New Trojan can install without password

[mhschmieder]

This is pretty upsetting to me because I do Java programming for a living, and I hate it when the language itself gets faulted across-the-board due to how it is used in browsers vs. the desktop (or, more often, gets confused with JavaScript, which has no relation to Java).

I am generally opposed to Java being used in browsers, and see no value in that, but it is how things started so there's a lot of legacy there (not so sure it shows up as much in newer stuff as it became more common to use Java server-side to produce HTML and other client content).

Anyway, the irony is that I disable Java in my browsers on Windows at work, but never bothered on the Mac as I didn't see the Mac as vulnerable or flakey. But it sounds like we have to disable Java on the DESKTOP to get around this trojan, so hopefully the "off then on" switching is sufficient, as I'm screwed otherwise.

[mikehalloran]

Here's how to yell if you are affected and what to do about it.

http://gizmodo.com/5899352/mac-flashbac ... 0-infected

If you have any of the following installed, it won't get you.

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Read the above.

Also, Apple has released two patches since April 3rd.

[mhschmieder]

I like James' Freudian slip: "here's how to YELL if you are affected... "

My co-workers got back to me this weekend and don't think we'll experience an end user freak-out. My own systems are invulnerable as they all have XCode installed, since I am a registered Apple developer.

It's funny to see Apple issuing almost instantaneous updates to fix the problem, after reading all those "scare" articles trying to get us to think Apple won't know how to respond.

[cuttime]

My own systems are invulnerable as they all have XCode installed, since I am a registered Apple developer.

Interesting. How does this prevent a Java vulnerability? I've been polling my Mac using acquaintances, and I've yet to find a single infection. The estimated 600,000 infections seems high to me. Does anybody know of any actual infections first hand?

[mikehalloran]

>How does this prevent...?<

I've posted the answer twice now. This particular malware uninstalls itself in the presence of certain applications. I have iAntivirus installed on all the Intel systems I maintain so none were infected. XCode was also on that list.

Apple just released a third Java update in 10 days. This one disables the automatic running of applets without permission. Close your browser before installing.

[rhythm_kitchen]

Most important thing is to not freak out and download just any code or trust that an email link is legit.

Apple's solution is to sandbox all third party apps in the future since I don't work for apple I'll just say, the JAVA hack (tabbed browser hack) has been around a long time and a Cisco Brand router can block Java (check with Pace).

http://lacquer.fi/pauli/blog/2011/11/wh ... es-me-sad/

What's to come is inevitable.

Save OS from evil!

[rhythm_kitchen]

I would not trust Little Snitch btw there are Mac only infections that disable outbound rule-sets.

PPC users at the moment must do this detection work manually. However ClamXav 2.0 (10.5 on up is available)!

---> Flashback.G on Tiger search your shared folder for an invisible file with a suffix of .so

Most infections will crash your browser.

http://threatpost.com/en_us/blogs/new-v ... its-022412

2nd stage of infection:

If you see an JAVA popup with the forged 'signed by apple certificate' DO NOT INSTALL.

So now besides the stolen DigiNotar Root certificate (SSL for your browser) there is this forged JAVA certificate.

Also apply the update for the audio file hack (Apple only).

There is talk about a PPC flashback removal tool from Apple in the works (virtual) but f-secure or the Apple removal tool is 10.6.8 or Lion only.

[mhschmieder]

BTW, after more research I found that it really is the Java plug-in version for the browser that is at fault after all, and not Java on the desktop.

Interesting timing though, with Oracle taking Google to court over Android's use of Java.

[rhythm_kitchen]

This is just the tip of the proverbial iceberg.

What is mind blowing is Camino developers had removed the java plug-in at 2.1 then w/ 2.2 disabled all global Mac internet plug-ins for security reasons.

But why Fx removed the option to disable the java plug-in feature still found in Safari or earlier versions of Camino?

Polar opposite of the Camino developers.

[zed]

If you have any of the following installed, it won't get you.

/Library/Little Snitch

I recommend Little Snitch. I like my computer asking permission before doing stuff.

I'm gonna have to trust that it is protecting me in this case.

[rhythm_kitchen]

(edit) Apparently this is an Intel Only trojan.

[rhythm_kitchen]

For Snow Leopard users:

Apple releases a Java update, dated June 12, 2012
http://support.apple.com/kb/DL1550

10.6.8(v1.1) update prior to Safari 5.1.1

http://reviews.cnet.com/8301-13727_7-20 ... -updaters/

[mikehalloran]

Apple released a patch for Lion that removes this Trojan a few weeks ago through Software Update. I don't know about SL.

[MIDI Life Crisis]

There was a SL update as well.

[rhythm_kitchen]

July 9th is supposedly the date when DNS changers begin wreaking havoc again.

(edit - most of this post was confusing. Deleted) Here's the list of security updates from Apple.) http://support.apple.com/kb/HT1222

Lion https://discussions.apple.com/docs/DOC-2465

Snow Leopard Conundrum. Confusing as the patch is where? The 10.6.8 security update or these recent java updates?

Firefox 3.6.28 changes in which java version it supports.
http://www.java.com/en/download/faq/fir ... plugin.xml

Java test http://www.java.com/en/download/installed.jsp