updated 01:35 am EST, Thu March 8, 2012
Malware may sniff for user names, passwords
A new malware threat dubbed Flashback.N is actually a variant of an older one, claims anti-virus software maker Intego in a new blog post. Users who visit hacked or maliciously crafted websites may see a delay, followed by a false password-request dialog box claiming to be from "Software Update." If accidentally installed, the malware inserts code into Safari's resources and will attempt to search network traffic for user names and passwords.
The malware seems to be found most often on sites hosting out-of-date WordPress blogs, a weakness that allows hackers to install a backdoor on the servers. The backdoor then tries to redirect Mac users to the sites that pop up the false "Software Update" password dialog. The difference between the "fake" Software Update alert and a real one is pictured below.
Intego also says it has found evidence that the authors of the Flashback malware, which has recently been trying to exploit holes in Java to present false certificates, are the same people behind the Mac Defender "fake anti-virus" malware last spring.
The company urges those hosting WordPress sites to make sure their WordPress software is up to date and that their administrative passwords are strong. A false plug-in for WordPress called "ToolsPack" should also be avoided, as it is the software that installs the backdoor on the server.
Mac users should be aware of the difference between a false Software Update dialog box and a real one and avoid supplying their password to a Software Update dialog that pops up while visiting a strange website. Intego users are already protected from the malware, and Apple is likely to update its anti-malware definitions in the near future to prevent the pop-up from succeeding in installing malicious code.
Genuine Software Update dialog