Slashdot Mirror
New Targeted Mac OS X Trojan Requires No User Interaction
An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it at 'SX/Sabpab-A.'"
So, what you're saying is, It Just Works?
from TFA: "if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe" (for now).
But it looks like the good times are over.
The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products.
then
This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.
Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"
Sent from my MAC Mini
I hope the recent rash of Malware for the Mac will serve to change the culture of security at Apple. They have a lot of really good technology in that regard and many very good coders who work with security as a priority (they have a lot of oldschool UNIX guys these days). The problem is, it is not a priority for Apple or part of their culture. Some Apple software ships with what looks like no security review at all and no real consideration, while other software clearly was architected with that as a design goal.
They have some very nice sandboxing, but they don't apply it very widely within OS X, even when there is no pain to the user or developer. It is like they just don't want to spend money and resources on that sort of hardening. You send a security hole to Apple and sometimes you hear back the next day and it is fixed in short order. Other times you hear nothing or malware is known and spreading for weeks before Apple bothers to issue a filtering signature.
Hey Apple! Wake up and smell the coffee. Dump some of your cash reserves into expanding work in security and having some experts paying attention and getting things done. "Think Different" about security and listen to the people you already have that have created groundbreaking security systems elsewhere.
Cue the corporation-worshiping consumers willing to abandon human dignity in defense of a non-living multinational corporate person.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
Unless you know you need Java, disable it. Also, install something like Noscript for whatever browser you use. You'll be safe then, at least against the types of attacks we've been seeing.
I don't recall there ever being a self-replicating worm for a *nix platform that could infect you just by being unpatched and connected to the network; please correct me if I'm wrong. You have to actually navigate to an infected site for these trojans to get you.
If you build it, nerds will come. Soylentnews.org
So... rape condom?
This is inevitable, and will continue. OSX have gone from 2% to an estimated 14% market share since 2003
Android has something like a 47% share in the smartphone space.. and there's a report of malware weekly.
I think it's fair to say that it's easier to find a hole (ugh, here comes the 12 year-old humor) than to imagine all the ways people might come up with. You simply need a large enough target to make it worth their while.
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it at 'SX/Sabpab-A.'
Those names are very un-Apple. How about just 'iTrojan'.
Or, to avoid confusion with the previous trojan...
'The New iTrojan.'
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
"Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it at 'SX/Sabpab-A.'""
G3ckoG33k calls it BotOxAss-A.
The only companies finding this "trojans" are RUSSIAN.
And BTW, Kaspersky is known for creating viruses, releasing them and then claiming to be the best at finding them.
Mac users need to stop running their day-to-day stuff under Administrator accounts. Create a new account (if your account is "joe", call this new one "joe_admin"); give it admin permissions; make sure you can log in with it; then (and ONLY then!) remove the admin permissions from your personal account. And then... keep using the same account you've always been using.
On those rare occasions you need to use admin permissions - such as when you are installing software - you'll be prompted to authenticate as an admin, just like you already are. The only difference is you'll need to type that new admin account's ("joe_admin") into the authentication window rather than use your own account. It's brain-dead simple.
The reason for this (in case you're saying "but the Mac already warns you to authenticate, why bother?") is, when your account is an admin account, you're in the "admin" group (duh). The "admin" group has write permissions into the /Applications and /Library folders. All a bad guy needs to do to get around those authentication warnings is to invoke a bash script (or Applescript or whatever) that makes the necessary changes outside of the GUI.
If you're not running as an admin, a malicious script can still theoretically mess with your personal files and folders; but not the system-level ones.
#DeleteChrome
This attack is done by taking advantage of an exploit in the Java plugin. There are also lots of exploits in Flash (unless they have all been found and fixed...) You should try using Chrome and Click to Play: https://plus.google.com/118187272963262049674/posts/Mmgbr3BcYWb
You are looking for com.apple.PubSabAgent.pfile & com.apple.PubSabAGent.plist and NOT com.PubSubAgent.plist or com.PubSubAgent.pfile.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
This is a flaw in Java, which isn't an Apple or "Unix" product. Apple is only responsible for it insofar that they bundle Java with their OS, which is going to end with their next major release of OS X.
If you build it, nerds will come. Soylentnews.org
Fix available here.
Not perfect, but less likely to be exploited and get to my host machine, I don't do much on OS X any more, moved all the video editing and audio DAW to Win7 because I can build my own boxes to my spec that way.
Hello to my fav NT4 machine at 31 jing-ring street Beijing !
"If any question why we died, Tell them because our fathers lied."
Guess it's time to start treating my Mac computers the same way I treat my Windows computers - in need of extra care and protection against external attacks.
And so I've just disabled my Java and Quicktime plugins. Java because that's where all the current attacks are focused (and I never use it anyways), Quicktime because I never use it, either, and a smaller attack area is always good. I still visit enough sites that I need Flash enabled, but that's currently my only plugin (and protected by some heavy blocking rules).
I'll also be much more strict about keeping everything up-to-date, and all the other basic security practices.
Next, guess I need a basic virus-scanner. The only GPL one I see is Clam, which, last time I used it, was completely ineffective at stopping viruses. The one I use on Windows, MSE, is naturally not available on the Mac. So, any suggestions?
Turn.
Off.
Java.
Yes, note the capital 'G' in the trojan plist file. Also, be sure to look in /Library/Preferences, and not /Users//Library/Preferences where there is a legitimate file called com.apple.PubSubAgent.plist (without the capital G).
The correct place to look for the trojan shouldn't have more than about 30 plist files listed. If there are several screens full of plist files, (I have 120+ on my OS 10.5.8 Mac) you're probably looking in the wrong place.
A large part of the blame for this rests on Sun/Oracle's idiotic decision to install the browser plugin by default when the Java runtime is installed.
Most users don't need Java at all. Of those who do, a majority of them don't need it in the browser. And of those who do need it in the browser, they only need it for a small handful of websites, not any and every site on the entire WWW. What should happen is that Java installs by default for desktop applications only with no browser plugin. If the browser plugin IS enabled, then by default it should work only on explicitly whitelisted sites or domains, not everywhere. Of course, there should be methods for system administrators to roll out custom whitelist configurations to users in bulk. But apparently no one at Oracle has heard of the principle of least privilege, so we get crap like this every couple of months.
If you have Java, please reevaluate whether or not you really need it. If you do need it, but only for desktop apps (and/or development) and not for browser based apps, then remove the browser plugin. There are virtually no legitimate public websites that use Java, but a lot of malware that exploits the plugin for evil purposes.
....so its more of a trojan than a virus, as the user did have to do SOMETHING...
---- Booth was a patriot ----
It would really be nice to think that the majority of /.ers are mature enough to just accept that other OSes exist and that some people prefer them. However, apparently most of us are children when it comes to OS preference and have to take an antagonistic and condescending approach to dealing with anyone who differs from our preference. Sad.
My first computer was an Amiga 500. Then I bought an IBM PC clone. I have used MS products for years (DOS 4 -> Windows XP). I didn't particularly like them as they were rather flaky for much of that time, but they got the job done, and my employers used them so I needed to be familiar with them as well. Eventually I bought an iMac and tried OS/X and I like it. I still use Windows XP when I want to play games, but do the majority of my actual computer using on the Mac side of bootcamp. I have used Linux on the desktop and on the server for the past few decades, plus BSD etc. I have an Android smart phone ATM.
I try to use the right tool for the job at any point. I *like* OS/X because it works for me quite well and it seems fairly reliable. Other than that I seldom think about the OS. Its a nice form of Unix and it works well, that is about it.
OS Wars are so childish, unless you are actively developing an OS yourself and can hold discussions based on merit and not personal opinion/bias...
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Does Little Snitch give an alert when this malware calls out?
Why would anyone want Java in their browser? I don't have the JRE plugin and would never install it. There's no need for Java to run in a browser. Desktop apps is a different matter, Eclipse and such are quite useful. And it's eminently practical on the server side. But in the browser? That's completely legacy, and Apple should just stop distributing the plugin for Safari.
I guess default is that it's not installed on Chrome. Default for some bizarre reason is to install this shovelware on Safari. Quit Safari, then remove with: /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin
$ sudo -s
# rm -f
# rm -rf
# exit
Restart Safari. Gone!
Why would anyone want Java in their browser? . . ..
Because I like using iKVM and iLO to access my server consoles.
Wrong. Apple maintains the Mac port of Java. It's very much their fault for sitting on their asses and not getting the patch out sooner, which had been available on other platforms for some time now.
Apple's latest security update (from Thurs) turned off automatic execution of java applets. User can still turn it back on if he wants, but for nearly everybody this is going to be moot.
When the first one came out, I thought Apple might use it as a justification for dropping OS/X support for Java completely. It's always seemed like a red-headed stepchild on the platform. It seems like the only one where updates come from someone other than Sun (Well, Oracle now,) and those updates have always seemed like they're few and far between. I bet very few tears would be shed over at Apple if Java just went away.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Came here wondering the same thing.
Applets failed before they even had a chance to take off. Who the hell is still installing the Java plugin?
You're the wrong one. Apple was late with the patch to the version of Java that they maintain but it's still not an Apple product, it's from Oracle. This is a flaw in Oracle's Java, and starting with 10.8 Java will no longer be part of Apple's OS.
If you build it, nerds will come. Soylentnews.org
To be specific uninstall Java. I did on my wife's mac, and she is yet to miss it. There is always the sandboxed java built into chrome if needed.
Came here wondering the same thing.
Applets failed before they even had a chance to take off. Who the hell is still installing the Java plugin?
Yeah; Java applets were a fad in the late 1990s. Last time I saw one, I was using Windows 95.
In Norway, most banks support a java-based sign-on solution as one one of the login methods for their sites.
Java applets have still their (painful) uses.
Some banks need it for smartcard based authentication. (Do not ask me why.) Also, me like this nice chromatic guitar tuner at www.seventhstring.com.
Why would anyone want Java in their browser? I don't have the JRE plugin and would never install it. There's no need for Java to run in a browser. Desktop apps is a different matter, Eclipse and such are quite useful. And it's eminently practical on the server side. But in the browser? That's completely legacy, and Apple should just stop distributing the plugin for Safari.
My bank (and most others in my country) require Java for online banking (switching is not really an option due to debt).
- All the fanboys who lorded the "virus immunity" (I personally know of several).
Since it's not a virus, they have a point. Idiot.
No one has even claimed the system is immune from attack. Find just a single Slashdot post that claims that. Just one.
APL just does things better (despite it may be a hardware thing, like high DPI screens everyone has)
It's more about overall quality than any one feature. Idiot.
How many cases for other devices do you know have a gaping hole in the middle for the exclusive purpose to show the company logo?
Why would you want to use a device from a company you dislike so much you feel compelled to hide a logo? Who cares about the logo? Honestly.
Fashionista Idiot.
So yeah. From my perspective? They needed to be taken down a notch.
Well yeah. You are an Apple Hater. You are desperate to paint Apple with the most negative brush possible - even when it make no sense.
That technological tourette syndrome you have, to babble meaninglessly about Apple technology without understanding what you are saying - that is what makes you an idiot. And it will remain so until you can free yourself of an abnormal hatred of Apple.
I use Apple products, I like Apple products - but I also have an Android phone, and other non-Apple products. The Android phone doesn't work as well but I don't contort myself into technologically indefensible positions just to glorify one side and bury the other.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Just disabled Java on a relative's MacBook, GoToMyPC now doesn't work...
some banks need it for authentication just because the consulting contract went to asshats("and we got this extra layer of security by installing these native dll's on the users machine through running a java plugin! oh and by the way this way you can buy an iphone, android and symbian applications for mobile use, since the default netbanking solution will not let you login, sure it would work perfectly after the login but the login can only be done through this java applet, so it's really high tech buy buy buy buy").
however, java plugin can be a pretty snazzy way to distribute enterprise wide real sw that works on both macs and pc's and starts from the intranet page with one click...
world was created 5 seconds before this post as it is.
You are an idiot.
--
Marcan, asshole and proud.
'xploits - do it.
Worms - do it.
Even viruses and tro-jans do it.
Let's do it-- Let's fall in p0wn.
If you don't get it, go watch the movie Tank Girl, or just go here http://www.youtube.com/watch?v=0pvMCu_YeYU
Why not just untick the 'Enable Java' checkbox under Security in Safari Preferences?
As the next Java update will put those plugin's back.
If you need to hit a link for the exploit, I would guess this is a malicious Java applet. What role does the browser and platform play then?
Join the Slashcott! Feb 10 thru Feb 17!
Because some of use have to use Oracle's webapps and those require java.
Yes, note the capital 'G' in the trojan plist file. Also, be sure to look in /Library/Preferences, and not /Users//Library/Preferences
The user name apparently got deleted from the pathname by the posting software; you presumably meant /Users/{your_login_name}/Library/Preferences.
Thank you AC! :-)
Having been a happy user of Little Snitch for years, I see apparently I don't even need to wait for it to warn me as the malware just suicides when seeing it
Too bad LS doesn"t exist (yet?) on Ubuntu...
(the latter is no pun indended, but hope instead!)
Herve S.
And thus the end of Apple's 'security via obscurity' is coming to a close. It was nice while it lasted, but it's time to move on
This is a flaw in Java, which isn't an Apple or "Unix" product. Apple is only responsible for it insofar that they bundle Java with their OS, which is going to end with their next major release of OS X.
Not quite. Apple has been porting their own implementation of Java. Updates for java are delivered through the "Software Update" functionality of OS X. The flaw was fixed well in advance of it being exploited on the Mac, putting the responsibility square on Apple. This was outside the control of Oracle, whom had already resolved the issue, and made a patch available to anyone not using OS X.
If Apple didn't insist on this level of control, I would be inclined to agree with you, but they took responsibility when they chose to port their own Java.
Except that this requires NO user interaction which means it got superuser without asking.
This is a flaw in the base OS that happens to be abused from a Java application (since it's easier to exploit an online application then a local). Get your head out of the sand before it's too late.
My suggestion: install Little Snitch, a (non free but brilliant) system that'll alert you whenever *anything* on your mac wants to connect outside.
Of course you'll immediately allow browsers, mail etc. connect to html port 80 or pop servers.
But any other surprising attempt to join any unnatural place will be interrupted, with an alert to you, where you can allow or not (just once, up to quit, or forever) with extreme fine grain on destinations (aanywhere/just this port/just this port and address...)
Little Snitch is so efficient that I read an analysis of the last virus, who just deletes itself when detecting a "Little Snitch" folder on the mac!
H.
Herve S.