New Flashback trojan variant uses novel delivery to infect Macs

Once installed on the machine, the Flashback trojan, which was first discovered in September, disables the Mac’s security software and installs a dynamic loader library and auto-launch code, allowing it to inject code into applications the user launches. The injected code connects to a remote server and sends information about the infected Mac to that server.

The new variant infects Macs by exploiting two Java vulnerabilities, so that no user action is needed, Intego explained in its Mac Security Blog. The current version of Java for Mac OS X, however, already patches both vulnerabilities.

“If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue”, Intego explained.

“Found in the wild, this new variant installs an executable file in the /tmp directory, applies executable permissions with the chmod command, then launches the executable with the nohup command. The Flashback backdoor is then active with no indication to users that anything untoward has happened”, it added.
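A defender-side check for the installation pattern Intego describes (an executable dropped into /tmp, made executable with chmod, then launched in the background with nohup), written here as an added example rather than anything from the article or from Intego. It assumes a POSIX shell and a ps that accepts `-eo pid=,args=` (Linux and macOS both do), and takes the directory to inspect as an argument so it can be pointed at any path.

```shell
#!/bin/sh
# Added example: look for the two observable traces of the dropper
# behaviour described above, in a temp directory passed as $1.

# List regular files with an execute bit set directly under $1
# (hidden files included, subdirectories not descended), one per line.
find_temp_executables() {
    dir="$1"
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] && [ -x "$f" ] && printf '%s\n' "$f"
    done | sort
}

# List running processes whose command line refers to a path under $1,
# which is what a nohup'd binary launched from that directory looks like.
# Assumption: ps supports -eo pid=,args= (procps and macOS ps do).
# The awk filter drops our own awk process, whose -v argument contains $dir.
running_from_dir() {
    dir="$1"
    ps -eo pid=,args= 2>/dev/null | awk -v d="$dir/" '$2 != "awk" && index($0, d)'
}

# Print a short report for the directory; exit status is always 0 so the
# check can be run from cron without aborting on an empty result.
report_dir() {
    dir="$1"
    echo "== executable files in $dir =="
    find_temp_executables "$dir"
    echo "== running processes referencing $dir =="
    running_from_dir "$dir"
    return 0
}

report_dir "${1:-/tmp}"
```

Anything the report lists deserves a look at its owner, modification time and what launched it; on a healthy system the executable list for /tmp is normally empty.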