The Flashback Trojan that infected 600,000 Apple Macs earlier this month still has a very high infection rate, despite the fact that Apple has already patched the Java vulnerability and released a removal tool.
On top of that, a new Flashback variant installs without prompting the user for a password, according to security firm Intego.
This version, which Intego refers to as Flashback.S, places its files in the user’s home folder, at the following locations:
Once Flashback.S installs itself, it then deletes all files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac. By doing this, it is able to avoid detection or sample recovery, according to the security firm.
This recent variant is interesting compared to the one found two months ago. That one asks for administrative privileges, but does not require them. If you give it permission, it will install itself into the Applications folder where it will silently hook itself into Firefox and Safari, and launch whenever you open one of the two browsers. If you don’t give it permission, it will install itself to the user accounts folder, where it can run in a more global manner, launching itself whenever any application launches, but it is easier to detect.
Researchers first found Flashback in September 2011 masquerading as a fake Adobe Flash Player installer. A month later, a variant that disables Mac OS X antivirus signature updates was in the wild.
In the past few months, Flashback has evolved to exploit Java vulnerabilities. This means it doesn’t require any user intervention if the user has not patched Java on his Mac. All a user has to do is visit a malicious website, and the malware will automatically download and install.
Meanwhile, two other Mac-specific Trojans are out there: One exploits Java and another exploits Microsoft Word. Security firm Kaspersky confirmed what many have been saying for years: As Macs are becoming more popular, malware writers are increasingly targeting them.