“Flashback”, Java trojans, “SabPub”, “LuckyCat” and “Tibet” Microsoft Office trojans target Mac OSX

Updated Apr 17 2012

April 17: Another Word Trojan, Backdoor.OSX.SabPub.a (aka LuckyCat), has been described by Kaspersky Lab. It is different malware code, assumed to be delivered in a similar way to “Tibet”: through Word 2004/2008 documents sent in targeted “spearphishing” emails. The Trojan uses an older Java exploit to install once it has arrived in the Word .DOC.  Updating or removing Java as outlined below will prevent the code from installing, but will not cure an already-infected machine.  To check whether you are infected, search for these two files:

  • /Library/Preferences/com.apple.PubSabAgent.pfile
  • /Library/LaunchAgents/com.apple.PubSabAgent.plist

The number of attacked machines should be small, given the narrow method of spreading.
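The check above, as an added shell script that is not part of the original post: it looks for the two SabPub/LuckyCat indicator files and then lists the LaunchAgents/LaunchDaemons folders where this kind of trojan keeps its persistence. The optional ROOT argument is my own addition so the same check can be pointed at a mounted volume (or a scratch directory) instead of the live system.

```shell
#!/bin/sh
# Added example, not from the original post: check a Mac for the SabPub/LuckyCat
# indicator files listed above. ROOT is an optional prefix (assumed, for running
# the check against a mounted volume or a scratch directory) instead of /.

# The two file paths reported for Backdoor.OSX.SabPub.a (from the post).
sabpub_indicators() {
    cat <<'EOF'
/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAgent.plist
EOF
}

# check_sabpub [ROOT]  ->  prints each indicator found; returns 0 if none, 1 if any
check_sabpub() {
    root="${1:-}"
    found=0
    for f in $(sabpub_indicators); do
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f"
            found=1
        fi
    done
    return "$found"
}

# Persistence lives in the LaunchAgents/LaunchDaemons folders, so list what is
# there: an item named com.apple.* that Apple did not ship deserves a second look.
list_launch_items() {
    root="${1:-}"
    for d in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons"; do
        if [ -d "$d" ]; then
            echo "== $d"
            ls -l "$d"
        fi
    done
}

# Usage: sh check_sabpub.sh              (checks the running system)
#        sh check_sabpub.sh /Volumes/Mac (checks a mounted volume)
if check_sabpub "${1:-}"; then
    echo "No SabPub indicator files present."
else
    echo "SabPub indicator files present; treat this machine as infected."
fi
list_launch_items "${1:-}"
```

Finding the files clean does not prove the machine is clean (a later variant could use different names), but finding either of them is a reliable sign that it is not.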

Flashback Trojan: Scroll down this post for information on Flashback/FlashFake and its variants

Tibet Trojan: According to the websites AlienVault.com, ESET.com and Intego.com, a malware author has exploited a vulnerability in Microsoft Office Word 2004 and 2008. The Tibet.C Trojan rides along with a seemingly normal Word .DOC file (Word 2011 and .DOCX files are not affected). The .DOC file is delivered with an email whose subject encourages you to open the document; the first example seen was an email about Tibet.  Earlier variants of the Tibet trojan instead fooled viewers into visiting an infected web page.

If the .DOC file is opened, it uses a security flaw in Word to install a back door that gives an outside server remote access to the machine. It does not prompt for an administrator password, and there is no indication to the user that malware is being installed.

The first line of defense is, as always:
Never open unsolicited emails, and never open an attachment unless you know for certain who sent it and why you are receiving it.  Delete spam emails immediately without opening them.

The second line of defense is to keep your software up to date with all Software Update patches. Word 2011 is not affected by this particular attack (which does not mean it is immune from future attacks).  Presumably Microsoft will distribute further updates for Word 2008 and 2011 through Microsoft AutoUpdate. If you are using the obsolete 2004 version, you should consider upgrading to 2011 or switching to OpenOffice.
Note: there is a security update for Microsoft Word 2008 that was released in Dec 2011, http://support.microsoft.com/kb/2644354 ; make sure you have it installed.

The third line of defense is to update or turn off Java in your Mac browser.
Run the updater released April 3 by Apple, http://support.apple.com/kb/HT5228, and the second updater released April 5, which is available through Apple Software Update under the Apple menu (or should arrive automatically if automatic updates are on):
  • Lion (10.7): support.apple.com/kb/DL1515
  • 10.6: support.apple.com/kb/HT5056

Java is off by default in OSX 10.7 but on by default in OSX 10.6. Although Java is not implicated in the Tibet Word trojan horse, it is used by other related malware such as the Flashback.K trojan, which can load as a drive-by download from a poisoned web page. The latest Java update from Apple Software Update patches the vulnerability.

NOTE: Apple has not released an update for Java for OSX 10.5 and earlier.  If you are running 10.5 or earlier, then either turn off Java immediately or update to 10.6.

If you are not doing web or app development, chances are you don’t need Java at all. You can disable it globally from Applications > Utilities > Java Preferences.
If you do need Java (for example for OpenOffice), you can still stop it from running in your web browser:

Safari: click Preferences, then the Security tab, and uncheck “Enable Java”.
Also uncheck the “Open ‘safe’ files after downloading” box in Safari Preferences > General tab.
Google Chrome: open Preferences and type “Java” in the search box. Scroll down until you reach Plug-ins and click “Disable individual plug-ins.” If Java is installed, you’ll see a “Disable” link for it.
Firefox: from the top menu choose Tools > Add-ons, then disable the Java plugin(s).
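The two Safari settings above can also be checked (and fixed) from Terminal. The following is an added example, not from the original post. It assumes the preference keys Safari uses under the hood: “Enable Java” is stored as WebKitJavaEnabled and “Open ‘safe’ files after downloading” as AutoOpenSafeDownloads, both in the com.apple.Safari domain; the plug-in path is where Apple’s Java applet plug-in lives on 10.6/10.7. A missing key means Safari’s built-in default applies, and for both keys that default is “on”, so the script treats unset as unsafe.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Safari settings the post
# tells you to change, reading them with defaults(1). The key names
# (WebKitJavaEnabled, AutoOpenSafeDownloads) and the plug-in path are assumptions.

SAFARI_DOMAIN=com.apple.Safari
JAVA_PLUGIN="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

# read_default DOMAIN KEY -> the stored value, or "" if unset (or not on a Mac)
read_default() {
    command -v defaults >/dev/null 2>&1 || { echo ""; return 0; }
    defaults read "$1" "$2" 2>/dev/null || echo ""
}

# judge_setting NAME VALUE WANTED -> returns 0 only if VALUE equals WANTED.
# Unset means Safari's default applies; for both keys above that is the
# unsafe "enabled", so unset counts as a failure too.
judge_setting() {
    name="$1"; value="$2"; wanted="$3"
    case "$value" in
        "$wanted") echo "OK     $name=$value"; return 0 ;;
        "")        echo "UNSET  $name (Safari default, i.e. enabled)"; return 1 ;;
        *)         echo "FIX    $name=$value (want $wanted)"; return 1 ;;
    esac
}

# audit_safari -> 0 if both settings are already safe, 1 otherwise
audit_safari() {
    bad=0
    judge_setting WebKitJavaEnabled     "$(read_default "$SAFARI_DOMAIN" WebKitJavaEnabled)"     0 || bad=1
    judge_setting AutoOpenSafeDownloads "$(read_default "$SAFARI_DOMAIN" AutoOpenSafeDownloads)" 0 || bad=1
    return "$bad"
}

if [ -e "$JAVA_PLUGIN" ]; then
    echo "Java browser plug-in is installed: $JAVA_PLUGIN"
else
    echo "No Java browser plug-in found at $JAVA_PLUGIN"
fi

if audit_safari; then
    echo "Safari settings already match the advice above."
else
    echo "To fix, quit Safari and run:"
    echo "  defaults write $SAFARI_DOMAIN WebKitJavaEnabled -bool false"
    echo "  defaults write $SAFARI_DOMAIN AutoOpenSafeDownloads -bool false"
fi
```

Quit Safari before writing the defaults, otherwise it can overwrite them with its in-memory copy when it exits; reopen Preferences afterwards to confirm both boxes are unchecked.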

Flashback, FlashFake and variants:

There are numerous variations of the Flashback Trojan being reported.

If you see the screen below, a phony “untrusted self-signed certificate” notification supposedly from Apple, it is really the malware installer for Flashback.G. Do not click Continue; instead shut down the machine.

Note that Java is not the same as JavaScript. You will want JavaScript available in your browser if you do online shopping or banking or many other web-based activities.  The best way I know to manage JavaScript is to switch to Firefox as your web browser and install NoScript, which allows you to approve or reject JavaScript from specific web servers.

FlashFake: Beware also of phony program installers like FlashPlayer.pkg (it masquerades as an updater for Adobe Flash Player); this one has been around since the fall of 2011.