Attacks/Breaches
4/16/2012
01:53 PM

Two Mac Trojans: Apple Patching Fast Enough?

Attackers behind the Flashback and SabPub malware likely reverse-engineered a Java vulnerability patched for Windows almost two months ago by Oracle.

Apple Friday released a Java security update to battle the Apple OS X malware known as Flashback.

"This Java security update removes the most common variants of the Flashback malware," according to a support document released by Apple, which recommends that all Java users install the update for Mac OS X 10.6 and 10.7. (Apple has yet to release a related security fix for any previous versions of OS X.)

Apple, which normally refuses to comment on any vulnerabilities in its products until after it's released a fix, broke with tradition by last week confirming that it was coding an OS X upgrade to nuke Flashback. According to various security firms, approximately 600,000 Macs had been infected by Flashback, which makes it the largest malware infection to ever hit OS X users.

In addition, for users of OS X 10.7, the Java security update from Apple--"Java for OS X Lion 2012-003," which includes Oracle's Java SE 6 version 1.6.0_31--doesn't just disable the malware. In fact, Apple has also configured its Java Web plug-in to stop automatically executing Java applets if it hasn't been used for 35 days. "Users may re-enable automatic execution of Java applets using the Java Preferences application," according to Apple. "If the Java Web plug-in detects that no applets have been run for an extended period of time, it will again disable Java applets."
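The inactivity rule described above (disable the plug-in after 35 days without an applet, let the user re-enable it, then disable it again if it goes unused) is a small piece of state logic. The following is an added example written for this article, not Apple's plug-in code: it models that policy with the 35-day threshold from the text and a constructed timeline of events. The class name, method names and the event timeline are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Threshold from the article: the plug-in is disabled after 35 days with no applet run.
INACTIVITY_LIMIT = timedelta(days=35)


class JavaPluginPolicy:
    """Constructed model of an inactivity-based plug-in disable policy (not Apple's code)."""

    def __init__(self, now, limit=INACTIVITY_LIMIT):
        self.limit = limit
        self.enabled = True
        self.last_activity = now  # installation/enable time counts as activity

    def applet_ran(self, now):
        # Only record use while enabled: a disabled plug-in never runs applets,
        # so a page that merely tries to load one must not keep it alive.
        if self.enabled:
            self.last_activity = now

    def user_enabled(self, now):
        # Re-enabling through Java Preferences resets the clock; without this the
        # plug-in would be switched off again at the very next check.
        self.enabled = True
        self.last_activity = now

    def check(self, now):
        """Periodic check; returns True if the plug-in is still enabled afterwards."""
        if self.enabled and now - self.last_activity > self.limit:
            self.enabled = False
        return self.enabled


def simulate():
    """Constructed timeline: returns (label, enabled) pairs after each check."""
    t0 = datetime(2012, 4, 16)
    policy = JavaPluginPolicy(t0)
    events = []
    policy.applet_ran(t0 + timedelta(days=10))
    events.append(("day 30", policy.check(t0 + timedelta(days=30))))  # 20 days idle: stays on
    events.append(("day 46", policy.check(t0 + timedelta(days=46))))  # 36 days idle: disabled
    policy.applet_ran(t0 + timedelta(days=47))                        # ignored while disabled
    events.append(("day 47", policy.check(t0 + timedelta(days=47))))  # still disabled
    policy.user_enabled(t0 + timedelta(days=50))                      # user re-enables
    events.append(("day 84", policy.check(t0 + timedelta(days=84))))  # 34 days idle: stays on
    events.append(("day 86", policy.check(t0 + timedelta(days=86))))  # 36 days idle: off again
    return events


if __name__ == "__main__":
    for label, enabled in simulate():
        print(f"{label}: plug-in {'enabled' if enabled else 'disabled'}")
```

The two design points worth noticing are that applet runs are ignored while the plug-in is disabled (otherwise a drive-by page could keep a stale runtime alive) and that a manual re-enable restarts the inactivity clock rather than leaving the old timestamp in place.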


That feature drew praise from Wolfgang Kandek, CTO of security firm Qualys. "This is exciting, and to my knowledge nobody has done something like this before. It makes total sense to me: We have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security conscious users will do so," he said in a blog post. "[Giving] the task of monitoring Java use to the computer itself is a great idea and an excellent experiment in computer security. It will be interesting to see how user acceptance of such a measure will work out."

Flashback targets a flaw in the Java Runtime Environment, which fails to fully protect its built-in sandbox. "This vulnerability is found in Java versions (up to and including) version 7 update 2, version 6 update 30, and version 5 update 33," according to a Sophos virus analysis. Interestingly, security researchers think that whoever built Flashback found the vulnerability by reverse-engineering the Windows-only fix released by Oracle in mid-February. (That Windows update is available from java.com.)
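The affected-version figures quoted from Sophos (up to and including 7 update 2, 6 update 30 and 5 update 33) translate directly into an inventory check a Mac or Windows administrator can run over `java -version` output. The following is an added example, not code from the article, Sophos or Apple: it parses version strings of the form "1.6.0_31" (the build shipped in Apple's update above) and classifies each as vulnerable, patched or unknown against those thresholds. The sample `java -version` lines are constructed for illustration, and the function and host names are assumptions.

```python
import re

# Highest still-affected update per Java family, from the Sophos figures quoted
# above: 7u2, 6u30, 5u33. A later update in the same family carries the fix.
LAST_VULNERABLE_UPDATE = {7: 2, 6: 30, 5: 33}

# Matches "1.6.0_31" on its own and inside `java -version` output such as
#   java version "1.7.0_02"
_VERSION_RE = re.compile(r'1\.(?P<family>\d+)\.0(?:_(?P<update>\d+))?')


def parse_java_version(text):
    """Return (family, update) from a version string, or None if unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    update = int(m.group("update")) if m.group("update") else 0
    return int(m.group("family")), update


def classify(text):
    """Classify one runtime as 'vulnerable', 'patched' or 'unknown'.

    Families the quoted advisory does not cover (for example an ancient 1.4
    runtime) are reported as 'unknown' rather than silently passed, so they
    show up for manual review instead of disappearing from the report.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    limit = LAST_VULNERABLE_UPDATE.get(family)
    if limit is None:
        return "unknown"
    return "vulnerable" if update <= limit else "patched"


# Constructed sample lines in the shape of `java -version` output, keyed by a
# made-up host label.
SAMPLE_OUTPUTS = {
    "lion-before-update": 'java version "1.6.0_29"',
    "lion-after-update": 'java version "1.6.0_31"',
    "windows-7u2": 'java version "1.7.0_02"',
    "windows-7u3": 'java version "1.7.0_03"',
    "old-mac-java5": 'java version "1.5.0_30"',
    "no-java": "java: command not found",
}


def inventory(outputs=SAMPLE_OUTPUTS):
    """Map each host label to its classification."""
    return {host: classify(out) for host, out in outputs.items()}


if __name__ == "__main__":
    for host, status in sorted(inventory().items()):
        print(f"{host:20s} {status}")
```

Note that a Java 6 runtime at update 31 is classed as patched only with respect to the flaw discussed here; the check says nothing about later Java advisories, which would need their own thresholds added to the table.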

That revelation is sure to raise questions over the speed with which Apple creates and releases its Java-related updates. According to Bloomberg News, for example, the Java flaw was first spotted by Dutch software engineer Jeroen Frijters in July 2011, who immediately reported it to Oracle. But while Oracle works closely with Microsoft when writing patches for Windows, Apple reportedly prefers to write patches on its own, and that adds time to the vulnerability-remediation process.

Is Flashback a one-off? Apparently not, as late last week, researchers discovered new, related malware, dubbed Sabpab or SabPub, that also targets the Java vulnerability in Apple OS X. "The Sabpab Trojan horse exploits the same drive-by Java vulnerability used to create the Flashback botnet," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

As with Flashback, the new Trojan is designed to connect infected Macs to a botnet's command and control (C&C) server. "This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks," said Costin Raiu, a security researcher at Kaspersky Lab, in a blog post. "After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user's current session and execute commands on the infected machine."

Raiu said that a "fake" infected system, set up by Kaspersky to monitor how the botnet-infected machine was communicating with its command and control server, was accessed by the botnet controllers over the weekend, meaning that the botnet remains active. "They listed the contents of the root and home folders and even stole some of the goat documents we put in there," he said. "We are pretty confident the operation of the bot was done manually--which means a real attacker, who manually checks the infected machines and extracts data from them," he said. That is further evidence that the malware was designed for targeted attacks.

In addition, Kaspersky managed to tie the botnet to six malicious Microsoft Word documents that it's seen in the wild, two of which drop the SabPub backdoor, and four of which drop the MaControl bot, which appears to be an earlier effort by the same virus writers. One key difference, however, is that MaControl didn't target the Java vulnerability exploited by Flashback and SabPub. Another is that SabPub managed to remain active for about six weeks before anyone detected it.

What's the purpose of SabPub? According to Raiu, the name of the two SabPub-dropping Microsoft Word documents (which includes a misspelling) offers a China-related clue. "The name of the file ("10th March Statemnet") is directly linked with the Dalai-Lama and Tibetan community. On March 10, 2011, the Dalai-Lama released a special statement related to Anniversary of the Tibetan People's National Uprising Day--hence the name," he said.


Comments
Andrew Hornback,
User Rank: Apprentice
4/17/2012 | 1:44:32 AM
re: Two Mac Trojans: Apple Patching Fast Enough?
The only thing that really comes to mind... Pride goeth before the fall. The "invincible" platform from Apple is showing holes in the armor and those who write malware are more than willing to take advantage of a company that seems more interested in getting more products to market (i.e. increasing their profits) as opposed to supporting users who have already purchased their products.

I've always maintained that it's the end user's (or end user's IT department's) responsibility to keep their systems secure, patched and up to date - but what happens when your vendor doesn't care about releasing patches or the security of the installed base of their systems?

Andrew Hornback
InformationWeek Contributor