Tibet.A malware for OS X uses Flashback Java vulnerabilities

While the route of attack has already been identified and fixed, new malware is attempting to use it for more nefarious purposes.
Topher Kessler: One recent malware program for OS X that has caused concern is the Flashback Trojan, which in its latest variants has taken advantage of Java security holes to embed code in programs or user accounts that launches the malware when Web browsers are used. Once run, the malware tries to take screenshots and otherwise collect information to upload to remote servers.

Apparently the Java exploit used in this malware is catching on, and other malware is being developed that uses the same route of attack. Recently Intego reported on a new Trojan horse called Tibet.A (in its first revision), which downloads a Java applet when you visit a malicious Web page (links to such pages are apparently being sent in spam e-mails) and installs a backdoor program. This malware works on both Windows PCs and OS X: apparently the Web page involved determines the platform being used and sends the appropriate binaries to the computer.

As with the Flashback malware, since this vulnerability only requires access to the user's account, no password is required to run or install it, provided users are running older versions of Java and have Java enabled in their browsers. The malware is similar in other respects to the Flashback threat; however, both can be easily thwarted by disabling Java on systems that are not updated (simply unchecking Java in Safari's Security preferences will do this), or by using Software Update to update the system.

Putting the Mac malware scene into perspective, this threat is not known to be widespread and appears to be used in a direct attack that targets Tibetan businesses and organizations. It is also a single addition to the small group of malware that has so far been developed for OS X, which at fewer than 70 variants is minuscule in comparison to the millions developed yearly for Windows PCs. Additionally, this and the vast majority of known malware for OS X are Trojan-horse-based threats and are not viral in nature, meaning they do not spread uncontrollably on their own and require tricking the user (in this case with spam) into installing them.

So far, the spam e-mails, including links to the malicious Web pages, have only been sent to the Tibetan organizations; however, it is possible that they could be issued elsewhere. Despite this possibility, the chances that this will affect the average user are slim, especially if you follow some simple (and perhaps understood) guidelines:

    Update your system
If your system is updated, then you have nothing to worry about, so be sure to regularly run Software Update and keep your system updated.

    Avoid e-mail links
E-mail clients by themselves will not open links unless you tell them to, so if you get an e-mail from an unknown source (especially if it contains misspellings, requests to click links, and other requests for information), avoid it; simply delete the message. If you are uncertain how to identify spam e-mails, do a Web search for "How to spot spam e-mail" or a similar string, and you will find numerous pages outlining handy tips on the details to look for.

    Turn off unnecessary features
While in some cases Java, Web plug-ins like Flash, and similar features are used quite regularly, if you do not use them regularly then turn them off. You can do this for Safari in its Security preferences by unchecking the "Enable Java" feature, and in other Web browsers such as Firefox you have access to plug-in management tools (which Safari unfortunately lacks at the moment) where you can enable or disable individual plug-ins. If you ultimately need a plug-in or Java, the Web page you are visiting will notify you of this, and you can quickly enable it to view the content you are trying to see.

While keeping plug-ins and other features disabled until needed does add a touch of inconvenience to Web browsing, it overall closes possible avenues for attack.
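The two conditions the article names as prerequisites for this malware (an out-of-date Java runtime and Java still enabled in Safari) can be audited from a shell. The script below is an added example, not code from the original article or from Intego; it assumes the Java runtime reports its version in the usual `java version "1.6.0_29"` form, that Safari's "Enable Java" checkbox is stored under the `com.apple.Safari` preference key `WebKitJavaEnabled` (an assumption about that era's Safari), and it uses a placeholder `MIN_JAVA` value because the article does not state which Java update closes the hole. The version comparison and the output parser work on any POSIX system; the Safari check only runs where the `defaults` tool exists.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a Mac for the two
# conditions the article describes as prerequisites for Tibet.A / Flashback.
# MIN_JAVA is a PLACEHOLDER: replace it with the version shipped by the Apple
# Java update you consider patched; the article gives no number.
MIN_JAVA="${MIN_JAVA:-1.6.0_99}"

# java_ver_lt A B -> exit status 0 (true) when version A is strictly older
# than version B. Underscore update numbers (1.6.0_29) are treated as a
# fourth dotted field, and missing fields compare as zero.
java_ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/_/, ".", a); gsub(/_/, ".", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Pull the quoted version out of `java -version` output (it prints to stderr,
# so callers capture it with 2>&1). Prints nothing if the line is absent.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Run both checks and print one line per finding.
audit_mac() {
    if command -v java >/dev/null 2>&1; then
        out=$(java -version 2>&1)
        v=$(java_version_from_output "$out")
        if [ -z "$v" ]; then
            echo "WARN: could not parse Java version from: $out"
        elif java_ver_lt "$v" "$MIN_JAVA"; then
            echo "WARN: Java $v is older than $MIN_JAVA; run Software Update"
        else
            echo "OK: Java $v is at or above $MIN_JAVA"
        fi
    else
        echo "OK: no Java runtime on PATH"
    fi

    # Safari's "Enable Java" checkbox (assumed preference key; OS X only).
    if command -v defaults >/dev/null 2>&1; then
        state=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)
        case "$state" in
            1)  echo "WARN: Java is enabled in Safari; uncheck Enable Java in Safari > Preferences > Security" ;;
            0)  echo "OK: Java is disabled in Safari" ;;
            *)  echo "NOTE: Safari Java preference not set; check the Security pane (Safari of this era enabled Java by default)" ;;
        esac
    fi
}

# Usage: run the audit when executed directly (functions can also be sourced).
case "$0" in
    *sh) : ;;          # sourced or run via `sh script.sh` in a test harness
    *)   audit_mac ;;
esac
```

The comparison function is the piece worth keeping even if you ignore the rest: `java -version` output is the only portable indicator of which runtime a browser will hand an applet to, and comparing it field by field (rather than as a string) avoids treating `1.6.0_9` as newer than `1.6.0_31`.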

Overall, while this malware is new, its route of attack is not, and if you have already taken measures to safeguard your system by updating it, then you are well protected from this malware. If you still have concerns, you can block this malware further by installing a malware scanner such as Intego's VirusBarrier X6, Sophos, or numerous others, but you do not need to go overboard and have these programs continually scan your system and block all services. Above all, as with any computer system, safe browsing practices and regular updates are the easiest way to ensure you cover your bases.