New Targeted Mac OS X Trojan Requires No User Interaction
An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'"
So, what you're saying is, It Just Works?
from TFA: "if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe" (for now).
But it looks like the good times are over.
First post!!
The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products.
then
This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.
Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"
Sent from my MAC Mini
I hope the recent rash of malware for the Mac will serve to change the culture of security at Apple. They have a lot of really good technology in that regard and many very good coders who work with security as a priority (they have a lot of old-school UNIX guys these days). The problem is, it is not a priority for Apple or part of their culture. Some Apple software ships with what looks like no security review at all and no real consideration, while other software clearly was architected with that as a design goal.
They have some very nice sandboxing, but they don't apply it very widely within OS X, even when there is no pain to the user or developer. It is like they just don't want to spend money and resources on that sort of hardening. You send a security hole to Apple and sometimes you hear back the next day and it is fixed in short order. Other times you hear nothing or malware is known and spreading for weeks before Apple bothers to issue a filtering signature.
Hey Apple! Wake up and smell the coffee. Dump some of your cash reserves into expanding work in security and having some experts paying attention and getting things done. "Think Different" about security and listen to the people you already have that have created groundbreaking security systems elsewhere.
Cue the corporation-worshiping consumers willing to abandon human dignity in defense of a non-living multinational corporate person.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
Unless you know you need Java, disable it. Also, install something like NoScript for whatever browser you use. You'll be safe then, at least against the types of attacks we've been seeing.
I don't recall there ever being a self-replicating worm for a *nix platform that could infect you just by being unpatched and connected to the network; please correct me if I'm wrong. You have to actually navigate to an infected site for these trojans to get you.
If you build it, nerds will come. Soylentnews.org
serves to reinfo/rce long term survival
So... rape condom?
This is inevitable, and will continue. OS X has gone from 2% to an estimated 14% market share since 2003.
Android has something like a 47% share in the smartphone space, and there's a report of malware weekly.
I think it's fair to say that it's easier to find a hole (ugh, here comes the 12 year-old humor) than to imagine all the ways people might come up with. You simply need a large enough target to make it worth their while.
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'
Those names are very un-Apple. How about just 'iTrojan'.
Or, to avoid confusion with the previous trojan...
'The New iTrojan.'
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
"Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'"
G3ckoG33k calls it BotOxAss-A.
The only companies finding these "trojans" are RUSSIAN.
And BTW, Kaspersky is known for creating viruses, releasing them and then claiming to be the best at finding them.
Mac users need to stop running their day-to-day stuff under Administrator accounts. Create a new account (if your account is "joe", call this new one "joe_admin"); give it admin permissions; make sure you can log in with it; then (and ONLY then!) remove the admin permissions from your personal account. And then... keep using the same account you've always been using.
On those rare occasions you need to use admin permissions - such as when you are installing software - you'll be prompted to authenticate as an admin, just like you already are. The only difference is you'll need to type that new admin account's name ("joe_admin") into the authentication window rather than use your own account. It's brain-dead simple.
The reason for this (in case you're saying "but the Mac already warns you to authenticate, why bother?") is, when your account is an admin account, you're in the "admin" group (duh). The "admin" group has write permissions into the /Applications and /Library folders. All a bad guy needs to do to get around those authentication warnings is to invoke a bash script (or Applescript or whatever) that makes the necessary changes outside of the GUI.
If you're not running as an admin, a malicious script can still theoretically mess with your personal files and folders; but not the system-level ones.
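The post above describes the risk in terms of the "admin" group's write access to /Applications and /Library. The following script is an added example, not code from the thread: it audits the account it runs under and reports whether that account is in the admin group and whether it can write to those two folders without an authentication prompt. It assumes only POSIX `id` and `test`, so it works on a stock Mac; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the current account has
# the unprompted write access to system folders that admin-group membership
# grants. Only POSIX tools (id, test) are used.

# in_group NAME -> returns 0 if the current user is a member of group NAME
in_group() {
  for g in $(id -Gn); do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}

# writable_dirs DIR... -> prints each existing DIR the current user can write
# to; returns 0 if at least one was writable, 1 if none were
writable_dirs() {
  any=1
  for d in "$@"; do
    if [ -d "$d" ] && [ -w "$d" ]; then
      echo "$d"
      any=0
    fi
  done
  return $any
}

# audit_account -> prints a short report; returns 0 only when the account is a
# standard user with no unprompted write access to the folders the post names
audit_account() {
  status=0
  if in_group admin; then
    echo "WARNING: $(id -un) is in the admin group"
    status=1
  else
    echo "OK: $(id -un) is not in the admin group"
  fi
  # A script running as an admin user can drop files here without any
  # authentication dialog, which is the bypass the post describes.
  if w=$(writable_dirs /Applications /Library); then
    echo "WARNING: writable by this account without a prompt:"
    echo "$w"
    status=1
  else
    echo "OK: /Applications and /Library are not writable by this account"
  fi
  return $status
}

audit_account || echo "Consider moving day-to-day work to a standard account."
```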
#DeleteChrome
This attack is done by taking advantage of an exploit in the Java plugin. There are also lots of exploits in Flash (unless they have all been found and fixed...) You should try using Chrome and Click to Play: https://plus.google.com/118187272963262049674/posts/Mmgbr3BcYWb
If they hadn't written this crappy code and had used *nix instead, this wouldn't have happened.
You are looking for com.apple.PubSabAgent.pfile & com.apple.PubSabAGent.plist and NOT com.PubSubAgent.plist or com.PubSubAgent.pfile.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
There are no viruses / trojans that affect Macs
Even if there were, it wouldn't matter because Macs are immune due to their inherent superiority.
After all, the Mac fanboys have been telling us this for more than 10 years now. They couldn't possibly be wrong.
Fix available here.
Not perfect, but less likely to be exploited and get to my host machine. I don't do much on OS X any more; I moved all the video editing and audio DAW work to Win7 because I can build my own boxes to my spec that way.
Hello to my fav NT4 machine at 31 jing-ring street Beijing !
"If any question why we died, Tell them because our fathers lied."
Guess it's time to start treating my Mac computers the same way I treat my Windows computers - in need of extra care and protection against external attacks.
And so I've just disabled my Java and Quicktime plugins. Java because that's where all the current attacks are focused (and I never use it anyways), Quicktime because I never use it, either, and a smaller attack area is always good. I still visit enough sites that I need Flash enabled, but that's currently my only plugin (and protected by some heavy blocking rules).
I'll also be much more strict about keeping everything up-to-date, and all the other basic security practices.
Next, guess I need a basic virus-scanner. The only GPL one I see is Clam, which, last time I used it, was completely ineffective at stopping viruses. The one I use on Windows, MSE, is naturally not available on the Mac. So, any suggestions?
Turn.
Off.
Java.
Yes, note the capital 'G' in the trojan plist file. Also, be sure to look in /Library/Preferences, and not /Users//Library/Preferences where there is a legitimate file called com.apple.PubSubAgent.plist (without the capital G).
The correct place to look for the trojan shouldn't have more than about 30 plist files listed. If there are several screens full of plist files, (I have 120+ on my OS 10.5.8 Mac) you're probably looking in the wrong place.
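The two posts above (the one naming com.apple.PubSabAgent.pfile / com.apple.PubSabAGent.plist and the follow-up about the capital 'G' and the legitimate com.apple.PubSubAgent.plist) amount to a manual file check. The script below is an added example, not code from the thread, that performs that check exactly as described: it matches the indicator names case-sensitively so the legitimate PubSubAgent file is not mistaken for the trojan, and it looks in both preference folders the posts mention. The function name and the output format are my own.

```shell
#!/bin/sh
# Added example (not from the thread): look for the SabPub preference-file
# names quoted in the thread, distinguishing them from the legitimate
# com.apple.PubSubAgent.plist by exact, case-sensitive filename match.

# File names given in the thread as belonging to the trojan.
SABPUB_INDICATORS="com.apple.PubSabAgent.pfile com.apple.PubSabAGent.plist"
# Legitimate Apple file that differs only by a few letters (PubSub vs PubSab).
LEGIT_NAME="com.apple.PubSubAgent.plist"

# check_prefs_dir DIR -> prints one line per indicator present in DIR;
# returns 0 if any indicator was found, 1 if none were
check_prefs_dir() {
  dir=$1
  found=1
  for name in $SABPUB_INDICATORS; do
    # [ -e ] compares the exact name, so a case-insensitive or wildcard
    # search that would also hit the legitimate file is avoided.
    if [ -e "$dir/$name" ]; then
      echo "INDICATOR: $dir/$name"
      found=0
    fi
  done
  if [ -e "$dir/$LEGIT_NAME" ]; then
    echo "benign: $dir/$LEGIT_NAME (legitimate PubSubAgent preferences)"
  fi
  return $found
}

# Scan the system folder the thread points at and the per-user folder where
# the legitimate file normally lives, so both are reported explicitly.
for prefs in /Library/Preferences "$HOME/Library/Preferences"; do
  if [ -d "$prefs" ]; then
    check_prefs_dir "$prefs" || echo "clean: no SabPub indicator names in $prefs"
  fi
done
```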
A large part of the blame for this rests on Sun/Oracle's idiotic decision to install the browser plugin by default when the Java runtime is installed.
Most users don't need Java at all. Of those who do, a majority of them don't need it in the browser. And of those who do need it in the browser, they only need it for a small handful of websites, not any and every site on the entire WWW. What should happen is that Java installs by default for desktop applications only with no browser plugin. If the browser plugin IS enabled, then by default it should work only on explicitly whitelisted sites or domains, not everywhere. Of course, there should be methods for system administrators to roll out custom whitelist configurations to users in bulk. But apparently no one at Oracle has heard of the principle of least privilege, so we get crap like this every couple of months.
If you have Java, please reevaluate whether or not you really need it. If you do need it, but only for desktop apps (and/or development) and not for browser based apps, then remove the browser plugin. There are virtually no legitimate public websites that use Java, but a lot of malware that exploits the plugin for evil purposes.
...so it's more of a trojan than a virus, as the user did have to do SOMETHING...
---- Booth was a patriot ----
It would really be nice to think that the majority of /.ers are mature enough to just accept that other OSes exist and that some people prefer them. However, apparently most of us are children when it comes to OS preference and have to take an antagonistic and condescending approach to dealing with anyone who differs from our preference. Sad.
My first computer was an Amiga 500. Then I bought an IBM PC clone. I have used MS products for years (DOS 4 -> Windows XP). I didn't particularly like them as they were rather flaky for much of that time, but they got the job done, and my employers used them so I needed to be familiar with them as well. Eventually I bought an iMac and tried OS/X and I like it. I still use Windows XP when I want to play games, but do the majority of my actual computer using on the Mac side of bootcamp. I have used Linux on the desktop and on the server for the past few decades, plus BSD etc. I have an Android smart phone ATM.
I try to use the right tool for the job at any point. I *like* OS/X because it works for me quite well and it seems fairly reliable. Other than that I seldom think about the OS. It's a nice form of Unix and it works well, that is about it.
OS Wars are so childish, unless you are actively developing an OS yourself and can hold discussions based on merit and not personal opinion/bias...
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Does Little Snitch give an alert when this malware calls out?
Why would anyone want Java in their browser? I don't have the JRE plugin and would never install it. There's no need for Java to run in a browser. Desktop apps is a different matter, Eclipse and such are quite useful. And it's eminently practical on the server side. But in the browser? That's completely legacy, and Apple should just stop distributing the plugin for Safari.
I guess the default is that it's not installed on Chrome. The default, for some bizarre reason, is to install this shovelware on Safari. Quit Safari, then remove it with:
$ sudo -s
# rm -f /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin
# rm -rf /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin
# exit
Restart Safari. Gone!
Why would anyone want Java in their browser? ...
Because I like using iKVM and iLO to access my server consoles.
Apple's latest security update (from Thurs) turned off automatic execution of java applets. User can still turn it back on if he wants, but for nearly everybody this is going to be moot.
When the first one came out, I thought Apple might use it as a justification for dropping OS/X support for Java completely. It's always seemed like a red-headed stepchild on the platform. It seems like the only one where updates come from someone other than Sun (Well, Oracle now,) and those updates have always seemed like they're few and far between. I bet very few tears would be shed over at Apple if Java just went away.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Came here wondering the same thing.
Applets failed before they even had a chance to take off. Who the hell is still installing the Java plugin?
To be specific, uninstall Java. I did on my wife's Mac, and she has yet to miss it. There is always the sandboxed Java built into Chrome if needed.
Where the fuck is Steve Jobs? Guess counting iTrojans in iHeaven. Stupid moron.
"Doing what i can, with what i have." ~ Burt Gummer
Came here wondering the same thing.
Applets failed before they even had a chance to take off. Who the hell is still installing the Java plugin?
Yeah; Java applets were a fad in the late 1990s. Last time I saw one, I was using Windows 95.
In Norway, most banks support a Java-based sign-on solution as one of the login methods for their sites.
Java applets still have their (painful) uses.
Some banks need it for smartcard based authentication. (Do not ask me why.) Also, me like this nice chromatic guitar tuner at www.seventhstring.com.
Why would anyone want Java in their browser? I don't have the JRE plugin and would never install it. There's no need for Java to run in a browser. Desktop apps is a different matter, Eclipse and such are quite useful. And it's eminently practical on the server side. But in the browser? That's completely legacy, and Apple should just stop distributing the plugin for Safari.
My bank (and most others in my country) require Java for online banking (switching is not really an option due to debt).
- All the fanboys who lorded the "virus immunity" (I personally know of several).
Since it's not a virus, they have a point. Idiot.
No one has even claimed the system is immune from attack. Find just a single Slashdot post that claims that. Just one.
APL just does things better (even if it may be a hardware thing, like the high-DPI screens everyone has)
It's more about overall quality than any one feature. Idiot.
How many cases for other devices do you know of that have a gaping hole in the middle for the exclusive purpose of showing the company logo?
Why would you want to use a device from a company you dislike so much you feel compelled to hide a logo? Who cares about the logo? Honestly.
Fashionista Idiot.
So yeah. From my perspective? They needed to be taken down a notch.
Well yeah. You are an Apple Hater. You are desperate to paint Apple with the most negative brush possible - even when it makes no sense.
That technological Tourette syndrome you have, to babble meaninglessly about Apple technology without understanding what you are saying - that is what makes you an idiot. And it will remain so until you can free yourself of an abnormal hatred of Apple.
I use Apple products, I like Apple products - but I also have an Android phone, and other non-Apple products. The Android phone doesn't work as well but I don't contort myself into technologically indefensible positions just to glorify one side and bury the other.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Just disabled Java on a relative's MacBook, GoToMyPC now doesn't work...
Some banks need it for authentication just because the consulting contract went to asshats ("and we got this extra layer of security by installing these native DLLs on the user's machine through running a Java plugin! Oh, and by the way, this way you can buy iPhone, Android and Symbian applications for mobile use, since the default netbanking solution will not let you log in. Sure, it would work perfectly after the login, but the login can only be done through this Java applet, so it's really high tech, buy buy buy buy").
However, the Java plugin can be a pretty snazzy way to distribute enterprise-wide real software that works on both Macs and PCs and starts from the intranet page with one click...
world was created 5 seconds before this post as it is.
'xploits - do it.
Worms - do it.
Even viruses and tro-jans do it.
Let's do it-- Let's fall in p0wn.
If you don't get it, go watch the movie Tank Girl, or just go here http://www.youtube.com/watch?v=0pvMCu_YeYU
Why not just untick the 'Enable Java' checkbox under Security in Safari Preferences?
As the next Java update will put those plugins back.
If you need to hit a link for the exploit, I would guess this is a malicious Java applet. What role does the browser and platform play then?
Join the Slashcott! Feb 10 thru Feb 17!
Because some of us have to use Oracle's webapps and those require Java.
Yes, note the capital 'G' in the trojan plist file. Also, be sure to look in /Library/Preferences, and not /Users//Library/Preferences
The user name apparently got deleted from the pathname by the posting software; you presumably meant /Users/{your_login_name}/Library/Preferences.
Thank you AC! :-)
Having been a happy user of Little Snitch for years, I see apparently I don't even need to wait for it to warn me as the malware just suicides when seeing it
Too bad LS doesn't exist (yet?) on Ubuntu...
(the latter is no pun intended, but hope instead!)
Herve S.
And thus the end of Apple's 'security via obscurity' is coming to a close. It was nice while it lasted, but it's time to move on
Except that this requires NO user interaction which means it got superuser without asking.
This is a flaw in the base OS that happens to be abused from a Java application (since it's easier to exploit an online application than a local one). Get your head out of the sand before it's too late.
My suggestion: install Little Snitch, a (non free but brilliant) system that'll alert you whenever *anything* on your mac wants to connect outside.
Of course you'll immediately allow browsers, mail etc. connect to html port 80 or pop servers.
But any other surprising attempt to join any unnatural place will be interrupted, with an alert to you, where you can allow or not (just once, up to quit, or forever) with extreme fine grain on destinations (anywhere/just this port/just this port and address...)
Little Snitch is so efficient that I read an analysis of the last virus, which just deletes itself when detecting a "Little Snitch" folder on the mac!
H.
Herve S.