Infection by the Trojan BackDoor.Flashback.39 performed using infected Web sites and intermediate TDS (Traffic Direction System, distribution systems, traffic), wwwecting Mac OS X users to a malicious site. These pages, the specialists of "Doctor Web" found quite a lot - they all contain Java-script, which loads the user's browser Java-applet, which in turn contains the exploit. 

It should be noted that the malware uses a very interesting mechanism for generating addresses of managing servers, allowing, if necessary, dynamically adjust the load between them, switching from one command center to another. After receiving a response management server, BackDoor.Flashback.39 checks passed to the command center at the post match signatures RSA, and then, if the test proves successful, loads and runs on the infected machine payload, as which can be any executable file specified in the resulting Trojan directive.  

Cách đây không lâu, cháu nhớ có lần chú conmale đã nói, cho dù là dùng MAC hay Linux hay gì gì đi nữa, có security đến đâu nhưng không có sự nhận thức rõ ràng từ người dùng thì vẫn bị dính mailware , virus , trojan như thường. Flashback này chính là 1 bằng chứng cho những điều đó  

Nếu xét về lỗi bảo mật, khi Mac user gõ Username + password cho phép cài software (tốt hay xấu) thì chủ quyền cài sẽ là "root" và nó sẽ được cài. Đây là quyết định của người dùng cho phép cài nhưng về phía Mac, OS phải có một cơ chế kiểm soát xem software được cài là cái gì để warning và cản trở.  

Vì vậy nên theo khuyến cáo thì người dùng chỉ nên tải App từ App Store thôi mà anh? Về loại trojan này, như trên blog có đề là dịch lại từ 1 bản tiếng Nga của đám Dr. Web nên cũng không mô tả chi tiết vấn đề generating dynamic managing server thế nào. Theo ý kiến riêng của em, nếu OSX đi theo mô hình của iOS, sandboxing/chroot các ứng dụng thì khả năng nhiễm malware còn thấp hơn nữa và cũng dễ uninstall ra khỏi system hơn là Windows malware. 

Reports of new Mac malware variants exploiting CVE-2012-0507 surfaced last week. The Java vulnerability is the same one used by Flashback to infect more than 600 thousand Macs. The first new threat was analyzed by the folks at Trend Micro. The Java applet for Mac actually exploits CVE-2012-0507, and if successful, the payload is the same malware that AlienVault Labs discovered last month (being used in targeted attacks against human rights NGOs). The second threat seems to be a completely new piece of malware at first. However, succeeding samples that have been collected reveal that the malware is also being dropped by the same word documents exploiting MS09-027/CVE-2009-0563, used to drop Backdoor:OSX/Olyx.C and Backdoor:OSX/MacKontrol.A. Which was also reported by AlienVault last month. Both malware seem to be active at the moment and are controlled manually as observed by ESET and Kaspersky respectively. Both use the same malicious Java class dropper component. MD5: 5a7bafcf8f0f5289d079a9ce25459b4b F-Secure antivirus detects these threats as Backdoor:OSX/Olyx.B and Backdoor:OSX/Sabpab.A. MD5: 78f9bc441727544ebdc8374da4a48d3f – Backdoor:OSX/Olyx.B (also known as Lamadai.A) MD5: 40c8786a4887a763d8f3e5243724d1c9 – Backdoor:OSX/Sabpab.A (also known as Lamadai.B) MD5: 3aacd24db6804515b992147924ed3811 – Backdoor:OSX/Sabpab.A These malware variants are being used in targeted attacks against Tibetan focused NGOs and are therefore very unlikely to be encountered "in-the-wild" by day to day Mac users. If you're a Mac using human rights lawyer however… your odds of exposure are another matter entirely. If you don't it already, now is the time to install antivirus on your Mac.  

Chưa thấy nơi nào có cái technical analysis cho đến nơi đến chốn nhưng đọc chung chung thì thấy có khá nhiều điểm phi lý, ví dụ: "It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute." Làm sao những site pretends là "Adobe Flash Player" có thể intercept máy để force người dùng update đồ dỏm? Muốn trigger cái Java Applet, ngườu dùng phải access một URL nào đó và những sites đó là site nào? Cho đến nay vẫn không có những thông tin cụ thể và chính xác. 

How this malware infects Macs This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.

It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected. 

The new version of the Flashback malware installs after Mac users visit infected web sites. In Intego’s tests, the installation procedure was somewhat odd, as web sites display a spinning gear for some time, before finally displaying a password request dialog pretending to be from Software Update, Apple’s tool for downloading and installing software.

Flashback forces Safari to quit, installs a file at /tmp/Software Update, then installs two invisible files in Safari’s resources, taking advantage of the root rights it obtained when the user entered his or her administrator’s password. Next, Flashback injects code in Safari when the browser is launched.  

In addition, it is now clear that the Flashback malware has been created by the same people who were behind the Mac Defender fake antivirus which infected many Mac users beginning in May, 2011. Websense Security Labs published a blog post pointing out that tens of thousands of WordPress blogs were infected by code that wwwected them to web sites serving fake antiviruses, including Mac Defender. Sucuri Security narrowed this down to a plugin called ToolsPack, which installs a backdoor on servers where it is installed. But David Dede of Sucuri Security said, “Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks.” Intego has examined some of the WordPress blogs infected with this code and found that they wwwect Mac users to sites that serve the Flashback malware. It is important that people running WordPress sites ensure that their installation is up to date, that they have secure passwords, and that they especially don’t use this ToolsPack plugin. 

As of this writing, this Trojan is targeted at vulnerable Java plug-ins related to the CVE-2012-0507 vulnerability. When a user visits a compromised page, it often uses an iframe tag that wwwects the user to another malicious page, where the actual exploit is triggered by the malicious Java applet. OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless whether the user inputs the password, the malware attempts to infect the system; entering the password only changes the method of infection. The Trojan may arrive as the PKG file comadobefp.pkg and comes disguised as a Flash player installer:

It prompts the user for administrative rights:

Once the malware package is successfully installed, it tries to make contact with its remote sites to download any necessary configuration files:

Another characteristic of this malware is that it checks whether a firewall is installed on the target system. If one is found, it will remove the installation. (Other versions of Flashback are delivered via the sinkhole exploit.) 

Muốn trigger cái Java Applet, ngườu dùng phải access một URL nào đó và những sites đó là site nào? Cho đến nay vẫn không có những thông tin cụ thể và chính xác. 

godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu

Systems get infected with BackDoor.Flashback.39 after a user is wwwected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web's virus analysts discovered a large number of web-sites containing the code. The recently discovered ones include: godofwar3.rr.nu ironmanvideo.rr.nu killaoftime.rr.nu gangstasparadise.rr.nu mystreamvideo.rr.nu bestustreamtv.rr.nu ustreambesttv.rr.nu ustreamtvonline.rr.nu ustream-tv.rr.nu ustream.rr.nu According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com. 

Similarly to the older versions, the launched malware first searches the hard drive for the following components: /Library/Little Snitch /Developer/Applications/Xcode.app/Contents/MacOS/Xcode /Applications/VirusBarrier X6.app /Applications/iAntiVirus/iAntiVirus.app /Applications/avast!.app /Applications/ClamXav.app /Applications/HTTPScoop.app /Applications/Packet Peeper.app If the files are not found, the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to intruders' statistics server and sends consecutive queries at control server addresses. It should be noted that the malware utilizes a very peculiar routine for generating such addresses. It can also switch between several servers for better load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and then, if successful, downloads and runs payload on the infected machine. It may get and run any executable specified in a directive received from a server. Each bot includes a unique ID of the infected machine into the query string it sends to a control server. Doctor Web's analysts employed the sinkhole technology to wwwect the botnet traffic to their own servers and thus were able to count infected hosts. Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback modification. 

Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID. The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&C address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and are working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter. 

When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this. When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it. Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size. 

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork. Boris Sharov, chief executive of the Moscow-based security firm Dr. Web says he learned Monday from the Russian Web registrar Reggi.ru that Apple had requested the registrar shut down one of its domains, which Apple said was being used as a “command and control” server for the hundreds of thousands of PCs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server–what researchers call a “sinkhole”–to monitor the collection of hijacked machines and try to understand their behavior, the technique which allowed the firm to first report the size of Apple’s botnet last week. “They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” says Sharov. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.” Sharov believes that Apple’s attempt to shut down its monitoring server was an honest mistake. But it’s a symptom of the company’s typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.” I’ve contacted Apple for comment, but haven’t yet heard back from the company either. In Apple’s defense, it may not have recognized Dr. Web as a credible security firm when the company contacted Apple earlier this month–I hadn’t heard of the firm either until its discovery and analysis of the Flashback botnet. But the better-known security firm Kaspersky confirmed Dr. Web’s findings on Friday. A Kaspersky representative said it hadn’t contacted Apple with its findings and hadn’t had any direct communication with Apple, and Kaspersky researcher Kurt Baumgartner wrote in a statement that “from what we’ve seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this.” Kaspersky wouldn’t offer more details on how Apple is working with the security community.  

Update: Apple now says it will release a Flashback removal tool and is “working with ISPs worldwide” to disable the botnet’s command and control servers. Locating and shutting down command and control servers is typical practice for a company trying to behead and cripple a botnet targeting its computers. Sharov says that Dr. Web has worked with Microsoft several times in the past on those efforts. But Apple, which has never dealt with a botnet the size of the Flashback infection, has fewer ties to firms like Dr. Web, Sharov says. “For Microsoft, we have all the security response team’s addresses,” he says. “We don’t know the antivirus group inside Apple.” Sharov, like others, criticizes Apple for its delay in issuing a patch for a security vulnerability in Java that the Flashback malware exploited to invisibly install itself on Macs when users visit infected web pages. The bug was patched by Oracle in February, but Apple didn’t fix the flaw until earlier this month. “Their response should have been much earlier when they should have updated their Java,” says Sharov. “Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”  

Apple’s less-than-diplomatic handling of Dr. Web’s work wouldn’t be the first time it’s raised the hackles of the security research community. When well-known Apple researcher Charlie Miller created a proof-of-concept app demonstrating a flaw in Apple’s security restrictions, the company responded by revoking his developer’s license. Sharov says he can understand Apple’s brusque response to his researchers’ work. “These are not pleasant days for them,” he says. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”