New Flashback Malware Variant Found by Intego

By CIOinsight  |  Posted 04-24-2012

The Mac Flashback malware continues to haunt users, with a new variant recently found in operation, according to Mac security software vendor Intego.

The new variant, Flashback.S, uses the same vulnerability in Java that the previous versions had exploited, but it operates in a slightly different way, Intego researchers said in an April 23 post on the company s Mac Security Blog. The new variant doesn t require a password to be installed, according to Intego researchers.

In addition, the malware places its files in the user s home folder, at these locations:

/Library/LaunchAgents/com.java.update.plist

/.jupdate

"It then deletes all files and folders in /Library/Caches/Java/cache in order to delete the applet from the infected Mac, and avoid detection or sample recovery," the researchers wrote. "Intego has several samples of this new Flashback variant, which is actively being distributed in the wild."

The detection of the Flashback.S variant is only the latest news indicating that the malware, which earlier this month had infected more than 600,000 Macs worldwide, is still a problem. Last week, researchers from Symantec and Kaspersky Lab indicated that the number of Macs compromised by the Flashback malware had declined, to between 30,000 (Kaspersky) to 140,000 (Symantec).

However, late last week, officials with Intego and Dr. Web, the small Russian antivirus vendor that initially detected the high rate of Flashback infections, said the malware was still going strong, with infection numbers still at more than 650,000. Dr. Web researchers said their sinkhole operation--designed to highjack communications from infected Macs and to enable researchers to monitor the malware--indicated the Flashback malware was still widespread, and both they and their counterparts at Intego said the discrepancies in the numbers were caused by how the malware finds and communicates with command-and-control (C&C) servers, which sends out instructions to the compromised Macs.

Symantec officials reportedly now agree with Dr. Web s findings.

Intego has analyzed the malware, and, following discussions with other security companies, has determined that not only are these earlier lower numbers incorrect, they are underestimating the number of infected Macs, Intego officials wrote in an April 20 blog. W e conclude that not only are a larger number of Macs infected than what is being reported, but it is very likely that infections are continuing.


To read the original eWeek article, click here: New Mac Flashback Malware Variant Detected by Intego