April 27, 2012
Sophos Finds Traces Of New Mac Malware, Windows Users Should Also Take Note
Michael Harper for RedOrbit.com
Mac users who haven't already installed the recent system updates should take this story as a very stern reminder that they are still at high risk of contracting malware on their machines. English security firm Sophos has identified a new malware attack which targets not only Mac users, but Windows users as well. Just like the 2 recent malware attacks which have topped the headlines for weeks now, this new malware attack takes advantage of the same Java vulnerability which has been patched on Linux, Mac and Windows operating systems. Those who have yet to install these Java patches remain vulnerable to infection.
This newly identified malware takes advantage of the vulnerability in order to download malicious code onto the computer. Once there, the malicious code installs further code, depending on the operating system. Not to be outdone, this code once more installs another round of malicious code, downloading a backdoor Trojan on Windows machines and a Python script on Macs.
The Python script also acts as a backdoor to the system, giving hackers the ability to remotely access the infected computer and send commands, steal files, run processes and install even more malicious code, all without the user's knowledge or permission.
While this new malware uses the same "gateway" into a vulnerable system as previous exploits, what it does once it's there is quite different. Rather than connect an infected computer to a botnet, which is then used to further infect other computers, this new malware appears to be used to access and control machines remotely.
Catching this malware is as easy as refusing to update one's computer and visiting compromised websites, as this malware can install itself without permission, unbeknownst to the user.
According to Sophos, the easiest way to check your system for this infection is to run an up-to-date anti-virus product, such as theirs.
Users wanting to check for this Trojan by hand can simply search /Users/Shared/ and look for files called update.sh and update.py.
According to Sophos, “update.sh is a shell script that will execute update.py, the Python script. These files can be safely deleted.”
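The manual check described above, written out as an added shell example that is not from the article or from Sophos. It assumes only what the article states: the directory /Users/Shared/ and the two file names update.sh and update.py, plus the quoted detail that update.sh runs update.py. The directory argument is an addition here so the check can be run against any folder; the script only reports and never deletes anything.

```shell
#!/bin/sh
# Added example, not code from the article or from Sophos. It checks a
# directory (default /Users/Shared, the path the article names) for the two
# file names Sophos lists, update.sh and update.py, and reports whether the
# shell script mentions the Python script as the article describes.
# Nothing is deleted; the user decides what to do with the findings.

# Returns 0 when neither file is present, 1 when at least one is found.
check_shared_dir() {
    dir="${1:-/Users/Shared}"
    found=0
    for name in update.sh update.py; do
        path="$dir/$name"
        if [ -e "$path" ]; then
            found=1
            # Size and modification time help decide what to look at first.
            printf 'indicator present: %s\n' "$path"
            ls -l "$path"
        fi
    done
    return "$found"
}

# Returns 0 when update.sh in the directory refers to update.py (the
# behaviour Sophos describes), 1 otherwise, including when update.sh is absent.
shell_script_calls_python() {
    dir="${1:-/Users/Shared}"
    [ -f "$dir/update.sh" ] || return 1
    grep -q 'update\.py' "$dir/update.sh"
}

# Stand-alone run: inspect the directory given as the first argument
# (or the default) and summarise what was seen.
target="${1:-/Users/Shared}"
if check_shared_dir "$target"; then
    echo "no indicator files found in $target"
else
    if shell_script_calls_python "$target"; then
        echo "update.sh refers to update.py, matching the Sophos description"
    fi
    echo "review the files listed above before removing them"
fi
```

Run it as `sh check.sh` to inspect /Users/Shared, or `sh check.sh /some/dir` to point it elsewhere. A non-zero exit from `check_shared_dir` is the signal that something matching the description was found; an empty result on a machine that is fully patched is the expected outcome.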
Claims of a newly identified security threat by anti-virus software makers should always be taken with a grain of salt. After all, these companies only stand to benefit from breaking such news. However, even the rumor of new exploits should serve as a reminder to exercise caution on the web and to keep the machine's software updated.
Apple makes this process painless, rolling out new software updates on a frequent but not-too-frequent basis.
When news broke earlier this month about the new Flashback trojan, Mac users were stunned to hear that more than 500,000 of their peers were connected to the resulting botnet, including many Macs located at Apple's own headquarters.
Since then, Apple has released 2 updates to repair the Java vulnerability as well as a tool to remove the trojan, should you have contracted it.
The best way to ensure your Mac steers clear of these Java vulnerabilities, however, is to simply disable the plug-in altogether. Very few websites and web apps use Java, and as such, it will likely never be missed in your internet browsing.
The Mac experts at CultofMac.com have explained this process here. As is often true, an ounce of prevention is worth a pound of cure, and disabling Java on your system might be the most painless form of cure available.