New Targeted Mac OS X Trojan Requires No User Interaction

An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it at 'SX/Sabpab-A.'"

Missing from summary

[dr2chase]

from TFA: "if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe" (for now).

But it looks like the good times are over.

Re:Missing from summary

Any reason to worry or to have our belief in Java security shattered?

Java has security?

Re:Missing from summary

[errandum]

Well, the general idea is that they were very secure. Not too long ago I was modded into oblivion because I said windows is, by design, more secure that Mac OS. So obviously, I dropped the subject and never posted about it again.

If no one is allowed to talk about it, the general impression will be that they are, indeed, more secure (at least here).

Re:Missing from summary

Who ever claimed immunity? The claim that OS X is immune to viruses is just a big fat straw man. It's about as retarded as "I heard your BMW broke down, so what they say about superior German engineering is a lie!".

It takes a special kind of ignorance to go there with any kind of seriousness, an inability to separate fantasy from reality as bad as those you attempt to attack.

It's a far cry from not needing to be concerned about viruses, which has actually held up in comparison to windows for example.

Re:Missing from summary

Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered? Or just a conspiracy of several factors in the Mac environment?

The malware writers could in theory do the same thing to Linux distros. However the openjdk and java on Linux is essentially different in as much as the methods to run and install to a user home directory a downloaded .so the way this malware does cannot happen on Linux distros in as much as the user is the only one on Linux who can direct which binaries run from within a user profile at login.

I know this is a mouthful for those who do not understand but I would highly recommend looking into how exactly this malware works. Here is how the default set-up of OS X can be subverted to install a binary to a hidden user directory without user permission or knowledge. Then download a binary which is really smart that will try to get user permission to install system wide and if it does not receive this permission it just does it to the ill informed Mac user without permission. With Linux the system would not allow a .so to be loaded to a user /home directory and then set it to run at login. This is the problem with Mac security there is also a huge hole in the way binaries can run from within a /home at login without permission!

Here is a run-down of how it works and why it will only work on Mac because its method of infection does not require user interaction to install the payload to a users home directory with Mac OS. However I have the feeling that this security nightmare will be addressed by the Apple coders simply by doing things the way most Linux distros do!

From a CNET article:

How does it work?

The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

First step: Exploiting Java
When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following: /Library/Little Snitch /Developer/Applications/Xcode.app/Contents/MacOS/Xcode /Applications/VirusBarrier X6.app /Applications/iAntiVirus/iAntiVirus.app /Applications/avast!.app /Applications/ClamXav.app /Applications/HTTPScoop.app /Applications/Packet Peeper.app

If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

Second step: Downloading the payload
When the jupdate program executes, it will connect to a remote server and download a payload program that is the

Re:Missing from summary

[Billly+Gates]

I have said this before here and will say this again.

For the Tech Support pros reading this
1. Use FoxitPDF or Summutra PDF. They will at least prompt you before blindly opening a PDF from a website and executing it in no sandbox with full javascript unlike Adobe Reader.
2. If you must support Java for corporate users create a GPO that enforces Java in Intranet only! No internet zone java if you must use crappy Kronos or ADP apps. If the users need Java in IE for an external site add it to a special custom security zone.
3. Use Chrome. It has its own PDF reader, does not support Java, and updates flash automatically without user interaction
4. Use Flashblock and keep it for sites like Pandora or youtube if you support home users or need training sessions in youtube for work.
5. Use antivirus software. THey are getting much better and no longer slow your whole computer down so much. Even the latest Norton is as light as MSE which is shocking! If you are one of the smirk users who are proud that you are virus free I have to say your an idiot and infected. How? Last week malware was hosted right here on slasdhot in an ad! If you came to slashdot last weekend or before you are infected. Avast! and MSE are both free and pretty decent and only add a few seconds more of boot time.

Java is not going away and neither is flash nor pdfs. Follow the above steps and you take care of 85% of all security issues unless you run unpatched Windows. I use Java for Eclipse and have Java disabled in all my browsers. Disable it in IE even if you do not use it. Some exploits may call to IE helper ojbects to execute so its a good idea anyway.

If you do IT and do not follow all of these procedures you are lazy and so many are as many get constant support calls for fake virus scans and slow computers through constant infection from running unpatched old versions of flash, java, and Windows. If you must run insecure old java then do it right and disable it from all sites except Kronos and ADP. That is it! Your infects will drop to near zero

Re:Missing from summary

[wmbetts]

All current versions of OSX are 100% UNIX. It received it's certification in 07 if I remember correctly.

Re:Missing from summary

[Atzanteol]

And it was patched much faster by Oracle and pushed out quicker by the Java install because Microsoft doesn't have insane control issues like Apple does.

Re:Missing from summary

[SiMac]

I'm not sure what you're talking about here. If you have access to a user's account, you can set a binary to run when a user logs in on Linux without administrator privileges. You can call gksudo to put up a dialog asking for administrative privileges so you can modify other users' files as well, or just put up the dialog yourself and hope the user enters their password. This is exactly the same level of security as on OS X. If there's a reason this doesn't work on Linux, you have not communicated it.

It's unclear to me where the .so comes in, as opposed to a regular binary, but you are aware that you can set LD_PRELOAD and LD_LIBRARY_PATH to whatever you want, right?

Re:Missing from summary

[Guy+Harris]

Blah, I should have looked it up before posting. OSX version 10.5 and higher running on Intel processors are UNIX 03 certified.

http://en.wikipedia.org/wiki/Single_UNIX_Specification#OS_X

Actually, OS X 10.5 and 10.6 running on Intel processors are UNIX 03 certified, but 10.7 isn't.

But you were probably responding to the poster distinguishing between "OS X" and "UNIX". The problem is that "UNIX" can either mean "an operating system from AT&T^WNovell^WSCO with "UNIX" in its name" or "a specification for operating system APIs and commands". The UNIX trademark refers to the latter, and, in that sense, "UNIX" is not an operating system, it's a specification, and it's not clear what it would mean to have malware targeted at it, unless the malware is portable malware that only uses Single UNIX Specification APIs.

Re:Missing from summary

[Guy+Harris]

Putting an @reboot entry in the user's crontab would start anything you want when the machine boots, without the user even logging in.

...and would do so not only on OS X, but on many Linux distributions and FreeBSD and NetBSD and OpenBSD and....

Re:Missing from summary

[kestasjk]

Here, or here. They qualify it a bit more accurately now, for obvious reasons, but people really did claim immunity.

Re:Missing from summary

[Glarimore]

I reformat my PC once a year on the off chance there is something going on I'm not aware of... and it never takes me more than an hour and a half to do so.

Re:Missing from summary

[Richard_at_work]

Really, they don't need a wake up call?

In security update 2012-001 there are 36 patched issues, almost all of which are labelled "may lead to the disclosure of sensitive information", including one TimeMachine issue where a remote attacker could gain access to backups...

And I'm a Mac user and Apple liker!

Re:Missing from summary

[TheRaven64]

It is a real shame Apple hate Java with a passion. It makes sense since Java can and does run well everywhere it is permitted to - but Steve Jobs wanted to silo Apple, so he could make more money

Wow, someone doesn't remember history very well. NeXT rewrote some of their core products (e.g. WebObjects) in Java, replacing the Objective-C version. When OS X launched, Java was one of three first-class development environments (ObjC/Cocoa and C/Carbon being the other two), including a set of Cocoa bindings for better integration with the host environment. It had a few tricks that weren't present in other JVMs at the time, such as the ability to have only one copy of the standard classes in memory even if you had multiple Java applications running. This code was eventually contributed upstream by Apple and is now present in the official JRE.

The Cocoa/Java ('Mocha') bindings were eventually deprecated because no one was using them.

IIRC the earlier iPhones had JVMs in hardware

The original iPhone had an ARM11 core with Jazelle, but even that doesn't mean 'JVM in hardware' that they had to'spend development effort to block'. It means that it had hardware that executed a subset of Java bytecodes directly and trapped to a VM for the rest. To support it they would have had to:

• Pay a license to ARM and Sun for every iPhone (the Jazelle stuff is disabled by default and must be licensed separately
• Port the Jazelle VM to iOS.

They spent effort in not doing this in the same way that I spent effort in not porting Java to BeOS.

The later iPhones have a Cortex A8 processor. The Jazelle mode in all of these chips does not exist. If you try to enter Jazelle mode, you get an error and return to ARM or Thumb mode. Thumb-2EE mode is supported, but that's just a few small extensions to Thumb-2 mode to make it a slightly more useful target for JIT compilers for Java-like languages. If they had originally supported Java, then they would have needed to spend more time and money porting a different VM to iOS for the newer devices and a lot more time testing that the pure software VM worked the same way as the hardware one.

Oh, and on devices with more than about 32MB of RAM, the hotspot JIT actually runs faster than the Jazelle VM, so using Jazelle on the iPhone would have been entirely pointless.

Re:Contradiction

[ninetyninebottles]

This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"

It is trying to hide its similarity to other malware so that a new signature is needed to detect this specific variant. So while anti-virus programs may not detect this now, within a few days they probably will, at least until there is yet another variant. Apple is, of course, including their own signatures right in the OS so that makes antivirus less attractive as well, although Apple's response time has been hit and miss.

Re:No user interaction

No, because you still have to navigate to a web site. It is a trojan because they need to entice you to do so.

Re:No user interaction

[ninetyninebottles]

Isn't a Trojan that requires no user interaction by definition a Virus?

Not really.

Trojan - malware posing as legitimate software.

Virus - malware that copies itself either replacing or attaching to legitimate software.

Worm - malware that copies itself from system to system automatically without user interaction.

This software seems to be automatically installed when the user follows a link in their Web browser, but there is no indication that it in any way sends more links to people. So this malware does not fit neatly into any of the common categories. "Virus" seems to be a catch all term these days so you might as well call it that.

My semi-regular Mac accounts post

[93+Escort+Wagon]

Mac users need to stop running their day-to-day stuff under Administrator accounts. Create a new account (if your account is "joe", call this new one "joe_admin"); give it admin permissions; make sure you can log in with it; then (and ONLY then!) remove the admin permissions from your personal account. And then... keep using the same account you've always been using.

On those rare occasions you need to use admin permissions - such as when you are installing software - you'll be prompted to authenticate as an admin, just like you already are. The only difference is you'll need to type that new admin account's ("joe_admin") into the authentication window rather than use your own account. It's brain-dead simple.

The reason for this (in case you're saying "but the Mac already warns you to authenticate, why bother?") is, when your account is an admin account, you're in the "admin" group (duh). The "admin" group has write permissions into the /Applications and /Library folders. All a bad guy needs to do to get around those authentication warnings is to invoke a bash script (or Applescript or whatever) that makes the necessary changes outside of the GUI.

If you're not running as an admin, a malicious script can still theoretically mess with your personal files and folders; but not the system-level ones.

Just be sure not to panic & delete the wrong f

[Kenja]

You are looking for com.apple.PubSabAgent.pfile & com.apple.PubSabAGent.plist and NOT com.PubSubAgent.plist or com.PubSubAgent.pfile.

Re:Those idiots at Microsoft

[sqrt(2)]

This is a flaw in Java, which isn't an Apple or "Unix" product. Apple is only responsible for it insofar that they bundle Java with their OS, which is going to end with their next major release of OS X.

Re:No user interaction

No, viruses propagate. Worms self-propagate.

Re:No user interaction

[Altieres+Rohr]

The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some defintions, and, by others, a worm is any malware that spreads by itself but does not parasite legitimate software (thus why "USB worms").

Although the Morris worm did not require user interaction, this is not true of all future malware that would be considered a worm. Malware that copies itself to network drives, P2P software shared folders, or attaches itself to or sends e-mail, IM or IRC messages are all worms.

As for trojans, any malware that does not replicate is a trojan. Back in the day, and even today, the only way to convince a user to run such software is by advertising it as another piece of software - thus why the trojan horse definition. Exploit code changed that, but they're all still trojans, and most still fallback to advertising themselves as a Flash player plugin or video codec when the exploit doesn't work. In any case, this new malware doesn't replicate, so it is a trojan.

There is no malware category to describe code that requires no user interaction to run. Exploits, worms and viruses and trojans all can do it, but that's not required by their definitions.

Reference: http://www.f-secure.com/en/web/labs_global/threat-types

Re:No user interaction

[ninetyninebottles]

The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some defintions, and, by others, a worm is any malware that spreads by itself but does not parasite legitimate software (thus why "USB worms").

I worked in the security industry for many years and never heard anyone call something a "usb worm". If it is copying itself as the result of user interaction, we always called it a virus. If it spread on its own, it was a worm. The definition of "worm" you provide does not seem to differentiate itself from a virus in any way. Something that copies itself via shared disks is almost the classic poster child for a virus. The term originated talking about malware spread on floppies.

Darn you kids and your newfangled definitions!

Re:No user interaction

[Altieres+Rohr]

Mass-mailers requiring user interaction are called worms since forever. But many older worms used some form of exploit code, and Melissa was called a virus because it was actually an Office file infector (a macro virus). It's easy to see the reason for confusion.

Love Letter was already being called a worm without exploiting any flaws back in 2000, though*, so was Sircam in 2001 and Bugbear/Thanatos in 2002. By the time Netsky, Beagle and Mimail were around, it was pretty clear a worm was any malware that replicated itself completely over a network and without the use of a host file. When USB drives became common, the term was used for those as well. Floppy viruses infected the boot sector ("infected" being the keyword); malware that spreads over USB just use the Windows autorun function.

Any malware parasite can infect a program that will end up in a USB drive, in the same way that the Parite virus ended up spreading over e-mail when it infected a copy of Beagle (IIRC). A USB worm specifically looks for connected USB drives and copies itself to them. There's a difference.

* http://www.cert.org/advisories/CA-2000-04.html

Best protection is abstenance

[__aazsst3756]

To be specific uninstall Java. I did on my wife's mac, and she is yet to miss it. There is always the sandboxed java built into chrome if needed.