Cross-platform malware Jacksbot found in the wild

Published November 1st, 2012 at 7:19 AM EDT, modified November 1st, 2012 at 9:47 PM EDT

It has been fairly quiet in the Mac malware world lately, but there is one minor annoyance that has finally surfaced. A couple weeks ago, Intego announced discovery of a new cross-platform remote access tool, which they called Jacksbot. At the time, although they called it a trojan, they had never seen it in the wild, and had no idea how it would get installed on a user’s machine. According to a post on the Trend Micro website on Tuesday, however, it has now been found on a couple machines in the wild.

Jacksbot is a Java application, which allows it to run on any system. Note that this is different from a Java applet embedded on a web site. Java applications are downloaded and opened just like any other application, except that they require a Java Runtime Environment (JRE) to be installed and enabled in order to run. So, from the start, Jacksbot’s effectiveness in Mac OS X will be limited, since recent versions of Mac OS X no longer include a JRE by default and will disable Java systemwide after about a month of disuse.

However, although Jacksbot can be used as a multi-purpose remote access tool, it appears to be specifically designed to look for Minecraft passwords. Since Minecraft requires Java, and frequent players of Minecraft will have Java installed and enabled, they will be vulnerable to this malware. Trend Micro does not know how this malware gets onto people’s systems either, but they theorize that it may be pretending to be a Minecraft mod, to be downloaded and installed by players who want to change the behavior of Minecraft somehow.

It also appears, according to Trend Micro, that the malware authors have primarily focused on Windows. Trend Micro leaves it a little vague just how Windows-focused the malware is, and the example they give of functionality that only works on Windows is rather non-threatening. It’s safe to assume some functionality won’t work on a Mac, but how much, and which functionality, is up in the air to some degree.

Ultimately, this malware is not a serious threat to Mac users at this point. If you happen to play Minecraft, though, you should probably be cautious about what mods you download. Of course, that is simply good general advice anyway, as there have been other malicious Minecraft mods in the past. Minecraft mods appear to be Java code, and as such can probably do anything a Java app could do.

4 Comments

  • Someone says:

    So, to clarify: If you don’t play Minecraft, you don’t particularly need to worry about this thing?

    • Thomas says:

      Pretty much, yes, according to the information currently available about it. It could be modified later to be more dangerous, and to go beyond its apparent Minecraft connection, much as Flashback changed from being a fake Flash installer to being something that got installed behind the scenes through a Java vulnerability. However, regardless of what happens, it’s still just a Java app, and you can eliminate all threat it poses entirely by disabling (or not installing) Java.

  • Newbie says:

    Thanks for the updates, Thomas! I bought my MacBook Pro not too long ago and your advice is really making me feel comfortable with this system; it’s also made me much more aware surfing the internet in general. Thanks!

  • Someone says:

    I’ve read a lot of the articles you’ve posted, and I’m with the crowd: you’re a computer lifesaver. I first found out about this website through an Apple Support thing regarding MacKeeper (the biggest “technically not a scam” piece of crap in the history of mankind)… best computer advice website ever. Kudos to you.