Kudos4

Java vulnerability, Flashback Trojan and Norton

We have gotten several questions about this, so I thought I would post here publicly. Normally, it's policy to not comment on threats added to our definitions, since we consider it part of our job--we don't like to toot our own horn, so to speak. But this has received a fair amount of press. See here:

http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars

For those unfamiliar, the implementation of Java in Mac OS X has a vulnerability that lets a malicious Web site gain access to your Mac. When you visit a Web site with the malicious Java applet, it downloads a trojan to your Mac. If you run the trojan, it sets up a "botnet" that can remotely control your Mac, all just by visiting a harmful Web page.

Norton will protect you in the following ways:

  • Norton SafeWeb, part of the Safe Surfing feature in Norton Internet Security, will block these harmful Web pages after they have been classified as "bad" by SafeWeb. This will block Web sites that are known to be harmful.
  • Norton Vulnerability Protection, part of Norton AntiVirus and Norton Internet Security, detects the harmful Java applets in several of its signatures. It also reports these Web sites to Norton SafeWeb, so they become part of the Norton SafeWeb list of "bad web sites".
  • Norton DeepSight, part of Norton Internet Security, will block the trojan's activity to the botnet, if you set it to block "Incoming and Outgoing connections".
  • Norton AntiVirus will detect the trojan that the Java applet downloads to your Mac.

You can make sure you have the latest virus and vulnerability protection definitions by running LiveUpdate manually, but these definitions should have been downloaded already. No further action should be necessary unless you are already infected. You can enable the additional protection Norton DeepSight provides by changing it to block outgoing connections.

Ryan McGann, Principal Software Engineer, Macintosh Products & Solutions, Symantec

Replies

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Ryan,

Does this apply to SEP too or is there a link to where this is addressed for SEP Mac clients? My Information Security Officer is wanting to know what Symantec is doing to address this, but this is the only info I can find from Symantec relating to the newer, Java-based variants.

Thank you

Kudos1

Re: Java vulnerability, Flashback Trojan and Norton

SEP includes antivirus protection, so the information above regarding Norton AntiVirus applies. However the other features are not part of SEP yet.

So in short, SEP will detect this threat using the managed antivirus features in SEP.

Ryan McGann, Principal Software Engineer, Macintosh Products & Solutions, Symantec
Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Thanks!

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Just to verify, the SafeWeb/Safe Surfing feature is not available if you only use (recent versions of) the Safari browser, correct?

Perhaps it would help to list the browsers that are/aren't supported, so no one is misled by thinking they're protected from these harmful web pages (or phishing attacks), when they actually aren't?

Also, as Ryan mentioned, DeepSight only blocks incoming connections by default.  You'd need to go to the Firewall's advanced settings to enable DeepSight to also block outgoing connections.

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Quads

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

I have gotten a couple of private messages here and via e-mail asking how to know if you are protected from this threat.

Please look for the following Vulnerability Protection signature(s):

Web Attack: JRE Concurrency CVE-2012-0507 3

Web Attack: Malicious Java Download 4

Web Attack: Malicious Java Download 6

These signatures all block the Java applet from running when you visit an infected/malicious Web site.

You can also check for this signature:

OSX.Flashback

This signature blocks the trojan that is downloaded by the Java applet.

Thanks,

Ryan

Ryan McGann, Principal Software Engineer, Macintosh Products & Solutions, Symantec
Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

ryan_mcgann

How many samples have you got of this family??

Quads 

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

I'm not in Security Response, so I can't really comment on how many samples we have, nor how many detections we have gotten, as that data is all closely guarded by Security Response.

However, if you have a sample of a virus, any kind, you are encouraged to submit it to https://submit.symantec.com/websubmit/retail.cgi

Be sure to use "Flashback" in the Symptoms. 

Ryan McGann, Principal Software Engineer, Macintosh Products & Solutions, Symantec
Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

I have 20+ samples

"......................any kind, you are encouraged to submit it to https://submit.symantec.com/websubmit/retail.cgi" I don't need that link, it is slower.

Quads

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Contact me privately if you would like to provide samples but don't want to use the provided link. Send me a private message here on the forums and I will get the samples to Security Response.

Thanks,

Ryan

Ryan McGann, Principal Software Engineer, Macintosh Products & Solutions, Symantec
Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Ryan,

I've checked for all the signatures you indicated, and have them all except for the OSX.Flashback.  I also found out that Deep Sight was not set to block outgoing but I have since changed that.

I have run LiveUpdate every other hour, and I still don't have the signature OSX.Flashback.  How (or where) would I get this signature?

I hope this makes sense, as I'm not too familiar with the terminology, but I think you may understand what I'm trying to say.

Thanks.

S.

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton


sabatine2004 wrote:

Ryan,

I've checked for all the signatures you indicated, and have them all except for the OSX.Flashback.  I also found out that Deep Sight was not set to block outgoing but I have since changed that.

I have run LiveUpdate every other hour, and I still don't have the signature OSX.Flashback.  How (or where) would I get this signature?

I hope this makes sense, as I'm not too familiar with the terminology, but I think you may understand what I'm trying to say.

Thanks.

S.


The OSX.Flashback detection is a Virus Definition while the others mentioned in Ryan's original post are Vulnerability signatures.

I'm not sure how NAV 12 is set-up, but in NAV 11 the Vulnerability Definitions are in the 'Automatic Protection' pane -> 'Vulnerability Protection' -> 'Configure...' button, while the Virus Definitions are listed in: "Tools -> Virus Definition Information" menu.

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Hi Timothy,

Thank you very much for the explanation.  I was able to locate it.  

Cheers,

S.

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Apple have released a removal tool also http://support.apple.com/kb/DL1517

Quads

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Symantec released a Removal Tool last week (I believe).

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

"No further action should be necessary unless you are already infected."

Hi Ryan,

Thank you for the helpful information.

My question is: how can I determine if I am already infected, as you described, now that I have just installed the latest updates?

Joseph

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Read the 2 posts above yours, simple enough I think.

Quads

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Thanks for the referral. But the Apple removal tool is only for Lion, while I have 10.5. And the link to the Norton removal tool does not function. I would appreciate any suggestions. I just want to know if I am infected. Maybe I don't need to worry about removal.

Kudos0

Re: Java vulnerability, Flashback Trojan and Norton

Another Link to download the Symantec Removal Tool for Flashback.
