New Trojan can install without password
Moderator: James Steele
- mhschmieder
- Posts: 11419
- Joined: Wed Jul 06, 2005 10:01 pm
- Primary DAW OS: MacOS
- Location: Annandale VA
Re: New Trojan can install without password
This is pretty upsetting to me because I do Java programming for a living, and I hate it when the language itself gets faulted across-the-board due to how it is used in browsers vs. the desktop (or, more often, gets confused with JavaScript, which has no relation to Java).
I am generally opposed to Java being used in browsers, and see no value in that, but it is how things started so there's a lot of legacy there (not so sure it shows up as much in newer stuff as it became more common to use Java server-side to produce HTML and other client content).
Anyway, the irony is that I disable Java in my browsers on Windows at work, but never bothered on the Mac as I didn't see the Mac as vulnerable or flakey. But it sounds like we have to disable Java on the DESKTOP to get around this trojan, so hopefully the "off then on" switching is sufficient, as I'm screwed otherwise.
Mac Studio 2025 14-Core Apple M4 Max (36 GB RAM), OSX 15.5, MOTU DP 11.34, SpectraLayers 11
RME Babyface Pro FS, Radial JDV Mk5, Hammond XK-4, Moog Voyager
Eugenio Upright, 60th Anniversary P-Bass, USA Geddy Lee J-Bass, Yamaha BBP35
Select Strat, 70th Anniversary Esquire, Johnny Marr Jaguar, 57 LP, Danelectro 12
Eastman T486RB, T64/V, Ibanez PM2, D'angelico Deluxe SS Bari, EXL1
Guild Bari, 1512 12-string, M20, Martin OM28VTS, Larivee 0040MH
- mikehalloran
- Posts: 16260
- Joined: Sun Jan 25, 2009 5:08 pm
- Primary DAW OS: MacOS
- Location: Sillie Con Valley
Re: New Trojan can install without password
Read the above.
mikehalloran wrote:
Here's how to yell if you are affected and what to do about it.
http://gizmodo.com/5899352/mac-flashbac ... 0-infected
If you have any of the following installed, it won't get you.
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
Also, Apple has released two patches since April 3rd.
DP 11.34; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sequoia 15.4, USB4 8TB externals, Neumann MT48, M-Audio AIR 192|14, Mackie ProFxv3, Zoom F3 & UAC 232 32bit float recorder & interface; 2012 MBPs (x2) Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 NE Pro, Toast 20 Pro
- mhschmieder
- Posts: 11419
- Joined: Wed Jul 06, 2005 10:01 pm
- Primary DAW OS: MacOS
- Location: Annandale VA
Re: New Trojan can install without password
I like James' Freudian slip: "here's how to YELL if you are affected... " 
My co-workers got back to me this weekend and don't think we'll experience an end-user freak-out. My own systems are invulnerable as they all have Xcode installed, since I am a registered Apple developer.
It's funny to see Apple issuing almost instantaneous updates to fix the problem, after reading all those "scare" articles trying to get us to think Apple won't know how to respond.
Mac Studio 2025 14-Core Apple M4 Max (36 GB RAM), OSX 15.5, MOTU DP 11.34, SpectraLayers 11
RME Babyface Pro FS, Radial JDV Mk5, Hammond XK-4, Moog Voyager
Eugenio Upright, 60th Anniversary P-Bass, USA Geddy Lee J-Bass, Yamaha BBP35
Select Strat, 70th Anniversary Esquire, Johnny Marr Jaguar, 57 LP, Danelectro 12
Eastman T486RB, T64/V, Ibanez PM2, D'angelico Deluxe SS Bari, EXL1
Guild Bari, 1512 12-string, M20, Martin OM28VTS, Larivee 0040MH
Re: New Trojan can install without password
mhschmieder wrote:
My own systems are invulnerable as they all have Xcode installed, since I am a registered Apple developer.
Interesting. How does this prevent a Java vulnerability? I've been polling my Mac-using acquaintances, and I've yet to find a single infection. The estimated 600,000 infections seems high to me. Does anybody know of any actual infections first hand?
828x MacOS 15.5 M1 Studio Max 1TB 64G DP11.34
- mikehalloran
- Posts: 16260
- Joined: Sun Jan 25, 2009 5:08 pm
- Primary DAW OS: MacOS
- Location: Sillie Con Valley
Re: New Trojan can install without password
>How does this prevent...?<
I've posted the answer twice now. This particular malware uninstalls itself in the presence of certain applications. I have iAntiVirus installed on all the Intel systems I maintain, so none were infected. Xcode was also on that list.
Apple just released a third Java update in 10 days. This one disables the automatic running of applets without permission. Close your browser before installing.
DP 11.34; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sequoia 15.4, USB4 8TB externals, Neumann MT48, M-Audio AIR 192|14, Mackie ProFxv3, Zoom F3 & UAC 232 32bit float recorder & interface; 2012 MBPs (x2) Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 NE Pro, Toast 20 Pro
- rhythm_kitchen
- Posts: 126
- Joined: Sun Oct 10, 2010 11:26 am
- Primary DAW OS: MacOS
- Location: SF, S.South Bay
Re: New Trojan can install without password
The most important thing is to not freak out and download just any code, or trust that an email link is legit.
Apple's solution is to sandbox all third-party apps in the future. Since I don't work for Apple I'll just say: the Java hack (tabbed browser hack) has been around a long time, and a Cisco-brand router can block Java (check with Pace).
http://lacquer.fi/pauli/blog/2011/11/wh ... es-me-sad/
What's to come is inevitable.
Save OS from evil!
- rhythm_kitchen
- Posts: 126
- Joined: Sun Oct 10, 2010 11:26 am
- Primary DAW OS: MacOS
- Location: SF, S.South Bay
Re: New Trojan can install without password
I would not trust Little Snitch, btw; there are Mac-only infections that disable outbound rule-sets.
PPC users at the moment must do this detection work manually. However, ClamXav 2.0 is available (10.5 and up)!
---> Flashback.G on Tiger: search your Shared folder for an invisible file with a suffix of .so
Most infections will crash your browser.
http://threatpost.com/en_us/blogs/new-v ... its-022412
2nd stage of infection:
If you see a Java popup with the forged 'signed by Apple' certificate, DO NOT INSTALL.
So now, besides the stolen DigiNotar root certificate (SSL for your browser), there is this forged Java certificate.
Also apply the update for the audio file hack (Apple only).
There is talk of a PPC Flashback removal tool from Apple in the works (virtual), but the F-Secure or Apple removal tool is 10.6.8 or Lion only.
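Two of the checks discussed in this thread can be scripted. The first is the list of paths quoted from mikehalloran's post: if any of them exists, Flashback skips the rest of its routine and deletes itself. The second is the Flashback.G note above: look in the Shared folder for an invisible (dot-prefixed) file ending in .so. The script below is an added example, not code from the forum thread or from any of the tools it names. It assumes the malware's check is a plain path-existence test (the thread describes the behaviour but not the mechanism; if that assumption holds, an empty directory at one of those paths satisfies it as well as the real application would) and that the "Shared folder" means /Users/Shared. Both functions take an optional root or directory argument so they can be exercised against a scratch tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the forum thread): two Flashback host checks.
#   1. flashback_skip_paths_present - which of the listed "skip" paths exist
#   2. hidden_so_files               - hidden .so files in the Shared folder
# Save as e.g. flashback_check.sh and run:  sh flashback_check.sh run

# Paths copied from the thread. Assumption (not stated there): the malware
# does a plain existence test, so an empty directory at one of these paths
# would satisfy it just as well as the real application.
FLASHBACK_SKIP_PATHS='/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# Print every listed path that exists under ROOT (default: the live
# filesystem). Exit 0 if at least one is present, 1 if none is.
# The here-document keeps the loop in the current shell so $found survives.
flashback_skip_paths_present() {
    root=${1:-}
    found=0
    while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=$((found + 1))
        fi
    done <<EOF
$FLASHBACK_SKIP_PATHS
EOF
    [ "$found" -gt 0 ]
}

# Print hidden regular files named .*.so anywhere under DIR.
# Assumption: the "Shared folder" in the post is /Users/Shared.
# Exit 1 only if DIR does not exist (nothing was checked).
hidden_so_files() {
    dir=${1:-/Users/Shared}
    [ -d "$dir" ] || return 1
    find "$dir" -type f -name '.*.so' 2>/dev/null
}

# Human-readable summary of both checks on the live machine.
report() {
    if flashback_skip_paths_present >/dev/null; then
        echo "At least one path from the skip list is present:"
        flashback_skip_paths_present
    else
        echo "None of the skip-list paths is present."
    fi
    so=$(hidden_so_files) || { echo "/Users/Shared does not exist."; return 0; }
    if [ -n "$so" ]; then
        echo "Hidden .so file(s) found in /Users/Shared (investigate):"
        printf '%s\n' "$so"
    else
        echo "No hidden .so files in /Users/Shared."
    fi
}

# Only touch the live system when explicitly asked.
[ "${1:-}" = run ] && report
```

A hit from the first check only tells you that this particular sample would have bailed out; it says nothing about other malware. A hit from the second check is a lead to investigate, not proof of infection, since legitimate software may also drop hidden shared objects.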
- mhschmieder
- Posts: 11419
- Joined: Wed Jul 06, 2005 10:01 pm
- Primary DAW OS: MacOS
- Location: Annandale VA
Re: New Trojan can install without password
BTW, after more research I found that it really is the Java plug-in version for the browser that is at fault after all, and not Java on the desktop.
Interesting timing though, with Oracle taking Google to court over Android's use of Java.
Mac Studio 2025 14-Core Apple M4 Max (36 GB RAM), OSX 15.5, MOTU DP 11.34, SpectraLayers 11
RME Babyface Pro FS, Radial JDV Mk5, Hammond XK-4, Moog Voyager
Eugenio Upright, 60th Anniversary P-Bass, USA Geddy Lee J-Bass, Yamaha BBP35
Select Strat, 70th Anniversary Esquire, Johnny Marr Jaguar, 57 LP, Danelectro 12
Eastman T486RB, T64/V, Ibanez PM2, D'angelico Deluxe SS Bari, EXL1
Guild Bari, 1512 12-string, M20, Martin OM28VTS, Larivee 0040MH
- rhythm_kitchen
- Posts: 126
- Joined: Sun Oct 10, 2010 11:26 am
- Primary DAW OS: MacOS
- Location: SF, S.South Bay
Re: New Trojan can install without password
This is just the tip of the proverbial iceberg.
What is mind-blowing is that the Camino developers removed the Java plug-in at 2.1, then with 2.2 disabled all global Mac internet plug-ins for security reasons.
But why did Fx remove the option to disable the Java plug-in, a feature still found in Safari or earlier versions of Camino?
Polar opposite of the Camino developers.
Last edited by rhythm_kitchen on Mon Jun 18, 2012 10:46 am, edited 1 time in total.
Re: New Trojan can install without password
mikehalloran wrote:
If you have any of the following installed, it won't get you.
/Library/Little Snitch
I recommend Little Snitch. I like my computer asking permission before doing stuff. I'm gonna have to trust that it is protecting me in this case.
MacPro 2.8 GHz 8-Core Intel Xeon | 14 GB RAM | OS 10.11.6 | DP 8
- rhythm_kitchen
- Posts: 126
- Joined: Sun Oct 10, 2010 11:26 am
- Primary DAW OS: MacOS
- Location: SF, S.South Bay
Re: New Trojan can install without password
(edit) Apparently this is an Intel Only trojan.
- rhythm_kitchen
- Posts: 126
- Joined: Sun Oct 10, 2010 11:26 am
- Primary DAW OS: MacOS
- Location: SF, S.South Bay
Re: New Trojan can install without password
For Snow Leopard users:
Apple releases a Java update, dated June 12, 2012
http://support.apple.com/kb/DL1550
10.6.8(v1.1) update prior to Safari 5.1.1
http://reviews.cnet.com/8301-13727_7-20 ... -updaters/
- mikehalloran
- Posts: 16260
- Joined: Sun Jan 25, 2009 5:08 pm
- Primary DAW OS: MacOS
- Location: Sillie Con Valley
Re: New Trojan can install without password
Apple released a patch for Lion that removes this Trojan a few weeks ago through Software Update. I don't know about SL.
DP 11.34; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sequoia 15.4, USB4 8TB externals, Neumann MT48, M-Audio AIR 192|14, Mackie ProFxv3, Zoom F3 & UAC 232 32bit float recorder & interface; 2012 MBPs (x2) Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 NE Pro, Toast 20 Pro
- MIDI Life Crisis
- Posts: 26285
- Joined: Wed May 18, 2005 10:01 pm
- Primary DAW OS: MacOS
- Contact:
New Trojan can install without password
There was a SL update as well.
2013 Mac Pro 2TB/32GB RAM
OSX 10.14.6; Track 16; DP 12; Finale 28
LinkTree (events & performances)
Instagram
Facebook
MIDI LIFE CRISIS
- rhythm_kitchen
- Posts: 126
- Joined: Sun Oct 10, 2010 11:26 am
- Primary DAW OS: MacOS
- Location: SF, S.South Bay
Re: New Trojan can install without password
July 9th is supposedly the date when DNS changers begin wreaking havoc again.
(edit - most of this post was confusing. Deleted.) Here's the list of security updates from Apple: http://support.apple.com/kb/HT1222
Lion https://discussions.apple.com/docs/DOC-2465
Snow Leopard conundrum. Confusing, as where is the patch? In the 10.6.8 security update or in these recent Java updates?
Firefox 3.6.28 changes which Java version it supports.
http://www.java.com/en/download/faq/fir ... plugin.xml
Java test http://www.java.com/en/download/installed.jsp
Last edited by rhythm_kitchen on Tue Jun 19, 2012 12:14 pm, edited 2 times in total.