Is this something that a simple Java update from Apple can fix?

It's not a bug - it's a feature. Java applets are allowed to read and write your computer's hard drive under certain circumstances. This is by design.

When an applet is signed with a certificate, the user can be asked whether it's OK that the applet accesses the computer. The user can either click yes, no, or view the certificate to get information on the people that signed the applet. If you click no, the applet is not allowed access.

If you click yes, the applet has the same access as you have. That is, it can change all the things you can change without an admin password. It can also ask you for the admin password and if you provide it, it has full control over the system.

The problem is that people have a tendency to click yes whenever a popup box comes along.
 
To clarify for mcmlxix,

When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.

So, you get a Java applet prompt.

You click "allow" and it downloads an installer or you click "deny" and the trojan fails because it cannot download the installer.

If you clicked "allow", the installer launches automatically and asks for your password to install the trojan with root privileges.

If you provide your password, it can install that trojan and do all the malicious stuff stated in the article.

If you do not provide your password, the trojan fails.
 
Ok. So not a Java update then. But I thought that Snow Leopard was supposed to manage/protect against known trojans better. I forget what Apple called this.
 
It is called XProtect but just like anti-virus software, it requires a definition of the malware to provide protection. Apple may update XProtect with a definition of this new trojan in the near future. Until then, user knowledge is the only protection from this trojan. This limitation in protection from novel trojans is a caveat of all operating systems.
 
When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.
Is it doing this when it runs or when you enter your admin password? I'd be worried if it's the former.
 
Easy fix.
 
The first, fastest and easiest way to counter such a problem is to uncheck the "Enable Java" checkbox in your Safari preferences. I haven't enabled Java in well over four years anyway.

I would think disabling Java in your browser preferences should be enough (unless the trojan exploits another hole to get executed after being downloaded).

Not really going to work in this case.
JavaScript (what the browsers run) is not exactly Java. That applet is more of true Java code and could easily run independent of the browser.
 
If you're dumb enough to type your admin password, and sometimes username, along with clicking enter to something you have no idea about.... you deserve it.

I've read the Intego note. It does not specifically say whether or not a person must type an administrator password to get this particular infection. Does anyone have confirmation that it does require an admin password, or have the malware writers figured out a way around that?

I think about Default Folder. I install it for the current user only, which happens to be an administrator user, and it installs without a password being required. So there are ways under OS X to avoid the administrator password, although I don't begin to know when those are. Any insight?

Plus I thought the articles, as well as the Intego note, were a bit misleading. A trojan is not self-replicating and masquerades as a good program, while a worm is generally self-replicating, right? So, is it a worm, a trojan, a virus, or something else?
 
Some people in this thread seem to think this situation is an indication of security problems with Java.

It is not. It really has NOTHING to do with Java.

This sort of thing could be done with ANY language. The security hole is not in Java, it's when the user says YES to the installation.

Like every other Trojan Horse, the only way this works is if the user holds the door open for them to come in.

You can lock the system down as much as you want, but if it ultimately comes down to the user saying "yes" or "no" to things being installed, then we'll get some users who give the wrong answer.
 
The articles state that disabling Java in your browser is effective in preventing infection.

It is referred to as a trojan because it installs via a trojan horse. It installs a rootkit and other elements which by definition require superuser privileges to install given that even the default admin account in Mac OS X follows the principle of least privilege (more so than the default admin account in Windows).
 

Disabling Java if you don't use it is always good advice. Even more effective advice is the following: When you encounter a button that says "Yes", "Allow", "I'm sure", "I'm really really sure", or "Pay", don't just click it right away. Instead, read the accompanying text. Don't click yet! Now think about what the text says. If you think you understand what it says and it seems reasonable in the context of what you're doing right now, click it. If you don't understand it or if you are in doubt, don't click it!

Of course, anyone who is vulnerable to these kinds of attack will probably skip the above paragraph. In fact, they'll probably not use this forum or be able to disable Java either.
 
Yep....

But for all the people claiming such B.S. as "You deserve this for using social networking sites!", or alternately, "If you're so stupid you click to allow something like this to run, you deserve it!" .... come down from your ivory tower or high horse and re-join reality, please!

Maybe THIS time, the trojan isn't designed well enough to fool you, personally ... but there's no reason a bright trojan horse writer couldn't eventually come up with something you really are tricked into running.

It's a well known fact that on today's Internet, many web sites require plug-ins or other add-ons to be downloaded and run, to enable some functionality. Where do you run across this the most? Usually, it has to do with trying to either A) play an online game, or B) view some images/video or listen to some audio.

A lot of you want to write this off as only a problem for the "fool who just clicks yes to every dialog box that pops up". But in my experience, most people aren't just mindlessly clicking these boxes. Rather, they learn by experience what feels "normal" and what doesn't. After a year or more of using web sites and running across many legitimate sites that need "helper" apps downloaded for viewing content? They'd feel like it was just another standard situation if a Facebook video link they tried to view requested permission to install some photo-related add-in first!

The REAL problem is probably the lack of foresight by the developers of Internet standards to provide people with enough built-in tools! If we had things like the new HTML 5 standards from day 1? The majority of 3rd-party web plug-ins and add-ons you see probably would never have existed. But hindsight is 20-20, and things are what they are.



 
Oh I know what the article stated. What I pointed out is that it really does not matter, as it is easily offloaded into true Java code. It is not JavaScript but Java. It could easily be written to use Java and run in a Java based application.
For example, that code could easily be put into something like LimeWire (Java based) and be embedded in that.
 
You are right. The Java portion of this trojan could be added to a Java based app such that it downloaded the trojan, launched the installer, and asked for your password to install.

If the Java app was installed with elevated permissions (so, password) prior to downloading the malicious content then the trojan would not require password entry. This is the vector that the iServices trojan in pirated iWork and other Mac software uses.

As I said in a previous post in this thread, user knowledge is really the only defence against novel trojans. So, don't pirate software and only download open source/free software from safe locations, such as MacUpdate, SourceForge, or developers websites linked to those services.

Luckily the Mac App Store is opening soon, so Mac users will have a curated repository to download software from thus making this issue with novel trojans even less problematic on a Mac than it already has been.
 
To those of you saying "you have to be stupid to blah blah blah" and "it's highlighted in red blah blah blah", keep in mind that you don't see the part in red with the initial message, which will look more like this:

[screenshot]

You don't see the red text and you don't see "not trusted" until you click Show Details. I don't care how smart you are in how many categories, everybody is stupid in something, so save your petty judgements and maybe your mind will open up enough to see how some very smart people who aren't as computer-savvy might be tricked into such a move.

This dialogue shows up for Firefox, Safari uses one with the red text. I'd safely assume Chrome will use a different dialogue box too, as would Opera and all the other browsers. Mozilla should maybe invest some time in making warnings a little more alarming.
 
No, this is a system message that shows the application in question, which in this case happens to be Firefox. It looks the same in Safari...

[screenshot]

Either way, you do not get scary details until you click Show Details...
 