Mac - over 600,000 infected machines
#17
I don't know... I'm not familiar with the Mac, but this new Flashback doesn't seem to me to be that "simple to operate"... According to the descriptions of how it works, this trojan does not require privileges, although it may ask for them. From what I've read it is not just one trojan - it has several variants and, accordingly, somewhat different behaviour. Intego writes the following on its blog (emphasis mine):
Quote: This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.
(...)
It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won’t have to launch any other software to allow the installation to take place.


Cnet, meanwhile, has a new article on the subject, looking at the infection mechanism:
Quote:
First step: Exploiting Java
When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system (...)

Second step: Downloading the payload
When the jupdate program executes, it will connect to a remote server and download a payload program that is the malware itself, and which consists of two components. The first is the main part of the malware that performs the capture and upload of personal information, and the second is a filter component that is used to prevent the malware from running unless specific programs like Web browsers are being used.

Third step: Infection
Once the malware and the filter are downloaded, the malware is run to infect the system. This is where users will see an alert about a software update and will be prompted to supply their passwords. Unfortunately at this point there is nothing to stop the infection, and whether or not a password is supplied only changes the mode of infection.

The first mode of infection is if a password is supplied, in which case the malware alters the Info.plist files in Safari and Firefox to run the malware whenever these programs are opened. This is the malware's preferred mode of infection, but if a password is not supplied, then the malware resorts to its second mode of infection, where it alters the "environment.plist" file.

By using the environment.plist file, the malware will run whenever any application is opened, and this will lead to crashes and other odd behavior that might cause alarm to the user, so the malware then uses its filter component to only run when certain applications are launched, such as Safari, Firefox, Skype, and even Office installations.

Either way, once downloaded the malware will infect the system using one of these approaches and will run whenever target applications like Web browsers are used. In more recent variants of the malware, when installed using the "environment.plist" file it will further check the system to ensure complete installations of programs such as Office or Skype are present, and potentially delete itself if these programs are not fully or properly installed. F-Secure speculates this is an attempt to prevent early detection of the malware.

Full article


"Security is a journey, not a destination - it is not a problem that can be solved once and for all"
"Trust is not a control, and hope is not a strategy"
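The quoted articles name three places where this Flashback variant leaves traces: a hidden dropper in the user's home directory, a LaunchAgent plist that keeps relaunching it, and an "altered" Info.plist (Safari/Firefox) or ~/.MacOSX/environment.plist. The script below is an added triage example, not code from the post, Intego, CNET or F-Secure. It checks those locations against a constructed fixture so it runs on any OS; on a Mac you would point it at the real home directory and /Applications. One assumption not spelled out in the quoted text: that the plist alteration is an injected DYLD_INSERT_LIBRARIES value, which is how a library gets loaded into every launch of an application. The file names and paths in the fixture are constructed stand-ins, not real malware.

```python
"""Triage scan for Flashback-style persistence artefacts (added example)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Names quoted in the CNET excerpt above.
DROPPER_NAMES = {".jupdate", ".mkeeper", ".flserv", ".null", ".rserv"}
AGENT_NAMES = {"com.java.update.plist", "com.adobe.reader.plist",
               "com.adobe.flp.plist", "null.plist"}
# Assumption (not stated in the excerpt): the plist edits inject this variable.
INJECT_KEY = "DYLD_INSERT_LIBRARIES"


def _load_plist(path):
    """Parse an XML or binary plist; return None if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:
        return None


def scan_launch_agents(home):
    """Flag agents by the quoted names, or any agent whose program is a hidden file."""
    findings = []
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        data = _load_plist(plist)
        if data is None:
            findings.append(("agent-unparsable", str(plist)))
            continue
        args = data.get("ProgramArguments") or []
        program = data.get("Program") or (args[0] if args else "")
        base = os.path.basename(program)
        if plist.name in AGENT_NAMES or base in DROPPER_NAMES:
            findings.append(("agent-known-name", f"{plist.name} -> {program}"))
        elif base.startswith(".") and (data.get("RunAtLoad") or data.get("KeepAlive")):
            findings.append(("agent-hidden-program", f"{plist.name} -> {program}"))
    return findings


def scan_hidden_droppers(home):
    """Hidden, executable regular files directly under the home directory."""
    findings = []
    for entry in sorted(home.iterdir()):
        if entry.name.startswith(".") and entry.is_file() and os.access(entry, os.X_OK):
            kind = "dropper-known-name" if entry.name in DROPPER_NAMES else "dropper-hidden-exec"
            findings.append((kind, str(entry)))
    return findings


def scan_dyld_injection(home, app_dirs):
    """Second-stage persistence: injected library via environment.plist or an app's Info.plist."""
    findings = []
    env = _load_plist(home / ".MacOSX" / "environment.plist")
    if env and INJECT_KEY in env:
        findings.append(("environment-plist-inject", env[INJECT_KEY]))
    for app in app_dirs:
        info = _load_plist(app / "Contents" / "Info.plist")
        lsenv = (info or {}).get("LSEnvironment") or {}
        if INJECT_KEY in lsenv:
            findings.append(("info-plist-inject", f"{app.name}: {lsenv[INJECT_KEY]}"))
    return findings


def scan(home, app_dirs):
    """Run all three checks; returns a list of (kind, detail) tuples."""
    return (scan_launch_agents(home) + scan_hidden_droppers(home)
            + scan_dyld_injection(home, app_dirs))


def build_sample_home(root):
    """Constructed fixture imitating an infected account (inert files, both infection modes)."""
    home = root / "victim"
    (home / "Library" / "LaunchAgents").mkdir(parents=True)
    (home / ".MacOSX").mkdir()
    dropper = home / ".jupdate"
    dropper.write_text("#!/bin/sh\nexit 0\n")  # harmless stand-in for the hidden dropper
    dropper.chmod(0o755)
    with open(home / "Library" / "LaunchAgents" / "com.java.update.plist", "wb") as fh:
        plistlib.dump({"Label": "com.java.update", "ProgramArguments": [str(dropper)],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    with open(home / "Library" / "LaunchAgents" / "com.example.sync.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.sync", "Program": "/usr/local/bin/sync",
                       "RunAtLoad": True}, fh)  # benign agent: must not be flagged
    with open(home / ".MacOSX" / "environment.plist", "wb") as fh:
        plistlib.dump({INJECT_KEY: str(home / ".jupdate.so")}, fh)
    safari = root / "Applications" / "Safari.app"
    clean = root / "Applications" / "Clean.app"
    for app, info in ((safari, {"CFBundleIdentifier": "com.apple.Safari",
                                "LSEnvironment": {INJECT_KEY: str(home / ".jupdate.so")}}),
                      (clean, {"CFBundleIdentifier": "example.clean"})):
        (app / "Contents").mkdir(parents=True)
        with open(app / "Contents" / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)
    return home, [safari, clean]


def run_demo():
    """Build the fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        home, apps = build_sample_home(Path(tmp))
        return scan(home, apps)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind:26s} {detail}")
```

Against the fixture the scan reports four findings (the named agent, the hidden dropper, the environment.plist injection and the Safari Info.plist injection) and stays silent on the benign agent and the clean app; the hidden-program rule exists so that a renamed dropper behind an unfamiliar plist name is still caught.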


Messages in this thread
Re: Mac - over 600,000 infected machines - by Eugeniusz - 07.04.2012, 13:42
Re: Mac - over 600,000 infected machines - by ktośtam - 07.04.2012, 14:19
Re: Mac - over 600,000 infected machines - by ichito - 08.04.2012, 06:17
Re: Mac - over 600,000 infected machines - by ktośtam - 08.04.2012, 15:40
Re: Mac - over 600,000 infected machines - by andrzej76 - 10.04.2012, 08:03
Re: Mac - over 600,000 infected machines - by ktośtam - 10.04.2012, 09:24
Re: Mac - over 600,000 infected machines - by Eugeniusz - 10.04.2012, 12:20
