The Flashback Trojan is proving to be a very agile bit of code. It’s mutated several times since it was initially discovered last year, and its newest iteration will let itself onto your system with or without your permission.
The newest iteration, dubbed OSX/Flashback.K, exploits a known weakness in Java SE6. The Trojan is capable of installing itself onto a host system without the need for an admin password. According to the security firm F-Secure, “On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.”
Once it has infected the system, the Trojan will attempt to download a payload (the code for the main piece of malware) from a remote host and install it in one of two ways, depending on whether or not the user entered the admin password. The installed malware then hijacks the Safari browser every time Safari launches and redirects the user to a targeted website.
The vulnerability was patched in February for Windows systems, but Apple has yet to release a patch for OS X. F-Secure has instructions for testing for and manually removing Flashback.K. It also suggests deactivating Java on your machine until a patch is released.
The only time that Flashback.K aborts its infection is when it encounters paths for MS Word, MS Office 2008, MS Office 2011, or Skype. If it does, the Trojan will uninstall itself immediately, likely to avoid conflicting with these programs and alerting the user to its presence. [F-Secure via PC World]