Mac security specialist Intego has discovered a new variant of the Flashback Trojan that exploits a Java vulnerability that Apple has patched.
Flashback.S doesn’t require a password to install. The malware places its files in the user’s home folder, at two distinct locations:
Then it deletes all files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac. The Austin, Texas-based security vendor has several samples of this new Flashback variant which, it claims, “is actively being distributed in the wild.”
If Intego VirusBarrier X6, Xcode or Little Snitch is installed on the targeted Mac, this variant of the Flashback Trojan will not install.
Intego stresses that its VirusBarrier X6, with malware definitions dated April 23, 2012 or later, will detect and remove all variants of the Flashback malware.
Users are infected by Flashback.S when they browse to compromised or malicious sites; the tactic is called a “drive-by” because it requires no user action beyond visiting a URL.