Symantec Employee
ryan_mcgann
Posts: 864
Registered: ‎01-10-2009

Java vulnerability, Flashback Trojan and Norton

[ Edited ]

We have gotten several questions about this, so I thought I would post here publicly. Normally, it's policy to not comment on threats added to our definitions, since we consider it part of our job--we don't like to toot our own horn, so to speak. But this has received a fair amount of press. See here:

http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-a...

 

For those unfamiliar, the implementation of Java in Mac OS X has a vulnerability that lets a malicious Web site gain access to your Mac. When you visit a Web site with the malicious Java applet, it downloads a trojan to your Mac. If you run the trojan, it sets up a "botnet" that can remotely control your Mac, all just by visiting a harmful Web page.

 

Norton will protect you in the following ways:

 

  • Norton SafeWeb, part of the Safe Surfing feature in Norton Internet Security, will block these harmful Web pages after they have been classified as "bad" by SafeWeb. This will block Web sites that are known to be harmful.
  • Norton Vulnerability Protection, part of Norton AntiVirus and Norton Internet Security, detects the harmful Java applets in several of its signatures. It also reports these Web sites to Norton SafeWeb, so they become part of the Norton SafeWeb list of "bad web sites".
  • Norton DeepSight, part of Norton Internet Security, will block the trojan's activity to the botnet, if you set it to block "Incoming and Outgoing connections".
  • Norton AntiVirus will detect the trojan that the Java applet downloads to your Mac.

You can make sure you have the latest virus and vulnerability protection definitions by running LiveUpdate manually, but these definitions should have been downloaded already. No further action should be necessary unless you are already infected. You can enable the additional protection Norton DeepSight provides by changing it to block outgoing connections.

 

Ryan McGann
Principal Software Engineer
Macintosh Products & Solutions
Symantec
Newbie
ragenkagen
Posts: 2
Registered: ‎04-05-2012

Re: Java vulnerability, Flashback Trojan and Norton

[ Edited ]

Ryan,

 

Does this apply to SEP too, or is there a link to where this is addressed for SEP Mac clients? My Information Security Officer is wanting to know what Symantec is doing to address this, but this is the only info I can find from Symantec relating to the newer, Java-based variants.

 

Thank you

Symantec Employee
ryan_mcgann
Posts: 864
Registered: ‎01-10-2009

Re: Java vulnerability, Flashback Trojan and Norton

SEP includes antivirus protection, so the information above regarding Norton AntiVirus applies. However, the other features are not part of SEP yet.

 

So in short, SEP will detect this threat using the managed antivirus features in SEP.

Ryan McGann
Principal Software Engineer
Macintosh Products & Solutions
Symantec
Newbie
ragenkagen
Posts: 2
Registered: ‎04-05-2012

Re: Java vulnerability, Flashback Trojan and Norton

Thanks!

karigane
Posts: 237
Topics: 9
Kudos: 19
Solutions: 25
Registered: ‎11-10-2009

Re: Java vulnerability, Flashback Trojan and Norton

Just to verify, the SafeWeb/Safe Surfing feature is not available if you only use (recent versions of) the Safari browser, correct?

 

Perhaps it would help to list the browsers that are/aren't supported, so no one is misled by thinking they're protected from these harmful web pages (or phishing attacks), when they actually aren't?

 

Also, as Ryan mentioned, DeepSight only blocks incoming connections by default.  You'd need to go to the Firewall's advanced settings to enable DeepSight to also block outgoing connections.

Bot Obliterator
Quads
Posts: 16,435
Registered: ‎07-21-2008

Re: Java vulnerability, Flashback Trojan and Norton

 

Quads

Symantec Employee
ryan_mcgann
Posts: 864
Registered: ‎01-10-2009

Re: Java vulnerability, Flashback Trojan and Norton

I have gotten a couple of private messages here and via e-mail asking how to know if you are protected from this threat.

 

Please look for the following Vulnerability Protection signature(s):

Web Attack: JRE Concurrency CVE-2012-0507 3

Web Attack: Malicious Java Download 4

Web Attack: Malicious Java Download 6

 

These signatures all block the Java applet from running when you visit an infected/malicious Web site.

 

You can also check for this signature:

OSX.Flashback

 

This signature blocks the trojan that is downloaded by the Java applet.

 

Thanks,

Ryan

Ryan McGann
Principal Software Engineer
Macintosh Products & Solutions
Symantec
Bot Obliterator
Quads
Posts: 16,435
Registered: ‎07-21-2008

Re: Java vulnerability, Flashback Trojan and Norton

 

How many samples have you got of this family??

 

Quads 

Symantec Employee
ryan_mcgann
Posts: 864
Registered: ‎01-10-2009

Re: Java vulnerability, Flashback Trojan and Norton

I'm not in Security Response, so I can't really comment on how many samples we have, nor how many detections we have gotten, as that data is all closely guarded by Security Response.

 

However, if you have a sample of a virus, any kind, you are encouraged to submit it to https://submit.symantec.com/websubmit/retail.cgi

 

Be sure to use "Flashback" in the Symptoms. 

Ryan McGann
Principal Software Engineer
Macintosh Products & Solutions
Symantec