This malware is downloaded from sites as a “video codec” required to view videos.  One such site was brought to my attention by a colleague:

After clicking on the ‘play’ button in the middle of the “video,” the following message is displayed:

If you click the Download Now! button, you will be sent to the following page:

Clicking the Download Now! button here downloads a file named download.dmg into your Downloads folder.  (Could I have said “download” more times in that sentence?)

Opening the downloads.dmg disk image shows that its contents consist of two files: Codec-M Installer and Codec-M Uninstaller.  If you run the installer, the first thing you’ll see is a request to change your web browser’s home page and search engine:

If you leave those boxes in their default checked states, then they will do just what they say.  Your home page and search engine will be set to a dodgy-looking search site.  Searching on that site results in a lot of advertising links and a bunch of results that don’t closely match what a real search engine would give you.  In addition, with those boxes checked, a Safari extension will be installed:

It’s unclear exactly what this extension does.  Sophos’ page describing this malware claims that the extension serves ads, though I did not see this behavior in my testing.  So I can’t comment on what conditions might cause those ads might be served or what form they would take.

Interestingly, if you uncheck those boxes, your preference is actually obeyed!  Your browser home page and search engine are left alone, and in addition, the Safari extension is not installed.

Once the installer completes, in addition to the changes mentioned above, an application named Codec-M.app is installed in your Applications folder.  This application, when opened, appears to provide translation service:

The interface is very basic, but it appears to work.  Though, why something that is supposed to be a video codec might offer translation is beyond me.  Clearly this is not what it is advertised to be.

The only other files of note that get installed are an executable named codecm_uploader, placed in ~/Library/Application Support/Codec-M/, and a LaunchAgent to keep this file running, installed as ~/Library/LaunchAgents/com.codecm.uploader.plist.  What this process is doing is unclear, though Sophos says that it keeps the software updated and reinstalls it if it is removed.

In my brief testing, the malware only tries to call out once, at the time of installation.  It connects to update.codecm.com on port 80, and from examining the packets transmitted, it appears that all that is done is download of the latest version of the software.  Most of the transactions consist of binary data being downloaded…  very little data is actually sent to the server, and none of it looks particularly interesting.  In addition, the Codec-M.app application will connect to a variety of servers: www.whitesmoke.com, which appears to be a very dodgy site and is flagged red by WOT, and a variety of other servers (www.google-analytics.com, upload.wikimedia.org and bits.wikimedia.org), from which it likely downloads its content.

Perhaps the most interesting thing about this malware is the uninstaller.  Believe it or not, the uninstaller actually appears to work!  It will remove the Safari extension, Codec-M.app, codecm_uploader and the LaunchAgent keeping it running.  I have not discovered any other potentially dangerous files left behind after running the uninstaller!

For now, I am not too concerned about this malware.  It does not appear to be particularly dangerous.  The worst thing it seems to do is direct users to dodgy sites, probably in an attempt at click fraud – an attempt at increasing revenue from click-throughs on ads.  And though I am reluctant to tell people to rely on an uninstaller provided by malware, the uninstaller seems to remove all the files that I would tell you to remove anyway.  But, here’s what you need to delete in order to manually remove this malware:

~/Library/Safari/Extensions/codec-M.safariextz
~/Library/Application Support/Codec-M
~/Library/LaunchAgents/com.codecm.uploader.plist
/Applications/Codec-M.app

Note that the ‘~’ in the paths above represent your user folder.  Also note that the Library folder in your user folder is invisible by default in Mac OS X 10.7 (Lion).  To get to that folder, choose Go -> Go to Folder in the Finder and enter “~/Library” (without the quotes) in the box.  Alternately, you can hold down the option key while the Go menu is open, which will cause a Library item to appear…  select that to open the user Library folder.  Finally, note that the codecm_uploader process if found inside the Codec-M folder that you need to remove from Application Support.  You won’t be allowed to empty the trash until you make that process quit, which you can do from Activity Monitor (select codecm_uploader and click the Quit Process button) or by logging out and then logging back in.

Last week, a minor new variation of the Sabpab malware was reported by Sophos.  This new variant apparently has been observed taking advantage of the same Microsoft Office vulnerability as the Tibet malware.  And this week, all within a 24-hour period, came announcements of three other developments.  A minor new variant of Flashback was reported by Intego, using the same Java vulnerabilities, proving that the Flashback hacker(s) are still actively working at infecting people.  A new trojan, named FkCodec, was discovered in Sophos’ threat database, but without any other announcement, details are extremely sparse.  (There have been several reports on the Apple Support Communities from people who have discovered this malware on their systems, but no reports about how it got there or what it does beyond the single-sentence description on the Sophos site.)  And another new bit of malware called Maljava was seen by Symantec, infecting both Mac and Windows users through one of the same Java vulnerabilities that Flashback has been using.

This flood of reports in a one week period, following up on the high infection rates being reported from earlier variants of Flashback, seems concerning.  And Mac users should be concerned!  But it’s very important to understand that there are some very simple things Mac users can do to protect themselves.  First and foremost is ensuring that all software is up-to-date.  Much of the new malware appearing lately has been taking advantage of Java or Microsoft Office vulnerabilities that have already been patched.  Yet many users never update their systems or other software.  This phenomenon was reported on back in February by Sophos, who pointed out that the number of exploits taking advantage of a particular Microsoft Windows vulnerability has been rising since the patch was released, not falling.  It is important to understand that a patch that closes a vulnerability does not discourage hackers from attacking it.  Instead, it points out exactly where a weak point is and how it can be exploited on machines that have not updated.  And since hackers know that many people don’t update software, those updates are essentially invitations for them to write malware.  Once a patch has been released, it is important to update as quickly as possible!

Another thing Mac users need to do is be cautious online.  This does not only mean being careful about what you download, it also means being careful about what technologies you enable in your web browser.  In particular, Java and Flash have been notorious for having more holes than a sieve.  Flashback notwithstanding, both of these should be disabled in all web browsers as a simple precaution.  Java applets are found on only a few web sites, so disabling Java is the best choice for most people.  Flash, unfortunately, is still fairly common, and cannot be as easily disabled.  However, Marc Hoyois’ ClickToFlash Safari extension can help by disabling Flash by default, and allowing you to load specific Flash applets found on a web page one at a time.  (His ClickToPlugin extension blocks more than just Flash, including some Java applets.  However, it’s important to understand that this cannot block all Java applets, and thus cannot be used as a comprehensive defense with regard to Java.)

Some users may not be savvy enough to determine what is and is not safe online, or may simply want some additional peace of mind.  In such cases, anti-virus software can be beneficial.  However, it’s important to understand that there’s a lot of bad anti-virus software out there.  Just to name a few, iAntivirus does not protect against any recent malware, MacScan cannot reliably identify malware and has a tendency to identify false positives and BitDefender does not identify a several items from my malware collection.  Be sure you’re getting something good, that won’t bring your system to a grinding halt with constant background scanning.  Sophos Anti-Virus for Mac Home Edition has been excellent in my testing, and catches every item in my collection.  ClamXav is also good, though it does miss one older variant of Flashback (which, to be fair, hasn’t been sighted in the wild to my knowledge since last year).

As much as Windows-centric news sources and friends would have you believe, it is not time for Mac users to panic and run for cover.  These threats are all fairly minimal for the most part, and all can be easily avoided.  To all those who I have seen express the unprofessional sentiment of happiness at Mac users finally “getting their comeuppance” by being affected by malware, let me just point out that the total number of malware threats to the Mac platform in this century is still several orders of magnitude smaller than the number of new Windows malware programs reportedly appearing per day!

For more information about this topic, see my Mac Malware Guide.

* Those malware counts lump all variants of a particular series together – for example, MacDefender, MacSecurity, MacProtector, etc are all counted as one – with the exception of Flashback, for which I am counting the 2011 Flashback trojan and the 2012 Flashback malware that installs as a drive-by download separately.

There are three updates, each one only relevant to one particular group of Macs:

• Java for OS X Lion 2012-003
  Only for users of Mac OS X 10.7 (Lion) who have Java installed
• Flashback malware removal tool
  Only for users of Mac OS X 10.7 (Lion) who do not have Java installed
• Java for Mac OS X 10.6 Update 8
  Only for users of Mac OS X 10.6 (Snow Leopard)

The need for the “Flashback malware removal tool” update comes from the fact that Lion does not have Java installed by default.  So it could cause even more confusion to try to package a Java update for a computer that doesn’t have Java!  Apple named the update differently, according to the lack of Java, but that name has caused many people to mistakenly download it for the wrong system.  It only works on Lion systems without Java!

Further, it’s important to note that all three updates are exactly the same when it comes to removing the malware.  If you are infected, your machine will be disinfected when you install the update, and you will see a message telling you that.  If you are not infected, however, the update simply installs with no mention of the fact that you were clean.

Finally, if you aren’t sure which update is right for you…  no problem!  Don’t bother trying.  Just run Software Update (found in the Apple menu), and install whichever one shows up there.  If none of those updates show up, look at the Software Update pane in System Preferences.  Do you see one of these updates listed under the Installed Software tab?  If so, you have already installed the update successfully, and your machine should be clean.

If none of these updates have been installed and aren’t showing up as an option, then you either have a problem with your computer or you are running an older system, like Mac OS X 10.5 (Leopard).  There are no updates available for systems older than Snow Leopard.

For more information about Flashback, see About the Flashback malware.

Sabpab, according to Sophos, installs a backdoor that allows the hackers to capture screen snapshots, upload or download files and execute commands on infected Macs remotely.  That is obviously a significant concern, especially since the malware can sneak in unannounced.  Worse, existing tools made for combatting Flashback not have any effect on this malware, since it works a little differently.  It apparently installs two files:

~/Library/Preferences/com.apple.PubSabAgent.pfile
~/Library/LaunchAgents/com.apple.PubSabAGent.plist

(The ‘~’ in those paths represents your user folder.)  Although one variant of Flashback installed a file in the LaunchAgents folder, not all tools for detecting Flashback do anything with that folder.

To check for and remove these files, simply look in those folders.  Unlike with Flashback, none of these files are invisible, so they should be easy to find.  (The exception is the Library folder, which is invisible by default in Lion.  To access your user Library folder, hold down the option key while clicking the Go menu in the Finder, and while still holding down the option key, choose Library.)

Of course, these details may change in a future variant of Sabpab.  It is critical to update Java ASAP and close the holes that the malware can sneak in through!

Sophos Anti-Virus for Mac Home Edition can, of course, already recognize this malware, if properly updated.

It is left a bit unclear exactly what variants of Flashback are removed. Time will tell whether it removes older variants of Flashback, from before the Java attacks began, or if it will only remove the more recent variants. In addition, there were signs today of a new variant of Flashback making the rounds. It will be interesting to see if Apple’s update will remove that. From one report I’ve seen today, it would seem that Sophos does not recognize the new variant yet… if one is comfortable drawing conclusions from a single data point.

In addition to removing Flashback, of course, the update also ensures that Java is updated to the most recent version, which fixes the vulnerabilities Flashback relies on. However, the update also takes things one step further by disabling automatic execution of Java applets. This will help ensure safety in the future if other Java bugs are discovered and exploited. That shows that Apple takes this threat and future threats seriously, and is welcome news!

Unfortunately, users of older systems cannot update, and thus miss all the benefits of these two updaters. Those users would be wise to turn off Java in their web browsers and use F-Secure’s free Flashback removal script to ensure you’re not infected. And as before, users of Lion who have not yet installed Java are completely safe from this particular threat, and do not need the update.

For more information about Flashback, see About the Flashback malware.

In the past, Apple has been criticized for delaying such updates far too long.  Indeed, Java 1.6.0_31 has been available for some time now, but Apple had not made the update available to Mac users.  The fact that they have released these updates today shows that Apple takes this threat very seriously.  Either that or it’s an unbelievably remarkable coincidence of timing!

I highly recommend that everyone who has Java installed (which includes all users of Mac OS X 10.6) install the appropriate update as soon as possible.    However, given the proven insecurity of Java, I would still recommend keeping it turned off in your web browser.

F-Secure posted details of the discovery today.  They have also posted instructions on how to identify an infection, though I do not recommend relying on them.  Flashback is notorious for randomizing the names of files that it installs on your system, and using names of other software so that those files may “blend in.”  I also do not recommend using any removal instructions, which F-Secure and others have also posted, due to the same issue.  Removal of this trojan is not trivial, and some variants have been known to do permanent damage to the system, which can only be repaired with a fresh installation.  If you are infected, I recommend erasing the hard drive and reinstalling the system and all applications from scratch.  Do not copy anything over from backups of the infected system except files you know you created.  Migration Assistant is your enemy, as it will import too much, and may reinfect the clean system.

Symptoms of infection may include behavior described in Flashback infections becoming widespread, and also commonly involves crashing of multiple apps, usually Safari.  However, it is important to keep in mind that you may not see these symptoms, and if you do, it may be too late, as the malware may have stolen personal data by that time.  Do not wait until you see symptoms.  Turn off Java immediately, and if you are running Lion and have not yet installed Java, you should seriously consider not installing it at all.

Some may make the claim that this malware is a non-issue, because the patch for the vulnerability it relies on was released by Microsoft on June 9, 2009 – nearly three years ago.  However, many people never install updates.  As Sophos pointed out in February, malware authors often target patched vulnerabilities, knowing that people will be running outdated systems for ridiculously long periods of time.  Since many Mac users upgrading to Lion were caught flat-footed by the discovery that MS Office 2004 – an 8-year-old product – will not run in Lion gives ample evidence to support the idea that there are many people using outdated versions of MS Office.

Users should be advised to install any available updates for MS Office as soon as possible, or start using an alternative to MS Office (such as OpenOffice, NeoOffice, LibreOffice or Apple’s Pages).

This new trojan is still very under-documented.  Intego, as per their usual form, provides almost no details about what the malware does, and AlienVault Labs, which has extensive documentation on the Windows version of this trojan, barely mentions the Mac at all.  So, at this time, there is no indication what files are installed or whether the malware injects code into other apps like Flashback.  It is also unclear how the malware behaves on machines with Java updated to patch those vulnerabilities.  There is no mention of Tibet.A using social exploits, as Flashback does, to trick the user into installing it in that case, or if it simply fails to install.  Intego does say, however, that there are no symptoms of infection unless you have software installed to monitor outgoing network connections.

Most of the world is probably not at much risk at the moment, since the perpetrators of this malware appear to be using it exclusively to target Tibetan activists.  However, it is always possible that this malware will accidentally infect others as well, or that the hackers behind it will widen the target audience.  As I recommended with Flashback, you should turn of Java in your web browser and make sure that Java is up-to-date by running Software Update.  Or, even better, if you are running Mac OS X 10.7 (Lion) and have not yet installed Java, don’t do so.