SecureMac.com
About SecureMac Advertise Security Consulting Mac Security Store Send Feedback

Site Information
Site Background
Who runs the site
Advertising
Security Consulting
Employment/Jobs
Feedback Form

SecureMac Software
PrivacyScan

 

Mac OS X Security
sudo buffer overflow exploit + fix
Disable Single User Boot Mode
Malevolence - Dumping Passwords
nidump security
Startup Security - Open Firmware Password Protection

Mac OS X Network Security
SAINT
Secure FTP Wrapper
Ettercap - sniffer interceptor logger
Snort - Network Intrusion Detection System
SSH Admin
SSH Helper
xnu - enable MAC Address spoofing


Mac OS X Virus

Mac OS X Firewalls
Firewalk Firewall Utility
NetBarrier X

Mac OS X App Sec.

Mac OS X Encryption
LittleSecrets
GPGMail - PGP Functionality

Mac OS X DoS

SecureMac Library
Mac Cable Modem Security
Mac Security Auditing
Mac OS X Security Understanding
Mac OS X Security Second Lessons
Mac OS X Security Third Lesson
Mac OS X Single User Mode Root Access
Mac OS X Shareware Firewalls
Mac OS X Secure Installation
Cable & DSL Connections - Security Measures
Better Safe than Sorry
Apple.com Security Resources
Marketing Macintosh Security Programs

New Malware

SecureMac Security Bulletin

 


Posted: March 19th, 2012

The OS X platform has seen quite a bit of activity lately, with new variants of both the Flashback Trojan Horse and the Imuler Trojan Horse making the rounds.

SecureMac has learned of a new piece of Mac malware that is currently in the wild and infecting computers running OS X. As first reported at http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ this piece of malware exploits a vulnerability in computers running older, unpatched versions of Java.

After visiting a site containing the malicious Java applet, the malware exploits CVE-2011-3544 and then downloads and runs code to create a backdoor and set it to run at startup. The backdoor then communicates with a C&C server. This malware requires no user interaction for installation aside from visiting a malicious site when running an unpatched version of Java. The site serving the malware is currently online and active at the time of this report.

The initial backdoor is installed as file.tmp, which quickly sets up a copy of the backdoor at /Library/Audio/Plug-Ins/AudioServer and sets up a LaunchAgent at /Library/LaunchAgents/com.apple.DockActions.plist to ensure the backdoor runs on startup.

The backdoor then communicates with the main C&C server.

To protect your system against this attack, make sure you are running the latest updates and security patches for OS X by selecting "Software Update" under the Apple menu in OS X. Apple released an updated version of Java that patches this vulnerability back in November. Additionally, Java can be disabled in the Safari web browser by opening the Safari Preferences, and making sure "Enable Java" is unchecked under the Security tab.

This malware is still under active investigation, and this post will be updated with more information as it becomes available. If you believe you have been infected with this malware, please contact us at macsec@securemac.com.



Security + OS
DiskLock
PowerBook Security Control Panel
Empower Pro
FileGuard
FreeGuard
FoolProof
Deus Lock Master
OnGuard
Keys Off
LockOut
MacOS Algorithm
Modem Security
Password Key
PGPuam
PPF
Shift Key Suite
Stealth Signal
SuperLock Lite
SuperLock Pro
Web-Confidential


Macintosh Viruses
Disinfectant
Sophos Anti-Virus
Norton AntiVirus
Nav 7 Nav 6 Nav X
Virex - Oct
VirusBarrier - Netupdate
vScan - Discontinued.

Mac Physical Security


Macintosh Firewalls
DoorStop Firewall
Firewall Q & A
IPNetSentry
NetBarrier
Norton Personal Firewall

Mac Spyware & Privacy
Monitorer
NetShred - Delete Files Safely

Network Security
MacAnalysis
Oyabun Tools
WDTech RAE
ToolDaemon

Application Security Issues
AIM - AOL Instant Messenger
Back Orifice
Eudora E-Mail Client
Internet Configure
IE 5.1, OE 5.1, Powerpoint, Excel Vulnerability
MS Personal webServer
NetBus
Outlook Express 4.5 Password Flaw
SubSeven
Sub7ME Server

Resource Info
AppleShare Server Info

Mac OS Encryption
EnScript
FGP
FileTwister
ForgotIt?
GenPass
MacLockSmith
My-Privacy
My Secret
PGPi
PGPhone
PGP Personal
PGP Freeware
PowerCrypt-dev
Private File
Quick Encrypt
SubRosa Utilities
Tresor

Deleting Files
Eraser Pro
ShredIt

Backups

Apple Hardware

MacOS DoS
Mac Attack


All material (c) 2014 SecureMac.com and respected owners