“Flashback”, Java trojans, “SabPub”, “LuckyCat” and “Tibet” Microsoft Office trojans target Mac OSX

Updated Apr 17 2012

April 17: Another Word Trojan, Backdoor.OSX.SabPub.a (aka LuckyCat), has been described by Kaspersky Labs. It is different malware code, assumed to be delivered in a similar way to “Tibet”: through Word 2004/2008 documents or by targeted “spearphishing” attacks. The Trojan uses an older Java exploit to install once it has arrived in the Word .DOC. Updating or removing Java as outlined below will prevent the code from installing, but it will not cure an already-infected machine. To check if you are infected you can search for:

  • /Library/Preferences/com.apple.PubSabAgent.pfile
  • /Library/LaunchAgents/com.apple.PubSabAGent.plist

The number of attacked machines should be small, given the narrow method of spreading.

Flashback Trojan: Scroll down this post for information on Flashback/FlashFake and its variants

Tibet Trojan: According to the websites AlienVault.com, ESET.com and Intego.com, a malware author has exploited a vulnerability in Microsoft Office Word 2004 and 2008. The Tibet.C Trojan rides along with a seemingly normal Word .DOC file (Word 2011 and .DOCX files are not affected). The Word .DOC file would be delivered with an email and some kind of subject that encourages you to open the document – the first example is an email to do with Tibet.  Earlier variants of the Tibet trojan fooled viewers into visiting an infected web page.

If the DOC file is opened, it can use a security flaw in Word to install a back door that provides remote access to an outside server. It does not require password permission to install, and there is no indication to the user that malware is being installed.

The first line of defense is, as always:
Never open unsolicited emails, and never open any attachment to an email unless you know 100% for sure who it is from and why you are receiving it.  Delete spam emails immediately without opening.

The second line of defense is to keep your software up to date with all Software Update patches. Word 2011 is not affected by this particular attack (which doesn’t mean that it is immune from any future attacks). Presumably Microsoft will distribute additional updates for Word 2008 and 2011 through Microsoft AutoUpdate. If you are using the obsolete version 2004, you should consider upgrading to 2011 or switching to OpenOffice.
Note: there is a security update for Microsoft Word 2008 that was released Dec 2011 http://support.microsoft.com/kb/2644354 – make sure you have this installed.

The third line of defense is to update or turn off Java on your Mac browser.
Run this updater released April 3 by Apple, http://support.apple.com/kb/HT5228, and a second updater released April 5, which is available through Apple Software Update under the Apple menu (or should be set to automatically update). Lion: support.apple.com/kb/DL1515  10.6: support.apple.com/kb/HT5056

Java is off by default in OSX 10.7 but on by default in OSX 10.6. Although Java is not implicated in the Tibet Word trojan horse, it is used by other related malware attempts such as the Flashback.K trojan, which can load as a drive-by download from a poisoned web page. The latest update of Java from Apple Software Update patches the vulnerability.

NOTE: Apple has not released an update for Java for OSX 10.5 and earlier.  If you are running 10.5 or earlier, then either turn off Java immediately or update to 10.6.

If you are not doing Web or App development, chances are you don’t need Java anyway. You can disable it globally from Applications > Utilities > Java Preferences
If you do need Java (such as for OpenOffice) you can still disable it from running in your Web browser.

Safari: click Preferences, then the Security tab, and uncheck “Enable Java”.
Also uncheck the “Open ‘safe’ files after downloading” box in Safari Preferences > General tab.
Google Chrome: open Preferences, type “Java” in the search text box. Scroll down until you reach Plug-ins, click “Disable individual plug-ins.” If Java is installed, you’ll see a “disable” link for it.
Firefox: While in Firefox, from the top menu, choose Tools, Add-ons, disable the Java plugin(s)
www.maclife.com/article/howtos/how_disable_java_your_mac_web_browser

Flashback, FlashFake and variants:

There are numerous variations of the Flashback Trojan being reported.

If you see this screen below, this is a phony “un-trusted self signed certificate” notification supposedly from Apple. It is really a malware installer for Flashback.G, so do not click Continue; instead, shut down the machine.

Note that Java is not the same as JavaScript. You will want JavaScript available in your browser if you do online shopping or banking or many other web based activities.  The best way I know to manage JavaScript is to switch to Firefox as your web browser and install NoScript, which allows you to approve or reject JavaScripts from specific web servers.

FlashFake: Beware also of phony program installers like FlashPlayer.pkg, which masquerades as an updater for Adobe Flash Player. This has been around since the Fall of 2011.

It looks plausible but is not the same as the official Adobe installer screen, below.

Also watch out for fake Video CoDec downloads, which are used to deliver browser redirect trojans.

Never download a program update or program installer from an unknown website, a pop-up browser window or an email. Always go to the manufacturer’s site (adobe.com in this case) to get your updater and installer files.

Flashback can also be installed via a drive-by download (silently) from a poisoned Website if an unpatched Java installation is active. See above for updating instructions.

Information and manual removal instructions for particular variants:

(Note that just turning off or updating Java will not delete the Trojan if the Mac is already infected)

Apple has released the third software update within a week, which is designed to remove the Flashback trojan – For Lion 10.7 support.apple.com/kb/HT5242 or use Software Update. It will automatically disable Java after it has been unused for 35 days, so if you rely on Java be aware you may need to re-enable it in the future.
Apple also has a new update for Snow Leopard OSX 10.6 in Software Updates

Flashfake Removal tool from Kaspersky: www.kaspersky.com/virus-removal-tools

Flashback.A www.f-secure.com/v-descs/trojan-downloader_osx_flashback_a.shtml
Flashback.C www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
Flashback.I www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Flashback.K www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

Kaspersky Labs has confirmed the trojan: www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed and they have a 30 day free trial of their product: usa.kaspersky.com/downloads/free-home-trials/anti-virus-for-mac

Intego also has a 30 day free trial of VirusBarrier, which is claimed to detect Tibet www.intego.com/virusbarrier

The Flashback Trojans can be detected by searching for the presence of certain files in Terminal:

In Terminal, copy and paste in one of the following commands and hit Return:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

The correct response should be “does not exist” if your machine is clean.
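The three `defaults read` checks above and the two SabPub file paths listed at the top of this post can be run in one pass. The script below is an added example, not part of the original post or of FlashbackChecker; the function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: read-only check for the
# indicators this page lists. The optional root prefix is an assumption
# added so the file checks can be pointed at a mounted or test volume.

# Prints present/absent for a defaults key, or "unknown" when the macOS
# `defaults` tool is missing (so a non-Mac never reports a false "clean").
check_default() {   # usage: check_default <domain> <key>
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    if defaults read "$1" "$2" >/dev/null 2>&1; then
        echo present
    else
        echo absent   # non-zero exit, e.g. the "does not exist" reply
    fi
}

# Prints present/absent for a file path under the optional root prefix.
check_file() {      # usage: check_file <path> [root]
    if [ -e "${2:-}$1" ]; then echo present; else echo absent; fi
}

# Runs every check, prints one line per indicator, sets HITS, and
# returns non-zero when at least one indicator is present.
scan_all() {        # usage: scan_all [root]
    root="${1:-}"; HITS=0
    while IFS='|' read -r kind a b; do
        case "$kind" in
            default) r=$(check_default "$a" "$b"); label="$a $b" ;;
            file)    r=$(check_file "$a" "$root"); label="$root$a" ;;
        esac
        printf '%-8s %s\n' "$r" "$label"
        if [ "$r" = present ]; then HITS=$((HITS + 1)); fi
    done <<EOF
default|/Applications/Safari.app/Contents/Info|LSEnvironment
default|/Applications/Firefox.app/Contents/Info|LSEnvironment
default|$HOME/.MacOSX/environment|DYLD_INSERT_LIBRARIES
file|/Library/Preferences/com.apple.PubSabAgent.pfile|
file|/Library/LaunchAgents/com.apple.PubSabAGent.plist|
EOF
    [ "$HITS" -eq 0 ]
}

scan_all || echo "WARNING: $HITS indicator(s) present"
```

Like the manual commands, this only reports status: it removes nothing and will miss variants that use differently named files.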

An open-source application has been released that automates those searches and reports the presence or not of the infected files. Note that this App does nothing to remove the infection, it just reports status, and it would not detect new mutations that use differently named files. FlashbackChecker 1.0: github.com/jils/FlashbackChecker/wiki

There are several free and commercial antivirus programs available for Macintosh, and interestingly, this particular Flashback Trojan seems to commit suicide if it detects anti-virus programs like ClamXAV or network reporting programs like Little Snitch on the machine. This is perhaps an attempt to be stealthy and conceal the botnet Command and Control (C&C) servers from being revealed and tracked.

More Mac antivirus information is here and

Information on securing a Macintosh is here

AVComparatives paper comparing Mac antivirus programs (PDF)

osxdaily.com tips on securing a Mac

Although these malware are, strictly speaking, trojan horses rather than viruses, they do illustrate the point that a Macintosh OSX system is vulnerable to attack if the user can be tricked into installing malware, or if a flaw in a third party program (such as Word 2008 or Java) permits programs to be installed.

The arguments over whether these are viruses or trojans, whether the Macintosh operating system or the third party software is faulty, or whether this is a Windows virus that opportunistically had Mac OSX and/or Linux payloads added to it, are academic. The fact is that there is a threat, there will be more, and they have the potential to do real damage.

Other Trojans or Advertising/Malware to look out for and avoid are:
MacDefender/MacProtector/MacSecurity/MacGuard (FakeMacDef),  MacShield, which are phony utility or antivirus programs. A trojan called OSX/Imuler or OSX/Revir.C  is embedded in a sample of erotic pictures that are offered for free (example “Covergirl Irina Shayk”).
