OFFICIAL SECURITY BLOG


Another Tibet variant appears

Published September 10th, 2013 at 2:47 PM EDT , modified September 10th, 2013 at 2:47 PM EDT

It has been a little more than a year since the last new variant of the Tibet malware was discovered, but today, Intego reported that a fourth variant has been found. They are calling this new variant OSX/Tibet.D. There are a few important lessons we can learn from this malware.

First, it should be noted that this variant returns to the original Tibet trick of using Java vulnerabilities to get itself installed. We haven’t seen much of that lately, but this goes to show that just because it’s been quiet, you can’t assume that Java is safe. I’m sure that regular readers will not be affected by this malware, since they will probably have long ago taken my advice about the huge, slow-motion train wreck that is Java and disabled it in their web browsers. I’ve said it many times before, and I’m sure I’ll have to say it again: if you have not disabled Java, I can’t advise you strongly enough to do so now!

Second, it’s interesting to note that Intego’s VirusBarrier apparently detected the new variant of Tibet, despite never having seen it before. I guess the code didn’t change much since a year ago. This is an important point, though, since one of the major arguments made by people who crusade religiously against anti-virus software is that it cannot catch anything that hasn’t already been seen. Clearly, although that certainly is going to be the case with brand-new malware, that’s not a fact graven in stone.

The truth is, hackers are often lazy, and will reuse code that is sometimes years old. One might wonder why they do such a thing, which increases the odds of their malware being caught by anti-virus software. However, if you think about it from their point of view, what’s the benefit of working hard to bypass some anti-virus software installed by a savvy user, who may notice something fishy going on and put an end to the shenanigans anyway? It’s much easier to rely on being able to infect the unsavvy users who aren’t running anti-virus software, in much the same way that e-mail scams are often wildly ridiculous specifically for the purpose of fooling only the most gullible.

In the end, if you have Java turned off and keep your system up-to-date, you have little to fear. If you are one of those folks who, for whatever reason, has to engage in more risky behavior, using good anti-virus software would not be a bad idea. (See my Mac Malware Guide for more information to help you decide whether anti-virus software is for you.)


2 Comments

  • Al says:

    > one of the major arguments made by people who crusade religiously against anti-virus software is that it cannot catch anything that hasn’t already been seen.

    Yes, I’m one of those patiently waiting for proof that anybody had found a totally new piece of malware through some sort of heuristic behavior analysis. To me it’s a long way from having written a signature that will apply to a wide variety of variants to being able to find something brand new through other means. I give Little Snitch credit for alerting lots of users to the Java version of Flashback, but other examples seem to be more elusive.

  • Sid Cannon says:

    I get what you’re saying Thomas, but the majority of the time, especially in the Windows world, zero day malware will bypass every AV out there.

    Source: Experience
