Over 600,000 Macs infected with Flashback Trojan

Source 1, Source 2

I am using the title from source 2 (the less flamebaity title), but the content is from source 1 (a nice summary). I haven't seen this covered on the main page or in the forums; if it has been, mods please merge topics.

For Mac owners, the nightmare scenario finally arrived. A piece of malware called Flashback, which has been in existence and steadily evolving for at least seven months, has infected more than 600,000 Macs worldwide, based on forensic analysis by a Russian antivirus company.

What makes this outbreak especially chilling is that the owners of infected Macs didn't have to fall for social engineering, give away their administrative password, or do something stupid. All they had to do was visit a web page using a Mac that had a current version of Java installed.

I'm not surprised.

Last May, I wrote a post titled "Why malware for Macs is on its way," in which I pointed out evidence that a "tipping point" was near, thanks to the growing popularity of Apple's software:

A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.

Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.

So now the question is when will that day come? This year? Next year?

We now know the answer.

If you think 600,000 users isn't a lot, let's put it in perspective. According to the latest statistics from Net Market Share, there are roughly 13 Windows PCs for every Mac in the world. So an equivalent infection rate in the Windows population would translate to 7.8 million Windows PCs.

And that?s for one strain of one malware attack, launched over a very short period of time.

This won't be the last, either. Unfortunately, the Mac community is ill-prepared for a sophisticated wave of attacks like these. Here's why.

These attacks are designed to be quiet. The gang that unleashed Mac Defender last year was anything but quiet. Their business model was based on being very visible and convincing victims to pay for a rogue antivirus product that would remove the malware they had just installed. By being so obvious, they forced a response (and some of them wound up in jail). This gang, by contrast, managed to infect 600,000 machines while barely tripping any alarms.

Macs are not immune. For years Apple owners have been told that Macs don't get viruses, but we know that's not true. And Apple's casual approach to security updates makes them arguably more vulnerable to this sort of attack than other platforms. Like all operating systems, OS X has its share of vulnerabilities that can be exploited. In that May 2011 post, I looked at a single OS X update, which repaired 23 separate vulnerabilities:

Every one of the vulnerabilities in the April update had existed in OS X for a minimum of 18 months before being patched. Every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction. If an attacker develops a successful exploit of one of those vulnerabilities, your system can be compromised, silently and with deadly effect, if you simply download a document, view a movie or image, or visit a website.

That's an awfully big window of opportunity. And that pattern is found in other OS X updates.

Third-party software is an ideal vector. The current exploit is triggered by a known flaw in Java, which was installed on every copy of OS X until the release of Lion (OS X 10.7) last summer. The flaw was reported in January and patched by Oracle in February, but the Apple version of Java didn't get a patch until early April. So for several months, every Mac owner was vulnerable unless they took specific steps to remove or disable Java.

Security expert Brian Krebs points out that this behavior by Apple is sadly typical:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple's
and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java, Oracle Corp., first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple's performance on this front has improved, but its lackadaisical (and often
) response to patching dangerous security holes perpetuates the harmful myth that Mac users don't need to be concerned about malware attacks.

Similar recent attacks have successfully targeted vulnerabilities in Word on Macs. And there?s no reason not to expect attacks against other vulnerabilities in other popular third-party products like Adobe Reader and Skype.

Older Macs are especially vulnerable. According to the latest Net Market Share data, 17% of Macs worldwide are running Leopard (OS X 10.5) and Tiger (OS X 10.4), older versions of OS X that are no longer officially supported. The Java update that blocks this exploit is available for Leopard, but at least one Leopard user I spoke with says it hasn?t been offered to his Mac via Apple Software Update.

And the biggest problem of all, as any Windows security researcher can tell you, is that a large number of PC owners don?t install updates regularly or at all. On Windows PCs, for example, the most commonly found malware in 2010 was installed using an exploit that had been patched years earlier:

Conficker's means of propagation is a vulnerability in the Windows Server service. This vulnerability was fixed in October 2008 by
, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008. (Windows 7 was never affected.) There's no excuse for that patch not being installed nearly two years later, in 2010.

Mac owners are human beings, just like their counterparts who own PCs. Some nontrivial percentage of them will ignore this and other updates and will be vulnerable to this sort of attack.

Antivirus software alone won't help. The makers of Windows-based malware know how to build executable packages that change with every installation. These polymorphic viruses frustrate signature-based defenses. Apple added automatic updates to its XProtect lists as a response to Mac Defender last year, and that list has been updated 47 times in the past 11 months. But it's useless against even a moderately sophisticated attacker.

It looks like the Mac malware industry has moved out of testing and into active deployment. For the bad guys, it's a tremendous untapped market. And all the pieces are now in place for a long-term problem with no easy solutions.

Link to comment
Share on other sites
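The quoted article argues that a fixed signature list such as XProtect's is useless against a payload that changes with every installation. The script below is an added example, not code from the article, from Apple or from any real scanner, and it models nothing about Flashback itself: it uses a constructed, harmless "payload" string, a toy XOR packer that picks a fresh key per install, a byte-pattern scanner that catches the unpacked payload but none of the packed variants, and a generic unpack-then-scan step that catches all of them. Every name, the stub marker and the signature pattern are made up for illustration.

```python
"""Fixed byte signatures versus a per-install polymorphic packer (toy model)."""
import os
from typing import Dict, Optional

# Constructed stand-in for a malicious payload: harmless text, no real code.
PAYLOAD = b"FAKE PAYLOAD: download stage two from c2.invalid and run it"

# A blocklist scanner ships fixed byte patterns lifted from known samples.
# The pattern here is constructed; it is the first 20 bytes of the payload.
SIGNATURES: Dict[str, bytes] = {"Toy.Downloader.A": PAYLOAD[:20]}

# The small unpacker every variant carries. The packed body after it differs
# per install, so a signature taken from one sample misses the next one.
STUB = b"XORSTUB:"
KEY_LEN = 8


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_variant(payload: bytes = PAYLOAD, key: Optional[bytes] = None) -> bytes:
    """'Polymorphic' packer: a fresh random key per install unless one is given."""
    key = key if key is not None else os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return STUB + key + xor(payload, key)


def signature_scan(sample: bytes) -> Optional[str]:
    """Plain byte-pattern match, which is all a signature list can do."""
    for name, pattern in SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def unpack(sample: bytes) -> Optional[bytes]:
    """Generic unpacker: recognise the stub, recover the key, decode the body."""
    if not sample.startswith(STUB):
        return None
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    return xor(sample[len(STUB) + KEY_LEN:], key)


def unpack_and_scan(sample: bytes) -> Optional[str]:
    """Scan what the sample would become at run time, not its packed bytes."""
    inner = unpack(sample)
    return signature_scan(inner if inner is not None else sample)


def demo(n_variants: int = 5) -> dict:
    """Build n fresh variants and count hits for both scanning strategies."""
    variants = [build_variant() for _ in range(n_variants)]
    return {
        "plain_payload_hit": signature_scan(PAYLOAD),
        "distinct_packed_samples": len(set(variants)),
        "signature_hits_on_packed": sum(signature_scan(v) is not None for v in variants),
        "unpack_hits_on_packed": sum(unpack_and_scan(v) is not None for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the toy is the ratio in the last two counters: the byte signature matches the one unpacked sample it was written from and nothing else, while a scanner that reproduces the unpack step matches every variant. The caveat is that `unpack` keys on the stub marker, which is itself a signature; a real attacker rotates the stub too, which is why practical detection has to fall back on what the code does (network connections, persistence, the process it injects into) rather than on any fixed bytes.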

but but but... Macs don't have viruses and are the most secure OS \s

People don't realize that no OS is totally secure.

I agree with this. However, the safest OSes are the ones where users can get all their applications from a managed repository/app store, like iOS, Android (with sideloading disabled by default), or GNU/Linux, etc. I've never seen or heard of an actively spreading virus or piece of malware on Linux. It's possible but unlikely. There are so many configurations/distros out there that mass infections on this scale are near impossible.

Link to comment
Share on other sites

but but but... Macs don't have viruses and are the most secure OS \s

People don't realize that no OS is totally secure.

Correct me if I'm wrong, but the issue here is that Apple took ages to patch a known security hole. If so, it makes it even worse than the other OSes imo :p

Link to comment
Share on other sites

Correct me if I'm wrong, but the issue here is that Apple took ages to patch a known security hole. If so, it makes it even worse than the other OSes imo :p

I won't say it's a worse OS, but it is worse in terms of security and fixing security issues.

Apple has enjoyed long years of freedom from virus issues due to its small presence in the market, but that has changed.

On the other hand, MS improved Windows 8 in terms of security and even included MSE by default.

I would love to run 8 on a Mac with Parallels Desktop.

Link to comment
Share on other sites

Checked my systems. None of them are infected (probably because we don't visit questionable websites).

I wouldn't even have Java installed if it weren't for Creative Suite (ugh, Adobe). :hmmm: Apple definitely needs to release patches to third-party software that they manage more quickly though.

Link to comment
Share on other sites
