Mysterious new malware takes down multiple companies
Published February 19th, 2013 at 5:47 PM EDT , modified February 20th, 2013 at 11:28 AM EDT
This has been quite an interesting month in security news. Multiple major companies have been hacked, including Apple themselves, and there are rumors of yet another new bit of malware for the Mac. Yet all is still rather unclear. Is this all related? It’s probably too soon to say for sure, but I am guessing that it may be.
It all started on February 1, when Twitter announced that it had been hacked. The attackers made off with information that gave them access to 250,000 accounts. In response, Twitter reset the passwords on those accounts. Twitter made note of the fact that the attack was very sophisticated, and not the work of amateurs. Although they have made it sound like the problem is solved now, recent high-profile Twitter account hacks, like the Burger King hack, lead me to wonder if that is actually the case.
Then, on February 15, Facebook announced that they had fallen victim to a sophisticated attack as well, although no user data was compromised. They provided additional information, saying that a few employees were infected by malware embedded in a hacked developer web site. Further, they added that the machines in question were fully up-to-date and were running anti-virus software, yet were nonetheless infected.
Yesterday, F-Secure connected these two events. They also showed that they had discovered a new piece of malware, submitted to VirusTotal the day before the Twitter hack occurred. This malware evidently infects Macs (as confirmed by Intego, who named it “Pintsized”) and disguises itself as printing software. It appears to open a back door that allows remote control by the attackers, and is probably dropped by some kind of exploit. It would seem this is done through a Java vulnerability, though Facebook’s claim that the infected machines were “fully patched” is concerning, and may indicate a new, as-yet undiscovered vulnerability.
The biggest bomb dropped today, as multiple sources (such as Sophos, SecurityWeek and MacLife) are reporting that Apple itself has been hacked. The attack reportedly also came through a hacked developer web site – presumably the same site that caused the Facebook infection. According to a MacWorld report, Apple has already released a new Java update that protects against this malware and removes it, if found. As with Flashback, it sounds as if the update will alert the user if the malware was found, but will probably remain silent if not.
This is all very serious and concerning news. So how should you respond? Fortunately, it sounds as if you need do nothing at all if you are not running Java in your web browser. If you have Mac OS X 10.7 or later and have not installed Java, or if you have Java installed but have disabled it in your web browser, you should be safe.
On the other hand, if you have Java installed, you should check for system updates immediately (choose Software Update from the Apple menu), and install any Java-related updates. Then, you should seriously reconsider the notion of using Java at all. Java has become such a liability, in fact, that it is probably advisable to only run Java in a completely isolated virtual machine, or on a computer dedicated to nothing other than running Java in the web browser. Even keeping Java enabled only on trusted sites is no longer enough. Any site can be hacked, and a trusted site can suddenly become a carrier of malware. Do yourself a favor and just end your relationship with Java once and for all!
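The two checks described above (is Java on this Mac at all, and if so, are there pending Java updates and is the browser plug-in switched on) can be scripted. The following is an added example, not code from the original post or from Apple; it assumes the standard OS X 10.7/10.8 locations for the applet plug-in and the Java runtimes, and assumes Safari stores its Java switch under the preference key WebKitJavaEnabled.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Mac for Java and the
# browser applet plug-in, then report whether a Java update check is needed.
# Assumptions: the OS X 10.7/10.8 install locations listed in java_audit,
# and Safari's WebKitJavaEnabled preference key.

# find_present PATH...: print each of the given paths that exists, one per line.
find_present() {
    for p in "$@"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# count_present PATH...: print how many of the given paths exist.
count_present() {
    n=0
    for p in "$@"; do
        if [ -e "$p" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# java_verdict COUNT: "absent" when no Java component was found (nothing to
# do, per the post), "present" otherwise (update now, then consider removal).
java_verdict() {
    if [ "$1" -eq 0 ]; then
        printf 'absent\n'
    else
        printf 'present\n'
    fi
}

# java_audit: run the checks against the assumed OS X locations.
java_audit() {
    set -- "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" \
           "/Library/Java/JavaVirtualMachines" \
           "/System/Library/Java/JavaVirtualMachines"
    echo "Java components found:"
    find_present "$@"
    found=$(count_present "$@")
    case "$(java_verdict "$found")" in
        absent)
            echo "No Java runtime or applet plug-in found; nothing to do." ;;
        present)
            echo "Java is installed. Java items in Software Update (softwareupdate -l):"
            softwareupdate -l 2>&1 | grep -i java || echo "  none listed"
            # Safari's plug-in switch; the key name is an assumption. 1 = enabled.
            enabled=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)
            echo "Safari WebKitJavaEnabled: ${enabled:-not set}" ;;
    esac
}

# The live audit only makes sense on a Mac; the helper functions run anywhere.
if [ "$(uname -s)" = "Darwin" ]; then
    java_audit
fi
```

Run it as a normal user; `softwareupdate -l` needs network access to list pending updates, and a result of "present" means the post's advice applies: install the Java update first, then decide whether Java needs to stay on the machine at all.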