New, sneakier Flashback malware infects Macs

New, sneakier Flashback malware infects Macs – Computerworld

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

“The differences are very subtle,” Peter James, a spokesman for Intego, said in an interview Tuesday. “There’s no password request [by Flashback.S].”

Much more in the two-page article.

Apple will likely need to update its seek-and-destroy tool very quickly to help users stay free of this new variant.

If you think you are beginning to need an antivirus/antimalware solution, there are quite a few out there. Below are just a few:

Sophos Anti-Virus for Mac Home Edition – Sophos has a worthy product out there, and it is nice that they make their money on corporate/business computers and offer the home version for free.

ClamXav, The Free Anti-Virus Solution for Mac OS X – It uses the popular open source ClamAV engine as its back end and can detect both Windows and Mac threats.

There are other options as well for the Pay to Play crowd.

ESET Cybersecurity for Mac

Intego VirusBarrier for Mac – free and Pro versions are available in the Mac App Store (Intego, as noted above, found this newest Flashback in the wild). There are also products from other Mac antivirus firms such as Symantec/Norton, and many more.

Many of these come with a heavy CPU usage hit, which is very annoying considering the small number of actual threats out there for the Mac. Of course, some users may feel that the ones that provide real-time protection are the way to go, and some may feel it is worth it if their Macs are speedy enough and they have enough RAM.

For those who don’t think they need a Mac antivirus just yet: if you don’t use Java, or none of your programs use Java, you can open ~/Applications/Utilities/Java Preferences.app and disable Java until you actually need it, then re-enable it as needed. It’s a very easy thing to do.

Or you could set up AppleScript to monitor areas where malware might inject itself so it will alert you.

Monitor OS X LaunchAgents folders to help prevent malware attacks – CNET

Some additional locations to add can be found at MrAnderson.info here.

Installing Piriform CCleaner for Mac is also a great idea; it runs very quickly and can be run as needed, even every day.

This is certainly less of a system resource hit, and you could still keep a non-resident antivirus, scan at your convenience, and respond if the AppleScript tells you something is going on that you didn’t instigate yourself by installing a program, etc.

The AppleScript monitoring of the locations you set up is built with what comes with Mac OS X, which is light on resources and free. The AppleScript monitoring does a similar thing to what WinPatrol does in Windows, but of course in a very small area comparatively. WinPatrol does much more, but the key similarity is monitoring for changes to the areas of a Windows PC that malware can hit.

What we need for people who are not very savvy about these things is a MacPatrol app like WinPatrol.


New Mac Malware – Is Mac no longer safer?

Update: 5/25/2011 – Updates to this posting from Computerworld, USAToday, and Apple themselves, in the form of a Support document to help users remove the malware and a promise to provide a tool that will remove it and notify users if they attempt to download the malware. See details below.

With the equivalent of “Security Center 2011” now having a counterpart for the Mac called “MAC Defender”, “Mac Security”, “Mac Protector”, or any number of knockoff names, there is a lot of discussion as to how safe the Mac still is compared with Windows.

I have not seen any Windows variant of this type of malware that is as easy to remove from Windows as it is from the Mac.

Sure, Malwarebytes Anti-Malware will take care of it easily on Windows, even if you are somehow tricked through social engineering into clicking on it (it can get a little dicier depending on how far you let it get), but on the Mac you just go to Applications, find Mac Defender, throw it in the trash and empty the trash. What’s easier than that? Here are Bleeping Computer’s full removal instructions.

EDIT 5/25/2011 – IMPORTANT REMOVAL INFO: Apple has also now posted removal instructions, including killing the process, removing the program, and stopping it from starting on boot, here. This was noted in Computerworld: Apple admits Mac scareware infections, promises cleaning tool; USAToday: Apple to issue Mac update to halt malware attacks; and Ars Technica: Apple acknowledges Mac Defender malware, promises software update, as well as likely other places on the web today.

The Computerworld article above notes:

Andrew Storms, director of security operations with nCircle Security, was surprised that Apple said it would embed a malware cleaning tool in Mac OS X.

“That’s new ground for Apple,” Storms said, pointing out that the move is a first for the company, which until now has only offered a bare-bones malware detection mechanism in Mac OS X 10.6, aka Snow Leopard, and then only populated it with a handful of signatures.

“Not only is Apple going to help customers remove [Mac Defender], but by doing so, they’re also admitting that there are security problems with Mac OS,” Storms said.

Even though it is very easy to remove, Mac Defender being out there does mean that malware, particularly on compromised websites, has begun to target other platforms. And you can bet others will follow, and they may not be as easy to remove.

So, does it mean Mac users should be installing Antivirus and/or Antimalware programs? I have, but according to the Wired.com article below:

Charlie Miller, a security researcher who has repeatedly won the annual Pwn2Own hacking contest by hacking Macs and iPhones, told Wired.com he doesn’t think so.

Ultimately, it’s up to the customer because there’s a trade-off involved. Anti-virus software will help protect your system from being infected, but it’s expensive, uses system memory and reduces battery life.

“Mac malware is still relatively rare, but is getting worse,” Miller said. “At some point soon, the scales will tip to installing antivirus, but at this point, I don’t think it’s worth it yet for most people.”

So how is this happening?

Browser choice and settings

The first problem I see for Mac users is Safari and its settings. For the same reason I rarely ever use Internet Explorer in Windows, I rarely use Safari on the Mac. Safari by default allows opening of files automatically after download. Bad move. This caused problems in the past with some ‘rogue’ Widgets a few years ago, but folks realized it was easy to fix and turned it off under Safari preferences. With Safari open, click Safari on the menu bar, then click Preferences; on the first tab (General), at the bottom, untick “Open ‘safe’ files after downloading”. Personally, I prefer to use a variety of browsers, such as Firefox, Google Chrome, and Opera, for various things. Firefox and Chrome have some great addons to help protect you. Opera has some as well.

Keeping programs up to date

Keep Adobe Flash, Adobe Reader, other addons/plugins, web browsers, and any other software that touches the Internet up to date, as well as the operating system itself.

Paying attention

The next biggest problem I see is people not paying close enough attention (regardless of their OS) and not familiarizing themselves with their OS as well as they could. This type of malware tries to imitate some sort of security area on the OS and scare you into thinking it has found malware on your system.

This type of malware requires that you allow the installation: on Windows computers by clicking through the Administrator authentication box, and on the Mac by authenticating with your Admin password.

On Windows, way too many things ask for this kind of authentication (although it is better than it used to be), but on the Mac, which is more like UNIX/Linux in that regard, you are only asked when something could be a potential threat to the system, like installing software that wants access to the system or needs access to system areas. We should always be sure we know what is being installed and why before authenticating with our Admin password. Don’t have a password? Set one up under Accounts in System Preferences today!

Search results

People need to be able to tell the legitimate search results from the bogus ones that have managed to get into the top results through Black Hat SEO techniques. If you don’t have a way to at least tell whether a site is good, bad or indifferent, it is all too easy to click on the wrong one. There are programs that can help with this. They are not foolproof; use common sense as well. A free community-based one is MyWOT, and it works on Windows, Mac, and Linux. There are others that work on Windows as well, from antivirus/firewall companies.

Keeping things cleaned up

Have and use a temporary files cleaner. I run it after every single browser session, but every day, or at worst once a week, would work as long as you don’t notice any issues or weirdness with your OS.

There is a good one for Windows called CCleaner (free and paid versions). For the Mac there are several available. I like MainMenu. It is not free, priced at $15 and a bit more for the Pro version; MainMenu is also available in the Mac App Store. Another favorite, which is free, is OnyX.

You can find out more information about this “Mac Defender” malware in the following articles:

An AppleCare support rep talks: Mac malware is “getting worse” (Ed Bott’s Microsoft Report on ZDNet; the first article on it)

New Mac Malware Fools Customers, But Threat Still Relatively Small (Wired.com’s Gadget Labs)

Malware on the Mac: is there cause for concern? Ars investigates (Arstechnica)

Modern Mac owners need to ignore the dinosaurs and get protection (Hardware 2.0 at ZDNet)

Microsoft links fake Mac AV to Windows scareware gang (Computerworld)

Don’t Panic Over the Latest Mac Malware Story (SecurityWeek):

Now that we’ve established who benefits from Mac malware predictions — security companies and a certain type of IT professional — the second question is, do we care about the prediction that “serious” malware is coming to Macs? Only a little. It is true that Macs aren’t dusted with some sort of magic unicorn Unix-y pixie powder that makes it less vulnerable to security flaws than Windows. But it is equally true that the Mac remains a less risky platform than Windows because of the fewer strains of malware written for OS X. By “fewer” I mean 99% fewer: a hundred malware samples versus 50 million. The Mac also has a much less evolved malware supply chain. By “less evolved” I mean “nonexistent,” this one example notwithstanding.

And with that, I will close this topic for the time being…

EDIT: added the Bleeping Computer article on removal of Mac Defender, the last article from Hardware 2.0 at ZDNet, Microsoft links fake Mac AV to Windows scareware gang at Computerworld, and Don’t Panic Over the Latest Mac Malware Story at SecurityWeek.

How to Defeat Lizamoon in One Easy Step

Lizamoon is a social engineering trick. Don’t fall for it.

PCWorld’s David Murphy has the best solution for users surfing the Internet with this Lizamoon crap out and about on websites, and posted it in an article entitled “How to Defeat Lizamoon in One Easy Step”:

The simple solution: Don’t install unknown files! The more complex solution: Know what antivirus programs already exist on your system, and know what they look like when they scan for and find files. If something says you have malware on your system, and this something looks nothing like applications you already have on your system, be suspicious!

Much more in the article. Must read.

Yep, we are the biggest defense against many malware infections from websites, including this one. Just say no. 😉

And of course, immediately run your temporary Internet files (TIF) cleaner, such as CCleaner, as soon as you close your browser to remove anything that might have copied itself to your temporary Internet files, and run your security software right away to make sure nothing has gotten a foothold on your system.

If something like this happens, do yourself a favor and run a preemptive scan with your antimalware program, such as the excellent Malwarebytes Anti-Malware. Just because your antivirus didn’t pick up on it doesn’t mean you don’t have a problem. No single program can pick up on everything.

Another great program option to help prevent this sort of thing would likely be WinPatrol, which can alert you to changes in your HOSTS file, items that inject themselves into your system by placing themselves in the auto-run on boot, or other system changes that may be injected without your knowing they are happening.

An ounce of prevention is worth a pound of cure.