New Trojan can install without password

Macintosh software/hardware discussion and troubleshooting

Moderator: James Steele

mhschmieder
Posts: 11419
Joined: Wed Jul 06, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Annandale VA

Re: New Trojan can install without password

Post by mhschmieder »

This is pretty upsetting to me because I do Java programming for a living, and I hate it when the language itself gets faulted across-the-board due to how it is used in browsers vs. the desktop (or, more often, gets confused with JavaScript, which has no relation to Java).

I am generally opposed to Java being used in browsers, and see no value in that, but it is how things started so there's a lot of legacy there (not so sure it shows up as much in newer stuff as it became more common to use Java server-side to produce HTML and other client content).

Anyway, the irony is that I disable Java in my browsers on Windows at work, but never bothered on the Mac as I didn't see the Mac as vulnerable or flakey. But it sounds like we have to disable Java on the DESKTOP to get around this trojan, so hopefully the "off then on" switching is sufficient, as I'm screwed otherwise.
Mac Studio 2025 14-Core Apple M4 Max (36 GB RAM), OSX 15.5, MOTU DP 11.34, SpectraLayers 11
RME Babyface Pro FS, Radial JDV Mk5, Hammond XK-4, Moog Voyager

Eugenio Upright, 60th Anniversary P-Bass, USA Geddy Lee J-Bass, Yamaha BBP35
Select Strat, 70th Anniversary Esquire, Johnny Marr Jaguar, 57 LP, Danelectro 12
Eastman T486RB, T64/V, Ibanez PM2, D'angelico Deluxe SS Bari, EXL1
Guild Bari, 1512 12-string, M20, Martin OM28VTS, Larivee 0040MH
mikehalloran
Posts: 16261
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: New Trojan can install without password

Post by mikehalloran »

mikehalloran wrote: Here's how to yell if you are affected and what to do about it.

http://gizmodo.com/5899352/mac-flashbac ... 0-infected

If you have any of the following installed, it won't get you.

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
Read the above.

Also, Apple has released two patches since April 3rd.
DP 11.34; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sequoia 15.4, USB4 8TB externals, Neumann MT48, M-Audio AIR 192|14, Mackie ProFxv3, Zoom F3 & UAC 232 32bit float recorder & interface; 2012 MBPs (x2) Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 NE Pro, Toast 20 Pro
mhschmieder
Posts: 11419
Joined: Wed Jul 06, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Annandale VA

Re: New Trojan can install without password

Post by mhschmieder »

I like James' Freudian slip: "here's how to YELL if you are affected... " :-)

My co-workers got back to me this weekend and don't think we'll experience an end user freak-out. My own systems are invulnerable as they all have XCode installed, since I am a registered Apple developer.

It's funny to see Apple issuing almost instantaneous updates to fix the problem, after reading all those "scare" articles trying to get us to think Apple won't know how to respond.
cuttime
Posts: 4516
Joined: Sun May 15, 2005 10:01 pm
Primary DAW OS: MacOS

Re: New Trojan can install without password

Post by cuttime »

mhschmieder wrote: My own systems are invulnerable as they all have XCode installed, since I am a registered Apple developer.
Interesting. How does this prevent a Java vulnerability? I've been polling my Mac using acquaintances, and I've yet to find a single infection. The estimated 600,000 infections seems high to me. Does anybody know of any actual infections first hand?
828x MacOS 15.5 M1 Studio Max 1TB 64G DP11.34
mikehalloran
Posts: 16261
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: New Trojan can install without password

Post by mikehalloran »

>How does this prevent...?<

I've posted the answer twice now. This particular malware uninstalls itself in the presence of certain applications. I have iAntivirus installed on all the Intel systems I maintain so none were infected. XCode was also on that list.

Apple just released a third Java update in 10 days. This one disables the automatic running of applets without permission. Close your browser before installing.
rhythm_kitchen
Posts: 126
Joined: Sun Oct 10, 2010 11:26 am
Primary DAW OS: MacOS
Location: SF, S.South Bay

Re: New Trojan can install without password

Post by rhythm_kitchen »

Most important thing is to not freak out and download just any code or trust that an email link is legit.

Apple's solution is to sandbox all third-party apps in the future. Since I don't work for Apple, I'll just say the Java hack (tabbed browser hack) has been around a long time, and a Cisco-brand router can block Java (check with Pace).

http://lacquer.fi/pauli/blog/2011/11/wh ... es-me-sad/

What's to come is inevitable.

Save OS from evil!
rhythm_kitchen
Posts: 126
Joined: Sun Oct 10, 2010 11:26 am
Primary DAW OS: MacOS
Location: SF, S.South Bay

Re: New Trojan can install without password

Post by rhythm_kitchen »

I would not trust Little Snitch, btw; there are Mac-only infections that disable outbound rule-sets.

PPC users at the moment must do this detection work manually. However, ClamXav 2.0 is available (10.5 and up)!

---> Flashback.G on Tiger: search your Shared folder for an invisible file with a suffix of .so

Most infections will crash your browser.

http://threatpost.com/en_us/blogs/new-v ... its-022412

2nd stage of infection:

If you see a Java popup with the forged "signed by Apple" certificate, DO NOT INSTALL.

So now, besides the stolen DigiNotar root certificate (SSL for your browser), there is this forged Java certificate.

Also apply the update for the audio file hack (Apple only).

There is talk about a PPC Flashback removal tool from Apple in the works (virtual), but the F-Secure or Apple removal tool is 10.6.8 or Lion only.
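The two checks the thread describes (the kill-switch application list mikehalloran quoted, and rhythm_kitchen's manual search of the Shared folder for a hidden .so file) as a single POSIX shell script. This is an added example, not code from the thread, from Apple, from F-Secure or from the malware itself. It assumes the quoted path list is accurate, that "shared folder" means /Users/Shared, and it adds a third check based on Flashback's publicly documented persistence method (DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist or a browser's Info.plist LSEnvironment), which the thread does not mention; the ROOT argument is a convenience so the script can be pointed at a mounted copy of a suspect volume or at a test tree.

```shell
#!/bin/sh
# flashback_check.sh - added example, not from the forum thread or any vendor tool.
# ROOT defaults to "/"; pass another prefix to scan a mounted volume or a test tree.

# Paths the thread says make Flashback skip its routine and delete itself.
# Kept one per line because several contain spaces.
KILLSWITCH_PATHS='/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# flashback_killswitch_present ROOT
# Returns 0 if at least one kill-switch path exists under ROOT, 1 otherwise.
# Prints every path it finds.
flashback_killswitch_present() {
    ks_root="${1:-/}"; ks_root="${ks_root%/}"
    ks_found=1
    # Here-document (not a pipe) so ks_found survives the loop in POSIX sh.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$ks_root$p" ]; then
            printf 'kill-switch path present: %s\n' "$ks_root$p"
            ks_found=0
        fi
    done <<EOF
$KILLSWITCH_PATHS
EOF
    return $ks_found
}

# hidden_so_files DIR
# rhythm_kitchen's manual check: list invisible (dot-prefixed) regular files
# ending in .so directly inside DIR. Returns 0 if any exist, 1 if none.
hidden_so_files() {
    so_dir="${1:-/Users/Shared}"
    [ -d "$so_dir" ] || return 1
    so_hits=$(find "$so_dir" -maxdepth 1 -type f -name '.*.so' 2>/dev/null)
    [ -n "$so_hits" ] || return 1
    printf '%s\n' "$so_hits"
    return 0
}

# dyld_insert_hooks ROOT
# Assumption, not from the thread: Flashback's publicly documented persistence
# via DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist or a browser's
# Info.plist (LSEnvironment). Only XML plists are grep-able; convert binary
# plists first with: plutil -convert xml1 FILE
dyld_insert_hooks() {
    dy_root="${1:-/}"; dy_root="${dy_root%/}"
    dy_found=1
    for f in "$dy_root"/Users/*/.MacOSX/environment.plist \
             "$dy_root"/Applications/Safari.app/Contents/Info.plist \
             "$dy_root"/Applications/Firefox.app/Contents/Info.plist; do
        [ -f "$f" ] || continue
        if grep -q 'DYLD_INSERT_LIBRARIES' "$f" 2>/dev/null; then
            printf 'DYLD_INSERT_LIBRARIES set in: %s\n' "$f"
            dy_found=0
        fi
    done
    return $dy_found
}

# flashback_report ROOT
# Runs all three checks. Returns 0 if no infection indicator is found, 1 otherwise.
# Kill-switch software is reported for information only: it is what the thread
# says made the malware abort, not proof of a clean or infected host.
flashback_report() {
    rp_root="${1:-/}"
    rp_status=0
    if flashback_killswitch_present "$rp_root"; then
        echo "at least one kill-switch application is installed"
    else
        echo "no kill-switch application found; Flashback would not have aborted"
    fi
    if hidden_so_files "${rp_root%/}/Users/Shared"; then
        echo "WARNING: hidden .so file(s) in the Shared folder"; rp_status=1
    fi
    if dyld_insert_hooks "$rp_root"; then
        echo "WARNING: DYLD_INSERT_LIBRARIES persistence found"; rp_status=1
    fi
    if [ "$rp_status" -eq 0 ]; then
        echo "no Flashback indicators found"
    fi
    return $rp_status
}

# Only run the report when a root path is given, e.g.:  sh flashback_check.sh /
if [ $# -ge 1 ]; then
    flashback_report "$1"
fi
```

Run it as `sh flashback_check.sh /` on the suspect machine; a non-zero exit means an indicator was found. The kill-switch check is deliberately separate from the exit status because the presence of Xcode or ClamXav only tells you the malware would have aborted, not that nothing else is wrong.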
mhschmieder
Posts: 11419
Joined: Wed Jul 06, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Annandale VA

Re: New Trojan can install without password

Post by mhschmieder »

BTW, after more research I found that it really is the Java plug-in version for the browser that is at fault after all, and not Java on the desktop.

Interesting timing though, with Oracle taking Google to court over Android's use of Java.
rhythm_kitchen
Posts: 126
Joined: Sun Oct 10, 2010 11:26 am
Primary DAW OS: MacOS
Location: SF, S.South Bay

Re: New Trojan can install without password

Post by rhythm_kitchen »

This is just the tip of the proverbial iceberg.

What is mind-blowing is that the Camino developers removed the Java plug-in at 2.1, then with 2.2 disabled all global Mac internet plug-ins for security reasons.

But why did Fx remove the option to disable the Java plug-in, a feature still found in Safari or earlier versions of Camino?

Polar opposite of the Camino developers.
Last edited by rhythm_kitchen on Mon Jun 18, 2012 10:46 am, edited 1 time in total.
zed
Posts: 3193
Joined: Sun Jun 19, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Vancouver, BC

Re: New Trojan can install without password

Post by zed »

mikehalloran wrote: If you have any of the following installed, it won't get you.

/Library/Little Snitch

I recommend Little Snitch. I like my computer asking permission before doing stuff.

I'm gonna have to trust that it is protecting me in this case.
MacPro 2.8 GHz 8-Core Intel Xeon | 14 GB RAM | OS 10.11.6 | DP 8
rhythm_kitchen
Posts: 126
Joined: Sun Oct 10, 2010 11:26 am
Primary DAW OS: MacOS
Location: SF, S.South Bay

Re: New Trojan can install without password

Post by rhythm_kitchen »

(edit) Apparently this is an Intel Only trojan.
rhythm_kitchen
Posts: 126
Joined: Sun Oct 10, 2010 11:26 am
Primary DAW OS: MacOS
Location: SF, S.South Bay

Re: New Trojan can install without password

Post by rhythm_kitchen »

For Snow Leopard users:

Apple releases a Java update, dated June 12, 2012
http://support.apple.com/kb/DL1550

10.6.8 (v1.1) update prior to Safari 5.1.1

http://reviews.cnet.com/8301-13727_7-20 ... -updaters/
mikehalloran
Posts: 16261
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: New Trojan can install without password

Post by mikehalloran »

Apple released a patch for Lion that removes this Trojan a few weeks ago through Software Update. I don't know about SL.
MIDI Life Crisis
Posts: 26285
Joined: Wed May 18, 2005 10:01 pm
Primary DAW OS: MacOS

New Trojan can install without password

Post by MIDI Life Crisis »

There was a SL update as well.
2013 Mac Pro 2TB/32GB RAM

OSX 10.14.6; Track 16; DP 12; Finale 28

rhythm_kitchen
Posts: 126
Joined: Sun Oct 10, 2010 11:26 am
Primary DAW OS: MacOS
Location: SF, S.South Bay

Re: New Trojan can install without password

Post by rhythm_kitchen »

July 9th is supposedly the date when DNS changers begin wreaking havoc again.

(edit - most of this post was confusing. Deleted.) Here's the list of security updates from Apple: http://support.apple.com/kb/HT1222

Lion https://discussions.apple.com/docs/DOC-2465

Snow Leopard conundrum. Confusing, as where is the patch? The 10.6.8 security update or these recent Java updates?

Firefox 3.6.28 changes which Java version it supports.
http://www.java.com/en/download/faq/fir ... plugin.xml

Java test http://www.java.com/en/download/installed.jsp
Last edited by rhythm_kitchen on Tue Jun 19, 2012 12:14 pm, edited 2 times in total.