NEWS FROM THE LAB - Monday, March 19, 2012

Mac Malware at the Moment Posted by Brod @ 14:47 GMT

It's been a while since we last wrote about Mac malware, so I thought it would be good to give our readers an update on what's been happening during the last few months. Last year we detailed a possible Mac trojan in the making. At that time we were still speculating whether it would be part of a bundle or just a standalone binary. Now it's clear: a new variant was discovered and it is a full-blown application, complete with an icon.

The author calls this variant version 1.0 ("FILEAGENTVer1.0" in little-endian) as seen from the binary's code:

The sample I analyzed uses thumbnail images/icons of Irina Shayk, apparently taken from the March 2012 issue of FHM (South Africa) magazine. The malicious application bundle is being spread inside an archive file together with other images taken from the magazine hoping that its file type will be overlooked by users.

FHM Feb Cover Girl Irina Shayk H-Res Pics
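The distribution trick above relies on an application bundle blending in with the images around it. As an added example (not code from the original post or from F-Secure), here is a small Python check that walks an archive's entry list, finds anything shaped like `<name>.app/Contents/MacOS/<executable>`, and confirms it by its Mach-O magic bytes; the sample archive and the bundle name are constructed for the demonstration and are not taken from the real Revir sample.

```python
import io
import zipfile

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus fat/universal.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC (universal binary)
}


def find_app_bundles(zip_bytes):
    """Return (bundle_name, entry_path) for every .app bundle in the archive
    whose Contents/MacOS directory holds a real Mach-O executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            for i, part in enumerate(parts[:-1]):
                # Match <bundle>.app/Contents/MacOS/<executable> exactly.
                if (part.lower().endswith(".app")
                        and parts[i + 1:i + 3] == ["Contents", "MacOS"]
                        and len(parts) == i + 4):
                    with zf.open(info) as fh:
                        head = fh.read(4)
                    if head in MACHO_MAGICS:
                        findings.append((part, info.filename))
    return findings


def build_sample_archive(include_bundle=True):
    """Constructed sample (hypothetical names): a few JPEG-looking files and,
    optionally, an app bundle whose name imitates an image."""
    buf = io.BytesIO()
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FHM Pics/pic1.jpg", jpeg_header)
        zf.writestr("FHM Pics/pic2.jpg", jpeg_header)
        if include_bundle:
            app = "FHM Pics/pic3.jpg.app/Contents/"
            zf.writestr(app + "Info.plist", b"<plist/>")
            zf.writestr(app + "Resources/icon.icns", b"icns")
            # 64-bit Mach-O magic followed by padding stands in for the executable.
            zf.writestr(app + "MacOS/pic3", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return buf.getvalue()
```

Only entries under Contents/MacOS are opened, so the check stays cheap even on archives with many large images.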

Nothing else is new besides the implementation. The backdoor payload is still the same but uses a new C&C server. The server is currently active (at time of publication). It is important to note that the new C&C server still points to the same IP address as the previous variant, as mentioned by the folks at ESET. We have reported the server to CERT-FI. Hopefully they will be able to notify the proper authorities.

We detect this new variant as Trojan-Dropper:OSX/Revir.C, MD5: 7DBA3A178662E7FF904D12F260F0FFF3.

Moving along — there's another, more serious OS X malware threat lurking out there. The Flashback trojan, which first appeared around the same time as Revir, is still in the wild. It is using exploits to infect systems without user interaction. Though what it's exploiting are old Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353), we might begin seeing a real OS X outbreak if the gang upgrades their operation a notch higher and starts targeting unpatched vulnerabilities.

In a future post, I will detail how to locate a Flashback infection. In the meantime, the easiest way to avoid infection is to just disable Java in your browser(s). Based on our surveys, most users don't really need Java when browsing the Web. If for some reason you do need Java, say for online banking, turn it on only when you need it. And then turn it off again after you're done.

In Safari, you can disable Java by unchecking "Enable Java" in Safari Preferences, Security tab.

Safari, Java settings

Or you can disable Java system-wide on Snow Leopard (Lion doesn't come with Java by default) by going to Applications, Utilities, Java Preferences and unchecking everything in the General tab.

Java Preferences