardless of the platform.
The malware exploits the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download the malware.
The Mac back door Trojan can currently only control polling times, or “how many times it gets commands from the server at certain time intervals,” Symantec said. If enabled however, the Trojan can also download files, list files and folders, open a remote shell, sleep or upload files.
The Trojan for Windows can send information about the infected computer and disk, its memory usage, OS version and user name, in addition to downloading and executing files and opening shells to receive commands.
The news of this malware comes on the heels of Flashback and SabPub, two forms of malware that have been targeting Mac users throughout the first quarter via another vulnerability in Java.
The vulnerability CVE-2012-0507, an older Java flaw that Mozilla’s Firefox recently started blocking, was used by some Flashback variants earlier this month, before Apple patched it.
Thursday, April 26, 2012 @ 12:04 AM gHale
Contrary to popular reports, the Flashback botnet is not shrinking, said the Russian antivirus firm that first reported the massive infection three weeks ago.
Dr. Web, which was the first to report the largest-ever successful malware attack against Apple’s OS X, said the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.
On Friday, Liam O Murchu, manager of operations at Symantec’s security response center, confirmed Dr. Web’s numbers were correct.
Both Dr. Web’s tally and its contention that infections are ongoing flew in the face of other antivirus companies’ assertions. Kaspersky Lab and Symantec, which have each “sinkholed” select domains — hijacked them before the hackers could use them to issue orders to compromised machines — used those domains to count the Macs that try to communicate with the malware’s command-and-control centers.
Earlier this week, Symantec said the Flashback botnet had shrunk by 60% and was down to 142,000 machines. Kaspersky claimed its count registered only 30,000 infected Macs.
Not even close, said Dr. Web. “The number is still around 650,000.”
On April 16, the company said, 595,000 distinct Macs registered with the botnet, and on April 17 the count was over 582,000.
Symantec’s O Murchu said Dr. Web is right.
“We’ve been talking with them about the discrepancies in our numbers and theirs,” O Murchu said. “We now believe that their analysis is accurate, and that it explains the discrepancies.”
When asked for comment, Kaspersky Lab said it was looking into the matter.
According to Dr. Web, the other counts were wrong because of how the malware calculates the locations of its command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.
Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month; after an infected Mac asks those servers, now controlled by Dr. Web, for instructions, it then reaches out to another domain.
Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.
But Dr. Web did know what happens next in Flashback’s complex communication scheme.
“This server communicates with bots but doesn’t close a TCP connection,” wrote Dr. Web. “As [a] result, bots switch to the stand-by mode and wait for the server’s reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec].”
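Dr. Web's explanation turns on a detail of how the bot walks its C&C list: it opens a TCP connection, sends its request and waits for a reply with no read timeout. A server that accepts the connection and then neither answers nor closes therefore parks the bot forever, and the sinkholes further down the list (the ones Kaspersky and Symantec were counting from) never see it. The following is an added example modelling that behaviour on localhost; it is not code from Dr. Web, Symantec, Kaspersky or the malware. The request format, the `id` query parameter the bot uses to identify itself, the order of the C&C list and the timeout values are all assumptions.

```python
"""Why a sinkhole that never answers stalls a bot's whole C&C loop.

Added example; not code from Dr. Web, Symantec, Kaspersky or Flashback.
HoldingSinkhole models the server in the quote: it reads the request and then
neither replies nor closes. CountingSinkhole models the researchers' counting
sinkholes: it answers and records each distinct bot id. poll_cnc is the bot's
loop over its C&C list. With timeout=None the bot blocks on the holding server
and never reaches the counting one; with a timeout it falls through.
"""
import socket
import threading
from urllib.parse import parse_qs, urlsplit


def _serve(handler):
    """Listen on a free localhost port; run handler(conn) per client in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


class HoldingSinkhole:
    """Accepts the bot's request, then neither replies nor closes the socket."""

    def __init__(self):
        self.held = []               # keep sockets referenced so no FIN is sent
        self.sock, self.port = _serve(self._handle)

    def _handle(self, conn):
        conn.recv(4096)              # consume the request ...
        self.held.append(conn)       # ... and leave the bot waiting for a reply


class CountingSinkhole:
    """Answers with an empty command and records each distinct bot id it sees."""

    def __init__(self):
        self.seen = set()
        self._lock = threading.Lock()
        self.sock, self.port = _serve(self._handle)

    def _handle(self, conn):
        req = conn.recv(4096).decode(errors="replace")
        request_line = req.split("\r\n", 1)[0]        # "GET /cmd?id=... HTTP/1.0"
        parts = request_line.split(" ")
        if len(parts) >= 2:
            bot_id = parse_qs(urlsplit(parts[1]).query).get("id", [""])[0]
            if bot_id:
                with self._lock:
                    self.seen.add(bot_id)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        conn.close()


def poll_cnc(bot_id, cnc_list, timeout):
    """Bot side: try each (host, port) in order; return the index of the first
    server that answers, or None. timeout=None means no read timeout, so a
    holding sinkhole blocks this call indefinitely (the behaviour in the quote).
    """
    request = f"GET /cmd?id={bot_id} HTTP/1.0\r\nHost: cnc\r\n\r\n".encode()  # assumed format
    for idx, (host, port) in enumerate(cnc_list):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(request)
                data = s.recv(4096)
        except OSError:              # includes socket.timeout: move to next C&C
            continue
        if data:
            return idx
    return None


if __name__ == "__main__":
    hold, count = HoldingSinkhole(), CountingSinkhole()
    cncs = [("127.0.0.1", hold.port), ("127.0.0.1", count.port)]
    print("with timeout:", poll_cnc("bot-a", cncs, timeout=0.5))   # reaches index 1
    print("counted ids:", count.seen)
    # poll_cnc("bot-b", cncs, timeout=None) would never return.
```

A counting sinkhole only ever sees bots that get past everything ahead of it in the list, so the number it reports is a lower bound that depends on what the earlier servers do. The check a practitioner would want before trusting such a count is exactly the one above: walk the bot's C&C order and confirm that each earlier endpoint either answers or closes.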
Wednesday, April 25, 2012 @ 10:04 PM gHale
The Flashback Trojan that infected 600,000 Apple Macs earlier this month still has a very high infection rate, despite the fact Apple already patched the Java vulnerability and released a removal tool.
On top of that, a new Flashback variant installs without prompting the user for a password, security firm Intego said.
This version, which Intego refers to as Flashback.S, places its files in the user’s home folder, at the following locations:
Once Flashback.S installs itself, it then deletes all files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac. By doing this, it is able to avoid detection or sample recovery, according to the security firm.
This recent variant is interesting compared to the one found two months ago. That one asks for administrative privileges, but does not require them. If you give it permission, it will install itself into the Applications folder where it will silently hook itself into Firefox and Safari, and launch whenever you open one of the two browsers. If you don’t give it permission, it will install itself to the user accounts folder, where it can run in a more global manner, launching itself whenever any application launches, but it is easier to detect.
Researchers first found Flashback in September 2011 masquerading as a fake Adobe Flash Player installer. A month later, a variant that disables Mac OS X antivirus signatures updates was in the wild.
In the past few months, Flashback evolved to exploiting Java vulnerabilities. This means it requires no user intervention if Java on the Mac is unpatched: all a user has to do is visit a malicious website, and the malware downloads and installs automatically.
Meanwhile, two other Mac-specific Trojans are out there: One exploits Java and another exploits Microsoft Word. Security firm Kaspersky confirmed what many have been saying for years: As Macs are becoming more popular, malware writers are increasingly targeting them.
Thursday, April 19, 2012 @ 03:04 PM gHale
Flashback malware is on the decline for Mac machines.
Software maker and security firm Symantec lowered its estimate of machines that still have the malware to 140,000, down from estimates of more than 600,000 less than two weeks ago. Even with that good news, Symantec was not celebrating: it had expected an even lower total.
“The statistics from our sinkhole are showing declining numbers on a daily basis. However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case,” the company said.
Symantec had expected a steeper decline in part because Apple released two separate software tools to users last week that both detect and remove the malware. Additionally, ahead of those official tools, Symantec and security firms F-Secure and Kaspersky released their own detection and removal software.
Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnation, the software used a security loophole to install itself without user interaction.
After Russian antivirus company Dr. Web found it earlier this month, several other security firms verified the malware’s prevalence. Last week Symantec estimated around 270,000 machines suffered from the infection on a worldwide basis.
The malware targeted a vulnerability in Java, making it a cross-platform threat (it could also affect PC users). Nonetheless, estimates, notably one from Kaspersky Lab earlier this month, pegged more than 98 percent of infected machines as running Apple’s OS X, in no small part because the vulnerability was patched for other platforms first.