
Mysterious new malware takes down multiple companies

Published February 19th, 2013 at 5:47 PM EST , modified February 20th, 2013 at 11:28 AM EST

This has been quite an interesting month in security news. Multiple major companies have been hacked, including Apple themselves, and there are rumors of yet another new bit of malware for the Mac. Yet all is still rather unclear. Is this all related? It’s probably too soon to say for sure, but I am guessing that it may be.

It all started on February 1, when Twitter announced that it had been hacked. The attackers made off with information that gave them access to 250,000 accounts. In response, Twitter reset the passwords on those accounts. Twitter made note of the fact that the attack was very sophisticated, and not the work of amateurs. Although they have made it sound like the problem is solved now, recent high-profile Twitter account hacks, like the Burger King hack, lead me to wonder if that is actually the case.

Then, on February 15, Facebook announced that they had fallen victim to a sophisticated attack as well, although no user data was compromised. They provided additional information, saying that a few employees were infected by malware embedded in a hacked developer web site. Further, they added that the machines in question were fully up-to-date and were running anti-virus software, yet were nonetheless infected.

Yesterday, F-Secure connected these two events. They also showed that they had discovered a new piece of malware, submitted to VirusTotal the day before the Twitter hack occurred. This malware, as confirmed by Intego (who named it “Pintsized”), infects Macs and disguises itself as printing software. It appears to open a back door that allows remote control by hackers, and is probably dropped by some kind of exploit. It would seem this is done through a Java vulnerability, though Facebook’s claim that the infected machines were “fully patched” is concerning, and may indicate that this is a new, as-yet undiscovered vulnerability.

The biggest bomb dropped today, as multiple sources (such as Sophos, SecurityWeek and MacLife) are reporting that Apple itself has been hacked. The attack reportedly also came through a hacked developer web site – presumably the same site that caused the Facebook infection. According to a MacWorld report, Apple has already released a new Java update that protects against this malware as well as removing it, if found. As with Flashback, it sounds as if the update will alert the user if the malware was found, but will probably remain silent if not.

This is all very serious and concerning news. So how should you respond? Fortunately, it sounds as if you need to do nothing at all if you are not running Java in your web browser. If you have Mac OS X 10.7 or later and have not installed Java, or if you have Java installed but have disabled it in your web browser, you should be safe.

On the other hand, if you have Java installed, you should check for system updates immediately (choose Software Update from the Apple menu), and install any Java-related updates. Then, you should seriously reconsider the notion of using Java at all. Java has become such a liability, in fact, that it is probably advisable to only run Java in a completely isolated virtual machine, or on a computer dedicated to nothing other than running Java in the web browser. Even keeping Java enabled only on trusted sites is no longer enough. Any site can be hacked, and a trusted site can suddenly become a carrier of malware. Do yourself a favor and just end your relationship with Java once and for all!
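As an added example (not part of the original post), here is a small shell audit that applies the advice above: it reports whether the Java browser plugin or a Java runtime is present at the usual Apple install locations, and whether Safari's Java setting is on. The directory paths, the `com.apple.Safari WebKitJavaEnabled` preference key and the `softwareupdate -l` listing are assumptions of this example rather than anything the post states; each function takes a root prefix so the logic can be exercised against a constructed directory tree on any system.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Mac's exposure to
# in-browser Java. Install locations assumed by this example:
#   /Library/Internet Plug-Ins/JavaAppletPlugin.plugin  (browser plugin)
#   /Library/Java/JavaVirtualMachines                   (Oracle Java)
#   /System/Library/Java/JavaVirtualMachines            (Apple Java 6)
# Each function takes a root prefix (empty for the live system) so the
# checks can be run against a constructed directory tree.

# 0 if the Java applet plugin bundle exists under ROOT, 1 otherwise.
java_plugin_present() {
    [ -d "${1:-}/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" ]
}

# 0 if a Java runtime is installed under ROOT, 1 otherwise.
java_runtime_present() {
    [ -d "${1:-}/Library/Java/JavaVirtualMachines" ] ||
    [ -d "${1:-}/System/Library/Java/JavaVirtualMachines" ]
}

# Print one verdict word. $1 = root prefix, $2 = Safari Java flag (1 or 0).
#   EXPOSED             plugin present and Java enabled in Safari
#   INSTALLED-DISABLED  plugin present but Java turned off in Safari
#   RUNTIME-ONLY        Java runtime present, no browser plugin
#   NOT-INSTALLED       no Java found
java_exposure() {
    root="${1:-}"
    enabled="${2:-0}"
    if java_plugin_present "$root"; then
        if [ "$enabled" = "1" ]; then
            echo EXPOSED
        else
            echo INSTALLED-DISABLED
        fi
    elif java_runtime_present "$root"; then
        echo RUNTIME-ONLY
    else
        echo NOT-INSTALLED
    fi
}

# Advice for each verdict, following the post's recommendations.
java_advice() {
    case "$1" in
        EXPOSED)            echo "Disable Java in the browser and run Software Update now" ;;
        INSTALLED-DISABLED) echo "Java is off in Safari; still install any Java updates offered" ;;
        RUNTIME-ONLY)       echo "No browser plugin; keep the runtime updated or remove it" ;;
        NOT-INSTALLED)      echo "Nothing to do" ;;
        *)                  echo "Unknown verdict: $1"; return 1 ;;
    esac
}

# Live run on a Mac only; the Safari flag is read from the WebKitJavaEnabled
# preference key (an assumption of this example). Elsewhere only the
# functions are defined.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    flag=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null || echo 0)
    verdict=$(java_exposure "" "$flag")
    echo "$verdict: $(java_advice "$verdict")"
    # List pending Apple updates so any Java-related one stands out.
    softwareupdate -l 2>/dev/null | grep -i java || echo "No Java update pending"
fi
```

Run it as `sh java_audit.sh` on the Mac in question; an EXPOSED verdict means the plugin is both installed and switched on in Safari, which is exactly the configuration the post says to get out of before doing anything else.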


9 Comments

  • Hester says:

    I have java disabled in my web browser at all times. Though I still got the Java update in Software Update. Should I still install it?

    • Thomas says:

      Absolutely! Even though you’re not using Java in the web browser, you still have Java installed if that update shows up. You should update it just in case you ever decide to turn on Java in the browser for some reason, or in case someone else borrows your computer and turns it on.

  • Someone says:

    In paragraph 4, you say it “disguises itself and printer software.” Do you mean “disguises itself AS printer software?”

    Oh, and by the way, I don’t get why anyone still bothers with Java. It’s not like you haven’t said anything about its dangerousness… 🙂 What do you really need it for?

  • Daniel says:

    Unfortunately I still need it for Adobe Illustrator. I have it disabled in the browser but don’t get why Adobe is still insisting on using it for their products.

    • Thomas says:

      Using Java apps locally is entirely different than allowing Java applets embedded in web pages to run. The latter is where the real security issues are. The former is no more dangerous than running any other app.

  • Gavin says:

    I’m curious what Mr. Reed’s views are about F-Secure’s theory that this was about tampering with the source code for mobile applications. What they seem to imply (even if they don’t quite say it) is that this a roundabout route to install IOS malware. That (if true) would be a very different concern.

  • aalien says:

    Daniel:
    You don’t need Java to use Adobe Illustrator.
    Go to folder “HD > Applications > Adobe > Adobe Illustrator > Illustrator Formats” and delete the file “FXGFileFormat.aip”.

    Illustrator only asks for Java to have compatibility with these OLD plugins, for some kind of backwards compatibility. I give you my word you don’t need it and you will be using Illustrator with NO PROBLEM.

    Some weeks ago (when I started to post on Thomas’s website my concerns about Java) I almost installed Java to use Illustrator BUT then figured out the reason.

    SO my advice: Delete the plugin and uninstall Java.

  • aalien says:

    If you’re not sure and don’t trust me do this:
    1 – Take the plugin file out of the folder and keep it in another location (for backup reasons if you aren’t sure about my advice);
    2 – Uninstall Java and open Illustrator;
    3 – If you want to go back just put the plugin in the folder again and install the UPDATED version of Java;

    Also please pass this info on after you confirm that it’s true because you’re not an isolated case. I contacted Adobe about this issue YET they don’t give a f*** about it. So I posted the solution in the Adobe Forums but they did not delete it, so they know there are no side effects. Pass this info on on Twitter etc. to let people know about this and maybe Adobe removes this stupid old plugin from their releases… I know a lot (really a lot) of people who didn’t know about this (from my faculty, and I already made hundreds of people uninstall Java because they thought they needed it to use Illustrator, it’s just ridiculous)… If you need it in future just put it back in the folder, so maybe it’s a good thing to save it to the Documents folder for instance… I deleted mine eheheh

    About this situation:
    Of course it’s all related! No doubt!
    It’s like a snowball rolling down the mountain, it only keeps getting bigger…
    After Twitter they got access to people’s (and companies’ administrators’ and developers’) info, giving them access to other levels. Even if they don’t crack the “companies’ computers” they can still do it to related persons and family members, always giving them some kind of vulnerability…

  • Softwarewith hackApps says:

    I do agree with all of the ideas you have introduced in your post. They’re very convincing and can definitely work. Nonetheless, the posts are too brief for beginners. May just you please extend them a little from subsequent time? Thank you for the post.
