Two Mac Trojans: Apple Patching Fast Enough?Attackers behind the Flashback and SabPub malware likely reverse-engineered a Java vulnerability patched for Windows almost two
months ago by Oracle.
Apple Friday released a Java security update to battle the Apple OS X malware known as Flashback.
"This Java security update removes the most common variants of the Flashback malware," according to a support document released by Apple, which recommends that all Java users install the update for Mac OS X 10.6 and 10.7. (Apple has yet to release a related security fix for any previous versions of OS X.)
Apple, which normally refuses to comment on any vulnerabilities in its products until after it's released a fix, broke with tradition by last week confirming that it was coding an OS X upgrade to nuke Flashback. According to various security firms, approximately 600,000 Macs had been infected by Flashback, which makes it the largest malware infection to ever hit OS X users.
In addition, for users of OS X 10.7, the Java security update from Apple--"Java for OS X Lion 2012-003," which includes Oracle's Java SE 6 version 1.6.0_31--doesn't just disable the malware. In fact, Apple has also configured its Java Web plug-in to stop automatically executing Java applets if it hasn't been used for 35 days. "Users may re-enable automatic execution of Java applets using the Java Preferences application," according to Apple. "If the Java Web plug-in detects that no applets have been run for an extended period of time, it will again disable Java applets."
[ Keep your corporate data safe. Consider these Security Practices From The Front Lines. ]
That feature drew praise from Wolfgang Kandek, CTO of security firm Qualys. "This is exciting, and to my knowledge nobody has done something like this before. It makes total sense to me: We have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security conscious users will do so," he said in a blog post. "[Giving] the task of monitoring Java use to the computer itself is a great idea and an excellent experiment in computer security. It will be interesting to see how user acceptance of such a measure will work out."
Flashback targets a flaw in the Java Runtime Environment, which fails to fully protect its built-in sandbox. "This vulnerability is found in Java versions (up to and including) version 7 update 2, version 6 update 30, and version 5 update 33," according to a Sophos virus analysis. Interestingly, security researchers think that whoever built Flashback found the vulnerability by reverse-engineering the Windows-only fix released by Oracle in mid-February. (That Windows update is available from java.com.)
That revelation is sure to raise questions over the speed with which Apple creates and releases its Java-related updates. According to Bloomberg News, for example, the Java flaw was first spotted by Dutch software engineer Jeroen Frijters in July 2011, who immediately reported it to Oracle. But while Oracle works closely with Microsoft when writing patches for Windows, Apple reportedly prefers to write patches on its own, and that adds time to the vulnerability-remediation process.
Is Flashback a one-off? Apparently not, as late last week, researchers discovered new, related malware, dubbed Sabpab or SabPub, that also targets the Java vulnerability in Apple OS X. "The Sabpab Trojan horse exploits the same drive-by Java vulnerability used to create the Flashback botnet," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
As with Flashback, the new Trojan is designed to add infected Macs to the command and control (C&C) server for a botnet. "This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks," said Costin Rau, a security researcher at Kaspersky Lab, in a blog post. "After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user's current session and execute commands on the infected machine."
Rau said that a "fake" infected system, set up by Kaspersky to monitor how the botnet-infected machine was communicating with its command and control server, was accessed by the botnet controllers over the weekend, meaning that it remains active. "They listed the contents of the root and home folders and even stole some of the goat documents we put in there," he said. "We are pretty confident the operation of the bot was done manually--which means a real attacker, who manually checks the infected machines and extracts data from them," he said. It's also further evidence that the malware was designed for targeted attacks.
In addition, Kaspersky managed to tie the botnet to six malicious Microsoft Word documents that it's seen in the wild, two of which drop the SabPub vulnerability, and four of which drop the MaControl bot, which appears to be an earlier effort by the same virus writers. One key difference, however, is that MaControl didn't target the Java vulnerability exploited by Flashback and SabPub. Another is that SabPub managed to remain active for about six weeks before anyone detected it.
What's the purpose of SabPub? According to Rau, the name of the two SabPub-dropping Microsoft Word documents (which include a misspelling) offer a China-related clue. "The name of the file ("10th March Statemnet") is directly linked with the Dalai-Lama and Tibetan community. On March 10, 2011, the Dalai-Lama released a special statement related to Anniversary of the Tibetan People's National Uprising Day--hence the name," he said.
Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)