New 'Flashback' Variant Spotted in the Wild
Posted by javajolt (Administrator)
« on: April 24, 2012, 06:01:07 AM »
Intego reported on Monday afternoon that Flashback has already evolved into a new variant, exploiting the same Java vulnerability that earlier this month had infected more than half a million Macs.
 
This time, however, the user does not even need to enter a password to complete the install.
 
"It's an entirely silent install now," Intego researcher Lysa Myers told Security Watch. "We've seen silent installs on OS X before, but this is the first time we've seen something to this extent."
 
Flashback.S drops two files in the user's home folder, then deletes cached Java files to avoid detection.
 
"It's just making better use of the Java vulnerability," she said.

Although infection rates are low in actual numbers, security researchers say Flashback is significant because it is one of the first cases of a drive-by exploitation on OS X. Flashback doesn't require user interaction to infect a system. In fact, the massive botnet attack relied on hacked and malware-rigged WordPress blog sites to spread and infect users, Kaspersky Lab researchers reported recently.
 
Whack-a-mole Experts

Sophos Labs's Chester Wisniewski said that as far as his researchers could tell, the difference between Flashback.S and the previous variant is so minor that Sophos and other sophisticated Mac anti-virus products, he surmises, still detect it with the previous signature.
 
However, the new variant eludes Apple's built-in anti-malware tool, XProtect, which relies on exact fingerprints of the malware. XProtect was originally released last May as part of Snow Leopard OS X 10.6, in response to weeks of media coverage over another enduring piece of Mac malware called MacDefender.
 
"Looks like the authors just tweaked it a little bit to bypass [XProtect]," Wisniewski said.
 
Does this all sound too familiar? Last spring, Apple played the whack-a-mole game with the authors of Mac Defender/Mac Guard malware. In that case, hours after Apple updated its signature the authors released a slightly tweaked version that bypassed XProtect. As soon as Apple released another patch, the authors would release another tweaked variant. Rinse and repeat.
 
Patching Isn't Easy
 
Apple released a Java patch in early April, as well as a Flashback removal tool, but clearly not all Mac users patched.
 
"We've been testing on the patch, and it does close the hole, but that doesn't mean everyone's installed the patch," Myers said. "On Windows we still see vulnerabilities from years ago because not everyone's installed the patch."
 
But many Mac users don't even qualify for the patch—it was only available to systems running OS X 10.6 (from 2009) and later.
 
Mac users running OS X v.10.5 and earlier were advised to disable Java altogether. However, it's quite possible that many users of these older systems just didn't get the memo and are still running insecure software.
 
Intego VirusBarrier X6, Xcode, and Little Snitch will block this variant, as will Sophos Anti-Virus for Mac Home.
 
In the wake of Flashback, another Mac malware called 'Sabpub' was discovered targeting Tibetan sympathizers with vulnerabilities in Java and Word.
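The article's point about XProtect (exact fingerprints, defeated by a small tweak) versus Sophos's signature (still matching the new variant) can be shown with a small detection comparison. The following is an added example, not code from the article, from Intego, Sophos or Apple; the sample bytes are constructed stand-ins, not real Flashback content, and the pattern signature is hypothetical.

```python
import hashlib
import re

# Constructed stand-ins for a known sample and for a "slightly tweaked" variant.
# These are NOT real Flashback bytes; the strings just mimic distinctive content
# that a lightly modified variant would still carry.
ORIGINAL_SAMPLE = b"MACHO-stub\x00install_silent;drop_to_home;purge_java_cache;build=1"
# The tweak: change a version tag and append padding. Any byte change at all
# is enough to change the file's hash.
TWEAKED_SAMPLE = b"MACHO-stub\x00install_silent;drop_to_home;purge_java_cache;build=2\x00\x00"
BENIGN_SAMPLE = b"MACHO-stub\x00hello_world;print_banner"

# Exact-fingerprint detection (the XProtect model described above):
# a set of SHA-256 hashes of known-bad files.
EXACT_FINGERPRINTS = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

# Pattern-based detection: a hypothetical signature over distinctive
# byte strings that both variants share, tolerant of surrounding changes.
PATTERN_SIGNATURE = re.compile(rb"install_silent;drop_to_home;purge_java_cache")


def exact_match(sample: bytes) -> bool:
    """True only if the file is byte-for-byte identical to a known sample."""
    return hashlib.sha256(sample).hexdigest() in EXACT_FINGERPRINTS


def pattern_match(sample: bytes) -> bool:
    """True if the distinctive byte pattern appears anywhere in the file."""
    return PATTERN_SIGNATURE.search(sample) is not None


def scan(sample: bytes) -> dict:
    """Run both detectors and report which ones fire."""
    return {"exact": exact_match(sample), "pattern": pattern_match(sample)}


def tweak(sample: bytes, suffix: bytes = b"\x00") -> bytes:
    """Produce a trivially modified copy, as a variant author would, by appending bytes.
    Used here only to show that exact fingerprints break on any change."""
    return sample + suffix


if __name__ == "__main__":
    for name, data in [("original", ORIGINAL_SAMPLE),
                       ("tweaked", TWEAKED_SAMPLE),
                       ("original+1 byte", tweak(ORIGINAL_SAMPLE)),
                       ("benign", BENIGN_SAMPLE)]:
        print(f"{name:16s} {scan(data)}")
```

Running the block prints one line per sample: the original is caught by both detectors, the tweaked variant and the one-byte-appended copy are caught only by the pattern signature, and the benign file by neither. This is why a fingerprint list has to be updated after every tweak, while a signature keyed on content the variants share keeps matching.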