New Tibet malware variant found for OS X


ID: IRCNE2013091959
Date: 2013-09-14

According to "cnet", a new variant of the Tibet malware for OS X has been found. This variant uses a recently patched Java exploit to install a backdoor service in targeted systems and allow a remote hacker to log in and steal files.
The malware has been packaged in ZIP files, or as applications disguised as images or other file types. When run, it installs a backdoor program that allows a remote user to log in and steal personal information.
This so-called Tibet malware has until now had three known variants, the last of which was found over a year ago.
While prior versions of the malware disguised installers as benign files, or exploited vulnerabilities in Office applications, this new variant uses a recently patched Java exploit to install the malware. When done, the following hidden application runs, as well as a corresponding global launch agent that keeps the application running in the background:
/Library/Audio/Plug-Ins/Components/AudioService
/Library/LaunchAgents/com.apple.AudioService.plist
Given the nature of the Java exploit used for this attack, these malicious files are installed without any prompt for a password.
To check for and remove this malware, simply go to the above folders in your system and remove the corresponding files, if they exist, and then restart your system to clear any instances of the malware that are running in the background.
This malware is by no means widespread, and even though Oracle has fixed the flaws for this vulnerability in Java and Apple has issued updates to its XProtect service that force the use of the latest Java versions in OS X, there may be some who might encounter either it or other malware that uses similar exploits. Therefore, to help protect yourself from such attacks there are several things you can do.
1. Update your system
2. Disable Java
3. Monitor launch agent and launch daemon folders
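
The check described above and the folder monitoring in step 3 can be scripted. The following is an added example, not part of the original advisory: the two file paths are the ones the advisory names, while the function names, the optional root-directory argument and the 7-day window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names and the 7-day
# default window are assumptions; the two file paths come from the advisory.

IOC_PATHS="/Library/Audio/Plug-Ins/Components/AudioService
/Library/LaunchAgents/com.apple.AudioService.plist"

# Print every advisory path that exists under ROOT ("" = the running system).
check_tibet_iocs() {
    root="${1:-}"
    # The paths contain no spaces, so plain word splitting is safe here.
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
        fi
    done
    return 0
}

# Print launch agent/daemon plists under ROOT modified in the last DAYS days.
recent_launch_items() {
    root="${1:-}"
    days="${2:-7}"
    for d in /Library/LaunchAgents /Library/LaunchDaemons; do
        if [ -d "$root$d" ]; then
            find "$root$d" -type f -name '*.plist' -mtime "-$days" -print
        fi
    done
    return 0
}

# Report for the running system, or for a mounted volume passed as $1.
target="${1:-}"
hits=$(check_tibet_iocs "$target")
if [ -n "$hits" ]; then
    echo "Files named in the advisory are present:"
    echo "$hits"
else
    echo "None of the files named in the advisory were found."
fi
echo "Launch items changed in the last 7 days (review any you do not recognise):"
recent_launch_items "$target" 7
```

The script only reports; removal and the restart remain the manual steps given above. Per-user launch agent folders are not covered by this example.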
