
Re: New Trojan can install without password

Posted: Sat Apr 07, 2012 12:24 pm
by mhschmieder
This is pretty upsetting to me because I do Java programming for a living, and I hate it when the language itself gets faulted across-the-board due to how it is used in browsers vs. the desktop (or, more often, gets confused with JavaScript, which has no relation to Java).

I am generally opposed to Java being used in browsers, and see no value in that, but it is how things started so there's a lot of legacy there (not so sure it shows up as much in newer stuff as it became more common to use Java server-side to produce HTML and other client content).

Anyway, the irony is that I disable Java in my browsers on Windows at work, but never bothered on the Mac as I didn't see the Mac as vulnerable or flaky. But it sounds like we have to disable Java on the DESKTOP to get around this trojan, so hopefully the "off then on" switching is sufficient, as I'm screwed otherwise.

Re: New Trojan can install without password

Posted: Sun Apr 08, 2012 12:51 am
by mikehalloran
mikehalloran wrote: Here's how to yell if you are affected and what to do about it.

http://gizmodo.com/5899352/mac-flashbac ... 0-infected

If you have any of the following installed, it won't get you.

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
Read the above.

Also, Apple has released two patches since April 3rd.

Re: New Trojan can install without password

Posted: Sun Apr 08, 2012 6:35 pm
by mhschmieder
I like James' Freudian slip: "here's how to YELL if you are affected... " :-)

My co-workers got back to me this weekend and don't think we'll experience an end user freak-out. My own systems are invulnerable as they all have Xcode installed, since I am a registered Apple developer.

It's funny to see Apple issuing almost instantaneous updates to fix the problem, after reading all those "scare" articles trying to get us to think Apple won't know how to respond.

Re: New Trojan can install without password

Posted: Sun Apr 08, 2012 7:11 pm
by cuttime
mhschmieder wrote: My own systems are invulnerable as they all have XCode installed, since I am a registered Apple developer.
Interesting. How does this prevent a Java vulnerability? I've been polling my Mac-using acquaintances, and I've yet to find a single infection. The estimated 600,000 infections seems high to me. Does anybody know of any actual infections first hand?

Re: New Trojan can install without password

Posted: Sun Apr 15, 2012 9:44 am
by mikehalloran
cuttime wrote: How does this prevent...?

I've posted the answer twice now. This particular malware uninstalls itself in the presence of certain applications. I have iAntiVirus installed on all the Intel systems I maintain, so none were infected. Xcode was also on that list.

Apple just released a third Java update in 10 days. This one disables the automatic running of applets without permission. Close your browser before installing.

Re: New Trojan can install without password

Posted: Sun Apr 15, 2012 12:37 pm
by rhythm_kitchen
Most important thing is to not freak out and download just any code or trust that an email link is legit.

Apple's solution is to sandbox all third-party apps in the future. Since I don't work for Apple, I'll just say the Java hack (tabbed browser hack) has been around a long time, and a Cisco-brand router can block Java (check with Pace).

http://lacquer.fi/pauli/blog/2011/11/wh ... es-me-sad/

What's to come is inevitable.

Save OS from evil!

Re: New Trojan can install without password

Posted: Tue Apr 17, 2012 8:54 am
by rhythm_kitchen
I would not trust Little Snitch, btw; there are Mac-only infections that disable outbound rule-sets.

PPC users at the moment must do this detection work manually. However, ClamXav 2.0 is available (10.5 and up)!

---> Flashback.G on Tiger: search your shared folder for an invisible file with a suffix of .so

Most infections will crash your browser.

http://threatpost.com/en_us/blogs/new-v ... its-022412

2nd stage of infection:

If you see a Java popup with the forged 'signed by Apple' certificate, DO NOT INSTALL.

So now, besides the stolen DigiNotar root certificate (SSL for your browser), there is this forged Java certificate.

Also apply the update for the audio file hack (Apple only).

There is talk about a PPC flashback removal tool from Apple in the works (virtual) but f-secure or the Apple removal tool is 10.6.8 or Lion only.
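As an added example (not code from any poster in this thread), the POSIX shell script below mirrors the two filesystem indicators raised in this thread: the "vaccine" path list quoted in mikehalloran's Apr 08 post, which the malware checks before deciding to delete itself, and the hidden .so file this post says Flashback.G leaves in the shared folder on Tiger. The ROOT argument and the ~/Public default for "your shared folder" are assumptions made for illustration and testing, not details from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors two filesystem checks discussed
# above: the "vaccine" paths whose presence makes Flashback delete itself, and
# the hidden .so file reported for Flashback.G on Tiger.
#
# Assumption: ROOT (first argument) is prepended to every path so the check can
# be exercised against a staging directory; leave it empty on a real Mac.

# The eight paths exactly as listed in the quoted post (they contain spaces,
# so they are kept one per line rather than in a word-split variable).
FLASHBACK_VACCINE_PATHS='/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# flashback_vaccine_check [ROOT]
# Prints every listed path that exists under ROOT. Returns 0 if at least one
# exists (the malware's abort condition would fire) and 1 if none do.
flashback_vaccine_check() {
    root=${1:-}
    found=0
    # A here-document keeps the loop in the current shell, so $found survives
    # (a pipe into "while read" would run it in a subshell and lose the count).
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "${root}${p}" ]; then
            printf 'present: %s\n' "${root}${p}"
            found=$((found + 1))
        fi
    done <<EOF
$FLASHBACK_VACCINE_PATHS
EOF
    [ "$found" -gt 0 ]
}

# hidden_so_check [DIR]
# Lists hidden (dot-prefixed) regular files ending in .so under DIR, the
# indicator the post above gives for Flashback.G on Tiger. Returns 0 if any
# were found, 1 otherwise. DIR defaults to ~/Public, which is an assumption
# about what "your shared folder" means.
hidden_so_check() {
    dir=${1:-"$HOME/Public"}
    hits=$(find "$dir" -type f -name '.*.so' 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}
```

On a real Mac run `flashback_vaccine_check` with no argument and `hidden_so_check ~/Public`. A hit from the first function only means the malware's own abort condition would have fired; it says nothing about whether the machine is already infected, and because the list is whatever the malware author chose to look for, a newer variant can drop or change entries. The fuller detection steps in the linked Gizmodo article are not reproduced here.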

Re: New Trojan can install without password

Posted: Tue Apr 17, 2012 2:03 pm
by mhschmieder
BTW, after more research I found that it really is the Java plug-in version for the browser that is at fault after all, and not Java on the desktop.

Interesting timing though, with Oracle taking Google to court over Android's use of Java.

Re: New Trojan can install without password

Posted: Wed Apr 18, 2012 7:13 am
by rhythm_kitchen
This is just the tip of the proverbial iceberg.

What is mind-blowing is that the Camino developers had removed the Java plug-in at 2.1, then with 2.2 disabled all global Mac internet plug-ins for security reasons.

But why did Fx remove the option to disable the Java plug-in, a feature still found in Safari or earlier versions of Camino?

Polar opposite of the Camino developers.

Re: New Trojan can install without password

Posted: Wed Apr 18, 2012 11:38 am
by zed
mikehalloran wrote: If you have any of the following installed, it won't get you.

/Library/Little Snitch
I recommend Little Snitch. I like my computer asking permission before doing stuff.

I'm gonna have to trust that it is protecting me in this case.

Re: New Trojan can install without password

Posted: Thu Apr 19, 2012 10:42 am
by rhythm_kitchen
(edit) Apparently this is an Intel Only trojan.

Re: New Trojan can install without password

Posted: Mon Jun 18, 2012 10:54 am
by rhythm_kitchen
For Snow Leopard users:

Apple releases a Java update, dated June 12, 2012
http://support.apple.com/kb/DL1550

10.6.8 (v1.1) update prior to Safari 5.1.1

http://reviews.cnet.com/8301-13727_7-20 ... -updaters/

Re: New Trojan can install without password

Posted: Mon Jun 18, 2012 3:02 pm
by mikehalloran
Apple released a patch for Lion that removes this Trojan a few weeks ago through Software Update. I don't know about SL.

New Trojan can install without password

Posted: Mon Jun 18, 2012 3:13 pm
by MIDI Life Crisis
There was a SL update as well.

Re: New Trojan can install without password

Posted: Tue Jun 19, 2012 8:37 am
by rhythm_kitchen
July 9th is supposedly the date when DNS changers begin wreaking havoc again.

(edit - most of this post was confusing. Deleted.) Here's the list of security updates from Apple: http://support.apple.com/kb/HT1222

Lion https://discussions.apple.com/docs/DOC-2465

Snow Leopard conundrum. Confusing, as where is the patch? The 10.6.8 security update or these recent Java updates?

Firefox 3.6.28 changes which Java version it supports.
http://www.java.com/en/download/faq/fir ... plugin.xml

Java test http://www.java.com/en/download/installed.jsp