SecureMac, Inc.

Computer security news. Just for Macs.


New Malware Security Bulletin

Posted on March 20, 2012

The OS X platform has seen quite a bit of activity lately, with new variants of both the Flashback Trojan Horse and the Imuler Trojan Horse making the rounds.

SecureMac has learned of a new piece of Mac malware that is currently in the wild and infecting computers running OS X. As first reported at http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/, this piece of malware exploits a vulnerability in older, unpatched versions of Java.

After visiting a site containing the malicious Java applet, the malware exploits CVE-2011-3544 and then downloads and runs code to create a backdoor and set it to run at startup. The backdoor then communicates with a C&C server. This malware requires no user interaction for installation aside from visiting a malicious site when running an unpatched version of Java. The site serving the malware is currently online and active at the time of this report.

The initial backdoor is installed as file.tmp, which quickly sets up a copy of the backdoor at /Library/Audio/Plug-Ins/AudioServer and sets up a LaunchAgent at /Library/LaunchAgents/com.apple.DockActions.plist to ensure the backdoor runs on startup.

The backdoor then communicates with the main C&C server.
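The two file-system artifacts named above can be checked from Terminal. The following is an added example, not a SecureMac tool: the function name, the optional root prefix (for examining a mounted copy of a disk) and the extra scan for a renamed LaunchAgent that still points at the backdoor path are assumptions that go beyond what the bulletin states.

```shell
#!/bin/sh
# Added example: look for the file-system artifacts named in this bulletin.
# Usage: check_bulletin_artifacts [ROOT]
#   ROOT is an optional prefix such as a mounted disk image (assumption);
#   with no argument the live system is checked.

BACKDOOR_PATH="/Library/Audio/Plug-Ins/AudioServer"
AGENT_DIR="/Library/LaunchAgents"
AGENT_PLIST="$AGENT_DIR/com.apple.DockActions.plist"

check_bulletin_artifacts() {
    root="${1:-}"
    root="${root%/}"          # tolerate a trailing slash on ROOT
    hits=0

    # 1. The exact paths given in the bulletin.
    for p in "$BACKDOOR_PATH" "$AGENT_PLIST"; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done

    # 2. Assumption beyond the bulletin: a LaunchAgent under another name
    #    would still have to reference the backdoor binary's path.
    for plist in "$root$AGENT_DIR"/*.plist; do
        [ -f "$plist" ] || continue
        [ "$plist" = "$root$AGENT_PLIST" ] && continue
        if grep -qF -- "$BACKDOOR_PATH" "$plist"; then
            echo "FOUND: $plist references $BACKDOOR_PATH"
            hits=$((hits + 1))
        fi
    done

    if [ "$hits" -eq 0 ]; then
        echo "No artifacts from this bulletin found under ${root:-/}"
        return 0
    fi
    echo "$hits artifact(s) found"
    return 1
}
```

Call `check_bulletin_artifacts` with no argument to check the running system; a non-zero exit status means at least one artifact was found.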

To protect your system against this attack, make sure you are running the latest updates and security patches for OS X by selecting “Software Update” under the Apple menu in OS X. Apple released an updated version of Java that patches this vulnerability back in November. Additionally, Java can be disabled in the Safari web browser by opening the Safari Preferences, and making sure “Enable Java” is unchecked under the Security tab.

This malware is still under active investigation, and this post will be updated with more information as it becomes available. If you believe you have been infected with this malware, please contact us at macsec@securemac.com.
