Mac OSX Virus currently infecting over 600,000 Macs



Postby KnightExemplar » Fri Apr 06, 2012 1:59 pm UTC

http://www.informationweek.com/news/sec ... /232800374
Spoiler:
Apple earlier this week released an update for its version of Oracle's Java software to limit the spread of a Flashback trojan variant that has already infected over 600,000 Macs.

Russian security company Dr. Web said on Wednesday that it estimates over 600,000 Macs have been hijacked by the malware and joined in a botnet. About half of the infected computers are located in the U.S., the company said, and about 20% are located in Canada.

F-Secure chief research officer Mikko Hypponen via Twitter observed that with an installed base of about 45 million Macs, Flashback appears to have infected about 1% of the Macs out there, making it comparable in terms of reach to the Conficker malware in the Windows world.

The Flashback trojan is able to take over computers by exploiting vulnerabilities in Java. Visiting or being directed to a compromised website might allow the malware to take over your Mac. The malware relies on JavaScript code to load a malicious Java applet. Disabling Java--via one's Web browser security settings or via the Java Preferences file likely to be found in Applications/Utilities/--should protect against this particular threat.


Dr. Web says that attackers first began using the CVE-2011-3544 and CVE-2008-5353 vulnerabilities in February, and then moved to another vulnerability, CVE-2012-0507, in March.

Apple often has been criticized for not responding fast enough to security vulnerabilities and this incident shows the tradition continues. Security reporter Brian Krebs notes that "[Apple's] lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don't need to be concerned about malware attacks."

Oracle patched CVE-2012-0507 in February. However, Apple distributes its own version of Java, previously bundled with OS X and presently as an optional download in Lion (OS X 10.7).

Apple used to claim, "Mac OS X isn't plagued by constant attacks from viruses and malware" because the operating system was "designed with security in mind." It has since qualified its assertions about security and now states, "A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers."

Even that statement appears to be questionable given that software such as Oracle's Java, Adobe's Flash, and Apple's own iTunes--all of which have had publicly exploited vulnerabilities--can be found on both Mac and Windows machines.


A few things.

1. Screw you Oracle. Java is just not the same anymore. (The virus's method of attack is the Java plugin in Safari).
2. Nonetheless, it's still Apple's problem because Oracle did issue a patch to the Java plugin, and Apple didn't push out an update to Safari fast enough. So I can't let Apple off the hook on this one either. The vulnerability was fixed by Oracle in February, but no patch was pushed forward until this week. Shame on them for taking so long.

Apparently this virus has infected the same percentage of Macs as Conficker did against Windows. Freaking Conficker. Anyway, for those out in the Mac community, update that Java plugin. If you can't update it, then be sure to get a virus scanner or disable it.
First Strike +1/+1 and Indestructible.
KnightExemplar
 
Posts: 1590
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby Jplus » Fri Apr 06, 2012 8:34 pm UTC

This is an unconfirmed number from an antivirus company.

That said, always updating to the latest versions of your software is a good idea.
Hey, like coding? Perhaps you should check out the red spider project.
Feel free to call me Julian. J+ is just an abbreviation.
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby Triangle_Man » Fri Apr 06, 2012 8:40 pm UTC

That is a good habit that I have got to get into regularly.

And I use a PC, so I guess I'm fine.

...Is there a chance this thing could infect my PC?
I really should be working right now, but somehow I don't have the energy.

The Mighty Thesaurus wrote:My moral system allows me to bitch slap you for typing that.
Triangle_Man
WINNING
 
Posts: 1500
Joined: Sat May 02, 2009 8:41 pm UTC
Location: CANADA

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby sardia » Fri Apr 06, 2012 9:44 pm UTC

Triangle_Man wrote:That is a good habit that I have got to get into regularly.

And I use a PC, so I guess I'm fine.

...Is there a chance this thing could infect my PC?

Did you update your java?
sardia
 
Posts: 1806
Joined: Sat Apr 03, 2010 3:39 am UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby KnightExemplar » Sat Apr 07, 2012 12:03 am UTC

Jplus wrote:This is an unconfirmed number from an antivirus company.

That said, always updating to the latest versions of your software is a good idea.


Perhaps true last time you read the story. But two different antivirus companies have reported this by now. Dr. Web was the first company to report this (the one in the original story). Now Kaspersky Labs has also independently verified the facts today.

https://www.securelist.com/en/blog/2081 ... _confirmed
We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.


Mind you, that 600,000 figure was only collected over the period of a day, i.e., infected Macs that were turned off between April 5th and April 6th weren't counted in that 600,000 figure. So this attack is definitely serious business and a wake up call to Apple.

Triangle_Man wrote:That is a good habit that I have got to get into regularly.

And I use a PC, so I guess I'm fine.

...Is there a chance this thing could infect my PC?


Portable viruses are possible, but are uncommon for the same reasons that portable programs are uncommon. The virus writer would have to write twice the programs to support both operating systems. Considering the specificity of the attack, (which looks for Mac specific files, among other things), I can safely say that this particular virus is Mac only.

The Kaspersky labs link also has some information as far as which OSes can be affected.

We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.

[Image: Kaspersky's passive-OS-fingerprint breakdown of the connecting bots by operating system]


So they have a very rough estimate (ie: an estimate that could easily be faked). Still, their rough estimate shows that over 98% of the infected computers are Mac OSX computers. Considering that this information is somewhat unreliable, the 0.06% estimate for Windows Boxes is probably within the margin of error. Hell, the Linux estimate is probably within the margin of error as well. (If someone went through the trouble of making a cross-platform trojan... I doubt they'd target Mac + Linux but not Windows).

(I'd expect those Linux boxes to be DD-WRT routers, which may screw up the fingerprinting process.)

That said, while this specific Flashback virus is Mac only (Flashback is the name of the virus), the vulnerability existed on every machine with Java. So Windows, Linux, and Macs were all vulnerable at some point. However, the patch to fix the vulnerability was released for both Windows and Linux in February. The big story is that Mac OSX computers weren't fixed until this week. Basically, if you hit yes on that annoying "Java update button" in February, you're safe from this attack on both Windows and Linux. But even if you were completely up to date on Mac OSX, you were vulnerable for the entire month of March... and there was nothing you could do about it.

EDIT: Based on further blog posts by f-secure, I think we can safely assume that this virus is Mac-Only.
http://www.f-secure.com/weblog/archives/00002336.html
To better understand the steps below, it is better to also know a bit about Flashback. It's an OS X malware family that modifies the content displayed by web browsers. To achieve this, it interposes functions used by the Mac's browsers. The hijacked functions vary between variants but generally include CFReadStreamRead and CFWriteStreamWrite:


I guess this was before they knew about the new attack the virus was using. Note that the f-secure description doesn't mention the new Java vulnerability CVE-2012-0507. They only mention the older vulnerabilities.
First Strike +1/+1 and Indestructible.
KnightExemplar
 
Posts: 1590
Joined: Sun Dec 26, 2010 1:58 pm UTC
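The Kaspersky measurement quoted in the post above (register the day's DGA domain, log the bots that call in, count distinct hardware UUIDs rather than IP addresses) is easy to model. The block below is an added example, not Kaspersky's code: the DGA is a made-up stand-in (Flashback's real algorithm is not on this page), the UUIDs and log lines are constructed, and `census`/`combined_bots` are my own names. It shows why the UUID count and the IP count differ (one bot roaming across IPs, several bots behind one NAT address) and why a single day's census undercounts bots that were switched off.

```python
"""Sinkhole-style bot census, modelled on the measurement quoted above.

Added example, not Kaspersky's code. The DGA below is a made-up
stand-in (Flashback's real algorithm is not on this page) and the
log lines are constructed. The point shown: count bots by the hardware
UUID each request carries, not by source IP, then union several days.
"""
import hashlib
import re
from collections import defaultdict


def hypothetical_dga(day_iso, seed=b"example-seed-not-flashback"):
    """Hypothetical date-seeded DGA: a defender who knows it can register
    tomorrow's domain ahead of the botmaster and log whatever connects."""
    digest = hashlib.sha256(seed + day_iso.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:12]) + ".com"


LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (GET|POST) (\S+)")
UUID_RE = re.compile(r"uuid=([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")

# Constructed bot identifiers and sinkhole access-log lines.
BOT_A = "5B5D6A7E-0F3C-4A1B-9E8D-1A2B3C4D5E6F"
BOT_B = "0C1D2E3F-4A5B-4C6D-8E9F-0A1B2C3D4E5F"
BOT_C = "9F8E7D6C-5B4A-4392-8817-66554433AABB"
BOT_D = "11223344-5566-4777-8899-AABBCCDDEEFF"

DAY1_LOG = f"""\
2012-04-06T00:13:02Z 203.0.113.5 GET /check?uuid={BOT_A} HTTP/1.1
2012-04-06T00:13:09Z 203.0.113.5 GET /check?uuid={BOT_B} HTTP/1.1
2012-04-06T06:41:55Z 198.51.100.7 GET /check?uuid={BOT_A} HTTP/1.1
2012-04-06T07:02:10Z 198.51.100.9 POST /report?uuid={BOT_C} HTTP/1.1
2012-04-06T07:02:11Z 192.0.2.44 GET /favicon.ico HTTP/1.1
2012-04-06T18:30:00Z 198.51.100.9 GET /check?uuid={BOT_C} HTTP/1.1
"""
DAY2_LOG = f"""\
2012-04-07T01:00:00Z 203.0.113.77 GET /check?uuid={BOT_A} HTTP/1.1
2012-04-07T02:00:00Z 198.51.100.20 GET /check?uuid={BOT_D} HTTP/1.1
"""


def census(log_text):
    """Count bots by UUID from raw sinkhole log lines; ignore non-bot traffic."""
    ips_by_bot = defaultdict(set)   # one bot seen from several IPs (DHCP, roaming)
    bots_by_ip = defaultdict(set)   # several bots behind one NAT address
    requests = ignored = 0
    for line in log_text.splitlines():
        m, u = LINE_RE.match(line), UUID_RE.search(line)
        if not (m and u):
            ignored += 1            # scanners, browsers, anything without a bot UUID
            continue
        ip, uuid = m.group(2), u.group(1).upper()
        requests += 1
        ips_by_bot[uuid].add(ip)
        bots_by_ip[ip].add(uuid)
    return {
        "bots": set(ips_by_bot),
        "ips": set(bots_by_ip),
        "requests": requests,
        "ignored": ignored,
        "roaming_bots": sum(len(s) > 1 for s in ips_by_bot.values()),
        "shared_ips": sum(len(s) > 1 for s in bots_by_ip.values()),
    }


def combined_bots(*daily):
    """Bots powered off on one day show up on another: union the daily sets."""
    return set().union(*(d["bots"] for d in daily))


if __name__ == "__main__":
    print("sinkhole domain for 2012-04-06:", hypothetical_dga("2012-04-06"))
    d1, d2 = census(DAY1_LOG), census(DAY2_LOG)
    print("day 1: %d bots from %d IPs (%d requests, %d ignored)"
          % (len(d1["bots"]), len(d1["ips"]), d1["requests"], d1["ignored"]))
    print("two-day union:", len(combined_bots(d1, d2)), "bots")
```

On the constructed day-1 log the UUID count and the IP count happen to agree (three each) even though one bot roamed and one address was shared, which is exactly why a UUID-keyed count is the more trustworthy of the two; the second day adds a bot that was off on day one, so the two-day union is larger than either day alone.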

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby Arariel » Sat Apr 07, 2012 7:10 am UTC

So were these 0.7% infected Linux machines (less than 4,300) running GNU/Linux or Android/Linux? Android does use a lot of Java in apps...

So I can't tell from that data about Linux. But FreeBSD has a mysteriously disproportionately large share in that data. Compared to Windows, that is. You'd expect FreeBSD users to be more tech-savvy. And Windows XP is not on there, while Windows 7 is? I'm actually finding those numbers pretty sketchy.
Arariel
 
Posts: 374
Joined: Fri Sep 17, 2010 2:32 am UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby KnightExemplar » Sat Apr 07, 2012 2:18 pm UTC

Read up on how the fingerprinting technique works.

http://old.honeynet.org/papers/finger/

By analyzing these factors of a packet, you may be able to determine the remote operating system. This system is not 100% accurate, and works better for some operating systems than others. No single signature can reliably determine the remote operating system. However, by looking at several signatures and combining the information, you increase the accuracy of identifying the remote host.


The specific fingerprinter they used was this: http://lcamtuf.coredump.cx/p0f3/

For TCP/IP, the tool fingerprints the client-originating SYN packet and the
first SYN+ACK response from the server, paying attention to factors such as the
ordering of TCP options, the relation between maximum segment size and window
size, the progression of TCP timestamps, and the state of about a dozen possible
implementation quirks (e.g. non-zero values in "must be zero" fields).


Basically, it's unreliable like hell (lol timing information) and easily faked (raw sockets anyone?). But it's a very easy technique to use. So don't pay attention to the numbers very much, you gotta "squint" a bit due to the unreliability of the technique. Based on that, I'm willing to bet that FreeBSD, Linux, and Windows are all within the margin of error. And that Macs actually account for 100% of the traffic.

I'm not exactly an expert on this aspect of computing though. But I'd also be worried about routers and similar devices. Linux-based routers are somewhat common for instance. So if the Mac machine was accessing the internet through a Linux router... would they identify the machine as a Linux machine?

Anyway, based on the descriptions of the virus... we know it looks for Mac Specific files and attacks the Mac's web browser, and attacks a vulnerability that was unpatched in Macs. So I'm certain that 100% of the infected machines are Macs. The above statistic was just another way to get an estimate of the infected machines. It certainly isn't accurate to 0.3%.
First Strike +1/+1 and Indestructible.
KnightExemplar
 
Posts: 1590
Joined: Sun Dec 26, 2010 1:58 pm UTC
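To make the p0f discussion above concrete, here is an added example of the SYN-side of passive fingerprinting and of its two weaknesses raised in the post: it is not p0f's code and not Kaspersky's, the signature table is simplified and only loosely based on p0f's published `p0f.fp` entries (treat the labels as approximations and check the real database), and the SYN observations are constructed. It also answers the router question: a plain NAT router decrements the TTL and rewrites addresses but leaves the TCP option order alone, so a Mac behind a Linux router still classifies as a Mac, one hop further away; a raw-socket SYN built with Linux's option layout, on the other hand, classifies as Linux.

```python
"""Passive OS fingerprinting of SYN packets, p0f-style, and its limits.

Added example, not p0f's code and not Kaspersky's. The signature table is
simplified and only loosely based on p0f's published p0f.fp entries; treat
it as an approximation and check the real database before trusting a label.
The SYN observations are constructed.
"""
from collections import Counter

# (label, initial TTL, TCP option order, window rule)
SIGNATURES = [
    ("Mac OS X 10.x", 64, ("mss", "nop", "ws", "nop", "nop", "ts", "sok", "eol"), ("fixed", 65535)),
    ("Linux 2.6/3.x", 64, ("mss", "sok", "ts", "nop", "ws"), ("mss_mult", 10)),
    ("FreeBSD 9.x", 64, ("mss", "nop", "ws", "sok", "ts"), ("fixed", 65535)),
    ("Windows 7", 128, ("mss", "nop", "ws", "nop", "nop", "sok"), ("fixed", 8192)),
]


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), None)


def window_matches(rule, window, mss):
    kind, value = rule
    if kind == "fixed":
        return window == value
    return bool(mss) and window == mss * value      # "mss_mult": window is a multiple of MSS


def fingerprint(syn):
    """(label, hop distance) for one SYN; ('unknown', None) when nothing matches."""
    ttl0 = initial_ttl(syn["ttl"])
    for label, sig_ttl, opts, rule in SIGNATURES:
        if (ttl0 == sig_ttl and syn["df"] and tuple(syn["options"]) == opts
                and window_matches(rule, syn["window"], syn.get("mss"))):
            return label, ttl0 - syn["ttl"]
    return "unknown", None


def tally(syns):
    """Per-label (count, percent) over a batch of SYNs: an order-of-magnitude estimate only."""
    counts = Counter(fingerprint(s)[0] for s in syns)
    total = sum(counts.values())
    return {label: (n, round(100.0 * n / total, 1)) for label, n in counts.items()}


MAC_OPTS = ("mss", "nop", "ws", "nop", "nop", "ts", "sok", "eol")
LINUX_OPTS = ("mss", "sok", "ts", "nop", "ws")

# Constructed observations
MAC_DIRECT = {"ttl": 64, "window": 65535, "mss": 1460, "df": True, "options": MAC_OPTS}
# Same Mac one hop behind a Linux home router: NAT rewrites addresses and
# decrements the TTL but leaves the TCP options alone, so it still reads as a Mac.
MAC_BEHIND_NAT = dict(MAC_DIRECT, ttl=63)
WIN7 = {"ttl": 120, "window": 8192, "mss": 1460, "df": True,
        "options": ("mss", "nop", "ws", "nop", "nop", "sok")}
# A raw-socket SYN crafted to look like Linux: the technique is trivially spoofable.
FORGED_LINUX = {"ttl": 64, "window": 14600, "mss": 1460, "df": True, "options": LINUX_OPTS}
SAMPLE_SYNS = [MAC_DIRECT] * 5 + [MAC_BEHIND_NAT] * 3 + [FORGED_LINUX, WIN7]

if __name__ == "__main__":
    for name, syn in [("direct Mac", MAC_DIRECT), ("Mac behind NAT", MAC_BEHIND_NAT),
                      ("forged Linux", FORGED_LINUX)]:
        print(f"{name:15s} -> {fingerprint(syn)}")
    print(tally(SAMPLE_SYNS))
```

The hop distance (initial TTL minus observed TTL) is what real p0f reports as "distance"; a whole botnet showing distance 1 with Mac option ordering is the NAT-router case, not a population of Linux hosts. Nothing in the matcher can tell a genuine Linux SYN from the forged one, which is the sense in which the percentages should be read as rough.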

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby Jplus » Sat Apr 07, 2012 9:58 pm UTC

KnightExemplar wrote:I'm not exactly an expert on this aspect of computing though. But I'd also be worried about routers and similar devices. Linux-based routers are somewhat common for instance. So if the Mac machine was accessing the internet through a Linux router... would they identify the machine as a Linux machine?

Probably not always, because otherwise the Linux share in the table would be much larger.
Hey, like coding? Perhaps you should check out the red spider project.
Feel free to call me Julian. J+ is just an abbreviation.
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby NoodleIncident » Sun Apr 08, 2012 1:54 am UTC

Updating my software now, thanks!

What did the virus do? Standard botnet?
Zagibu wrote:Don't ask how many times I've accidentially spawned an alligator completely covered in adamantine with a battle axe strapped to its tail.
NoodleIncident
 
Posts: 87
Joined: Thu Jul 23, 2009 1:07 am UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby KnightExemplar » Tue Apr 17, 2012 4:08 am UTC

Wow... bad month for Mac OSX security. A Second Virus has been detected that uses this Java flaw... and also another one in Microsoft Office for Mac.

http://securitywatch.pcmag.com/none/296 ... oft-office

Spoiler:
Over the weekend, security vendors discovered another information-stealing Trojan in the wild, targeting Tibetan sympathizers with vulnerabilities in Java and Microsoft Word.

Two versions of SabPub were discovered in the wild this past weekend, flying undetected for about two months now. Kaspersky's Costin Raiu wrote in a blog post that SabPub was probably written by the LuckyCat authors.

Version 1: Microsoft Office
One version of SabPub traps Mac (and potentially Windows) users with booby-trapped Microsoft Word documents which exploit the vulnerability 'MSWord.CVE-2009-00563.a.'

The spear-phishing emails contained a malicious Word attachment entitled '10thMarch Statemnet' (with typo) to Tibet sympathizers. March 10, 2011 refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959.

The Word doc was created in August 2010 and updated in February with SabPub thrown in; "quite normal" for such attacks and seen in other APT's like Duqu, Raiu notes.

Version 2: Java
A March version of Sabpub also discovered last weekend exploits the same drive-by Java vulnerability seen in Flashback, one of the biggest botnet attacks seen in OS X. Once the backdoor Trojan is downloaded, a victim's system is connected to a command-and-control center via HTTP. From there the botnet can grab screenshots, upload/download files, and remotely execute commands, Sophos' Graham Cluley writes. SabPub drops the following two files on a user's system, so if you are concerned about infection Cluley recommends searching for these files:

/Users//Library/Preferences/com.apple.PubSabAgent.pfile
/Users//Library/LaunchAgents/com.apple.PubSabAGent.plist

In late March, vendors discovered another OS X Trojan, Tibet.C, that exploited Microsoft Word to spy on the computers of Tibetan sympathizers. It was believed to come from the GhostNet group of Chinese cyber spies.

You may not be a key target of SabPub, but one day the same malware can be used to target your system. Our advice is the same as always: make sure you've downloaded the latest security patches for Windows, MacOS, and Java. Also make sure your antivirus protection is up to date. Due to the MS Office exploit, households with both PCs and Macs would benefit from cross protection from products like Norton One and McAfee All Access.


Kaspersky Labs has come out with another blog-post that details this Mac Virus.
http://www.securelist.com/en/blog/20819 ... PT_attacks

To summarize:

- At least two variants of the SabPub bot exist today.

- The earliest version of the bot appears to have been created and used in February 2012.

- The malware is being spread through Word documents that exploit the CVE-2009-0563 vulnerability.

- SabPub is different from MaControl, another bot used in APT attacks in February 2012; SabPub was more effective because it stayed undetected for more than 1.5 months.

- the APT behind SabPub is active at the time of writing.


I never thought I'd see the term "Advanced Persistent Threat" being used to describe a Mac Virus! But the SabPub virus is interesting in that it specifically targeted people connected with the Dalai-Lama. (Because SabPub is a Word Document... all you have to do is read the document to see who they are targeting. Then you reformat your computer, lol)

Only people who open up Email Attachments from the Dalai-Lama on a machine with Microsoft Office for Mac would be infected with the virus. Considering the specificity of the attack, it does seem to fit the description of an APT. Furthermore, Kaspersky Labs managed to keylog a hacker manually hacking the machine! (read the blog post, seriously)

For me, it's the first time that I get to see the words "Advanced Persistent Threat" describe something legitimate. Normally, you hear the acronym "APT" and it's a bunch of computer security firms just beating the drums so that they get more funding. But APT perfectly describes what's going on here. Someone, somewhere... wants to form a botnet of Mac computers connected with Tibetan Activists. Those guys want the botnet so bad... that they wrote a new virus that escaped detection for almost two months!

Anyway, it's such a specific virus that the vast vast majority of people do not have to worry about SabPub at all. But I find it interesting nonetheless. It's rare to see hackers of this skill level doing their work... and SabPub shows that Macs definitely aren't safe from those guys. (But then again... who is?)

NoodleIncident wrote:Updating my software now, thanks!

What did the virus do? Standard botnet?


First... a standard disclaimer: I'm not an expert on this subject. If you want to know more, I suggest reading the information directly from the experts using the links I placed earlier.

Based on the blogposts that I've read... Flashback seems to be just a delivery system as far as I know. FlashBack itself doesn't actually keylog you or anything... but the hackers who own the botnet can have full remote control over your computer. If the virus managed to get Administrator permissions, then it makes itself more stable and harder to remove. Otherwise, it settles for user-permissions.

Basically, it does nearly full remote control of your computer, and it gives that remote control to some unknown entity somewhere.
First Strike +1/+1 and Indestructible.
KnightExemplar
 
Posts: 1590
Joined: Sun Dec 26, 2010 1:58 pm UTC
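The Sophos advice quoted in the post above is to search for the two SabPub files. The block below is an added example, not Sophos's, Kaspersky's or Apple's tooling: it checks a home directory for those two filenames (matched case-insensitively, since the default OS X file system is case-insensitive), and, as a heuristic of my own rather than anything the write-ups state, flags any per-user LaunchAgent whose name borrows the `com.apple.` prefix and reports what it would run. `build_demo_home` and the plist contents in it are constructed so the scan can be exercised without an infected machine; the `scan_home`, `launch_agent_program` and `_listing` names are mine.

```python
"""Host check for the SabPub file indicators quoted above.

Added example, not Sophos's, Kaspersky's or Apple's tooling. Looks in a
home directory for the two SabPub filenames (case-insensitively) and, as a
heuristic of the example's author rather than anything the write-ups state,
flags per-user LaunchAgents that borrow the com.apple. prefix, reporting the
command line each would run. build_demo_home() constructs a throwaway home
directory to scan; nothing here modifies the real one.
"""
import os
import plistlib
import tempfile

# Filenames from the Sophos/PCMag write-up, lower-cased for matching.
SABPUB_IOCS = {
    os.path.join("Library", "Preferences"): {"com.apple.pubsabagent.pfile"},
    os.path.join("Library", "LaunchAgents"): {"com.apple.pubsabagent.plist"},
}


def _listing(dirpath):
    """{lowercased name: real name} for a directory, empty if it is absent."""
    try:
        return {name.lower(): name for name in os.listdir(dirpath)}
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return {}


def launch_agent_program(plist_path):
    """Command line a LaunchAgent plist would run, or a marker if unreadable."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except Exception as exc:
        return f"<unreadable: {type(exc).__name__}>"
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    return " ".join(str(a) for a in args) if args else "<no program>"


def scan_home(home):
    """Return a list of (kind, detail) findings for one home directory."""
    findings = []
    for rel, wanted in SABPUB_IOCS.items():
        for low, real in _listing(os.path.join(home, rel)).items():
            if low in wanted:
                findings.append(("sabpub-ioc", os.path.join(home, rel, real)))
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    for low, real in _listing(agents_dir).items():
        # Heuristic: Apple's own agents live under /System/Library and /Library,
        # so a com.apple.* plist in a user's LaunchAgents deserves a look.
        if low.startswith("com.apple.") and low.endswith(".plist"):
            path = os.path.join(agents_dir, real)
            findings.append(("apple-named-user-agent", f"{path} runs: {launch_agent_program(path)}"))
    return findings


def build_demo_home():
    """Constructed sample: the SabPub filenames plus one benign agent, in a temp dir."""
    home = tempfile.mkdtemp(prefix="sabpub-demo-")
    agents = os.path.join(home, "Library", "LaunchAgents")
    prefs = os.path.join(home, "Library", "Preferences")
    os.makedirs(agents)
    os.makedirs(prefs)
    with open(os.path.join(agents, "com.apple.PubSabAGent.plist"), "wb") as f:
        plistlib.dump({"Label": "com.apple.PubSabAGent", "RunAtLoad": True,
                       "ProgramArguments": ["/Users/demo/Library/Preferences/.hidden_agent"]}, f)
    open(os.path.join(prefs, "com.apple.PubSabAgent.pfile"), "wb").close()
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater", "Program": "/usr/local/bin/updater"}, f)
    return home


if __name__ == "__main__":
    target = os.path.expanduser("~")
    for kind, detail in scan_home(target) or [("clean", target)]:
        print(kind, detail)
    print("demo home:", *scan_home(build_demo_home()), sep="\n  ")
```

Run as-is it scans the current user's home read-only and then the constructed demo home; on the demo home it reports both SabPub files plus the Apple-named agent with its hidden program path, and leaves the `com.example.updater` agent alone. A file-name check like this only catches the variant whose names were published, which is the same limitation the thread raises about antivirus further down.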

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby Velict » Tue Apr 17, 2012 5:27 am UTC

Sophos is a good, free anti-virus for OS X.

I will miss the days of not having to worry about viruses on my Macbook, though.
Velict
 
Posts: 609
Joined: Wed Dec 24, 2008 9:07 pm UTC
Location: Icecrown Citadel

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby KnightExemplar » Tue Apr 17, 2012 7:16 am UTC

Velict wrote:Sophos is a good, free anti-virus for OS X.

I will miss the days of not having to worry about viruses on my Macbook, though.


Antivirus is always good advice, but it's important to remember that anti-virus is a reaction to the problem. For example, both SabPub and Flashback were in the wild for nearly two months before they were detected... which means no anti-virus in the world could have protected you from them. (Antivirus can't protect you from a threat it doesn't know about)

While I dunno of any Mac Virus with this level of sophistication... Conficker disabled antivirus and destroyed your system restore points. Basically, if you got infected with Conficker back in 2009 when it came out... it was nearly impossible to remove without reformatting your hard drive. Even if you had anti-virus running, Conficker got around that. I expect that as Mac users get more and more anti-virus on their systems... these viruses are going to have anti-antivirus techniques in them, much like Conficker did.

Basically, anti-virus is just one part of computer security... one that Virus Writers can avoid if they are skilled enough. Ultimately, you'll need to keep patches up-to-date (update Java if you haven't already. Flashback and SabPub are stopped cold if you applied the April patches to Java). And you'll just need to remember to practice safe browsing.

Ex: I do a lot of my web-browsing in Sandboxie when I'm on a Windows system. Even if a virus gets loaded inside of Sandboxie, I can always just delete the entire sandbox and create a new one.

I dunno of an equivalent on Macs, but you probably can just load some OS (Mac, Windows, or Linux) into a Virtual Machine (ex: VirtualBox) and do web browsing from there. I admit it's a bit pedantic to use Sandboxie or VMs... but it's the only thing I can think of that prevents the Drive-by-download attack that Flashback used. (Especially if the patch comes late and the virus was unknown for a month)
First Strike +1/+1 and Indestructible.
KnightExemplar
 
Posts: 1590
Joined: Sun Dec 26, 2010 1:58 pm UTC

Re: Mac OSX Virus currently infecting over 600,000 Macs

Postby Jplus » Thu Apr 19, 2012 10:18 am UTC


I'm not going to install AV software yet, but I do like the picture with the worm in the apple.
Hey, like coding? Perhaps you should check out the red spider project.
Feel free to call me Julian. J+ is just an abbreviation.
Jplus
 
Posts: 1091
Joined: Wed Apr 21, 2010 12:29 pm UTC

