More than 600,000 Macs infected with Flashback Trojan downloader

Leeky


Investigations by Russian antivirus firm Dr. Web have concluded that more than 600,000 Mac computers are currently infected by the new strain of the Flashback Trojan, with 56.6% of the infected machines believed to be in the US alone. Apple released an update earlier this week to patch vulnerabilities in Java that could be exploited to run malicious code on a victim's computer, including by the newest strain of the Trojan in question, but the update only protects machines that are not already compromised by the malware.

Dr. Web revealed on their website yesterday morning that the Flashback botnet was some 550,000 strong. Later that day, malware analyst Sorokin Ivan revised that figure to more than 600,000 on Twitter.


According to Dr. Web, the US has the most infections, with 56.6% of the machines infected with the BackDoor.Flashback.39 malware. Of those 300,000-plus US machines, the Russian antivirus firm also revealed that 274 were in Cupertino. Canada had the second highest share with 19.8%, the UK has 12.8%, and Australia is fourth with 6.1% of the total number of infected machines.

Internet security firm F-Secure has published detailed instructions on how to check whether your Mac is infected and how to remove the Trojan if it is. Notably, they state that the malware can infect a computer even without administrative permissions: "Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done."

The initial route to infection is the same in every case. First the user visits a website that has been compromised to serve the Flashback malware. When the page loads, the script is executed and immediately checks for the presence of several antivirus products. Should any be detected, the script deletes itself and takes no further action.

If it finds none, the malware connects to a specified URL and downloads the payload, then installs it and infects the Mac. It does this in one of two ways, depending on whether the user supplies an administrator password when prompted.


If the user declines, the malware first searches for Microsoft Office 2008, Office 2011 and Word, as well as for Skype. If it finds none of these, it creates several files in the user's home folder and adds a launch point in "~/.MacOSX/environment.plist", the file from which the login session exports environment variables to every process the user starts. A DYLD_INSERT_LIBRARIES entry there makes the dynamic linker load the malware's library into each program the user runs, with no administrative privileges required.

If the user grants administrative permission, the infection takes the other path: several files are created inside Safari's "/Applications/Safari.app/Contents/Resources" folder, and a launch point (an LSEnvironment entry that sets DYLD_INSERT_LIBRARIES) is added to "/Applications/Safari.app/Contents/Info.plist", so the malware is loaded whenever Safari runs.
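A check for the two launch points just described, as an added example for this page rather than code from the article, Dr. Web or F-Secure: it inspects the same two property lists that `defaults read` would, using only Python's standard plistlib, so the logic also runs on a non-Mac host against the constructed sample plists embedded in the block. The default paths are the real OS X locations; the library file names in the samples are placeholders, not Flashback's real file names.

```python
"""Check the two Flashback persistence points described above.

Added example for this page, not Dr. Web's or F-Secure's tooling. It
inspects the same two property lists that `defaults read` would, using
only the standard library, so the logic also runs on a non-Mac host
against the constructed sample plists embedded below. The library file
names in the samples are placeholders, not Flashback's real file names.
"""
import os
import plistlib
import sys
from xml.parsers.expat import ExpatError

# Real OS X locations of the two launch points (assumed as defaults).
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENVIRONMENT_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

# Constructed samples: a clean Safari Info.plist, one carrying the
# administrator-path launch point, and a user environment.plist carrying
# the no-password launch point. Library paths are hypothetical.
SAMPLE_CLEAN_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

SAMPLE_INFECTED_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.example.dylib</string>
  </dict>
</dict></plist>"""

SAMPLE_INFECTED_ENV = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/demo/.example.dylib</string>
</dict></plist>"""


def parse_plist(data):
    """Parse XML or binary plist bytes into a dict; {} if empty or malformed."""
    try:
        value = plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return {}
    return value if isinstance(value, dict) else {}


def load_plist(path):
    """Read a plist file; a missing file is the clean case, not an error."""
    try:
        with open(path, "rb") as fh:
            return parse_plist(fh.read())
    except OSError:
        return {}


def split_libraries(value):
    """DYLD_INSERT_LIBRARIES is a colon-separated list of dylib paths."""
    return [p for p in str(value).split(":") if p]


def scan_plists(info_plist, environment_plist):
    """Return (where, library) findings from already-parsed plists.

    A clean Safari Info.plist has no LSEnvironment key at all, and a clean
    account normally has no ~/.MacOSX/environment.plist; any
    DYLD_INSERT_LIBRARIES in either place is loaded by dyld into the
    affected processes and deserves a look.
    """
    findings = []
    ls_env = info_plist.get("LSEnvironment")
    if isinstance(ls_env, dict):
        for lib in split_libraries(ls_env.get("DYLD_INSERT_LIBRARIES", "")):
            findings.append(("LSEnvironment in Safari Info.plist", lib))
    for lib in split_libraries(environment_plist.get("DYLD_INSERT_LIBRARIES", "")):
        findings.append(("~/.MacOSX/environment.plist", lib))
    return findings


def scan_system(info_path=SAFARI_INFO_PLIST, env_path=USER_ENVIRONMENT_PLIST):
    """Scan the live machine (or two explicit paths) for the launch points."""
    return scan_plists(load_plist(info_path), load_plist(env_path))


def main(argv=None):
    """Run against the live system; exit 1 if either launch point is present."""
    argv = sys.argv[1:] if argv is None else argv
    findings = scan_system(*argv) if len(argv) == 2 else scan_system()
    if not findings:
        print("No DYLD_INSERT_LIBRARIES launch point found in either location.")
        return 0
    for where, lib in findings:
        print("SUSPICIOUS: %s loads %s" % (where, lib))
    print("Follow the F-Secure removal instructions; the Java patch alone does not clean this.")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments on the Mac itself, or pass two plist paths to check copies pulled from another machine. A missing file is treated as clean on purpose: neither launch point exists on an uninfected system, so the absence of ~/.MacOSX/environment.plist is the expected result, which is also what the "does not exist" response from `defaults read` means.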

Another notable point is the way the code has been written. It takes full advantage of the average Mac user's belief that their computer cannot get infected and therefore needs no antivirus product. Users of certain internet security products will therefore not have been infected; the malware appears to have been written specifically to target machines with none installed.

It is also important to note that installing Apple's latest security patches is not enough to resolve the issue for those already infected. Many are now questioning whether Apple could have done more to prevent infections on such a massive scale, especially since Oracle had patches available back in February, yet Apple took almost two months longer to release them for its platform.


 
I haven't been infected, thank you ClamXav, and well done to my lack of ignorance in enabling the Mac OS X built-in firewall. Let's be honest here though: this is not the first time Java has been under this sort of publicity. I also believe there was a similar thing with Flash, and that's why, ladies and gentlemen, I have moved on from making websites with Flash. HTML5 FTW!
 
Techm633 said:
I can't wait to watch Apple and its iSheep followers explain this one away..... LOL!!

They won't; they will turn it on other brands. They will now use the excuse of "Well, now we are getting more popular".

If I remember rightly there was an iPod virus a few years ago; all of that got shoved onto Microsoft (TBH Apple was the carrier of the virus; it didn't do anything until you plugged it into a Microsoft computer, and it infected millions of other portable storage devices around the world).

And I will say I think lots of the Apple fanboys that were so ignorant about the virus thing are dying off or keeping very quiet these days. I worked with a contractor in a school when we were fitting Mac OS X into the music department, and I asked him his views on viruses. I stated that if they were more popular they would be getting attacked more, and because of that I wanted to install antivirus software across the network, and his response to this was "Macs getting viruses is and always will be a myth". I wonder where he is now?
 
Quote: "Queue someone laughing with the "no viruses for Mac" adagio..."

This is just an urban myth that died out in the early 2000s. And the people that do say it are just silly. It's a good thing that Windows has no silly users.
 
Quote: "They won't; they will turn it on other brands. They will now use the excuse of "Well, now we are getting more popular"."

Are you saying they are getting malware now because they are NOT getting more popular? True reasons are never excuses but rather reasons.
 
Guest said:
Quote: "They won't; they will turn it on other brands. They will now use the excuse of "Well, now we are getting more popular"."

Are you saying they are getting malware now because they are NOT getting more popular? True reasons are never excuses but rather reasons.

I think they're getting them because groups that make viruses want to be the ones that did. I'm not one to be saying anything about popularity, as I simply don't know what the figures are on the number of users from one system to the next; I'm just speculating on what might happen or be said.
 
Not really surprising, as the Mac people don't think they can get viruses, since they have been told that. If you can't get them, there's no need to protect your computer; no protection means you are more likely to get something.
 
For those that have a Mac and didn't click through on instructions to see if you are infected, I'll put how here. Open Terminal and copy paste.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If that comes back with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" then copy paste this in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that comes back with "The domain/default pair of (/Users/YourUserName/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are safe. If it doesn't, click through on the link in the article for the F-Secure removal page.

Aside from that, it is interesting that the trojan backs out if it finds an AV or Little Snitch installed. The article gives an explanation for why that is. But if you don't put in your password, the trojan also backs out if you have Word, Office 2008 or 2011, or Skype. I don't understand the reasoning for backing out with those apps installed.

Also, just a note to everyone calling this a virus. It isn't; it is a trojan. That doesn't change the fact that a Mac can be 'infected', and most attacks on computers now are trojans rather than viruses. I'm only pointing this out because you are getting the terminology wrong, and when you are doing so to laugh at Mac users it makes you sound about as informed on things as you perceive a Mac user to be.
 
Guest said:
Quote: "Queue someone laughing with the "no viruses for Mac" adagio..."

This is just an urban myth that died out in the early 2000s. And the people that do say it are just silly. It's a good thing that Windows has no silly users.

An urban myth? They should probably tell their apostles in the Apple Stores then - I've heard that "Macs don't have viruses" diatribe spouted off multiple times in the last 6 months (in different stores) as part of the sales pitch to convince hapless buyers as to why the Macbook is "worth so much more than a PC."
 
SNGX1275 said:
For those that have a Mac and didn't click through on instructions to see if you are infected, I'll put how here. Open Terminal and copy paste.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If that comes back with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" then copy paste this in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that comes back with "The domain/default pair of (/Users/YourUserName/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are safe. If it doesn't, click through on the link in the article for the F-Secure removal page.

Aside from that, it is interesting that the trojan backs out if it finds an AV or Little Snitch installed. The article gives an explanation for why that is. But if you don't put in your password, the trojan also backs out if you have Word, Office 2008 or 2011, or Skype. I don't understand the reasoning for backing out with those apps installed.

Also, just a note to everyone calling this a virus. It isn't; it is a trojan. That doesn't change the fact that a Mac can be 'infected', and most attacks on computers now are trojans rather than viruses. I'm only pointing this out because you are getting the terminology wrong, and when you are doing so to laugh at Mac users it makes you sound about as informed on things as you perceive a Mac user to be.

It's all well and good trying to argue the difference between the terms virus and trojan, but as long as it got through, it's still open to other things happening. For a while now, Windows machines that get infected with a trojan often fall apart from there, getting viruses shortly afterwards depending on the type of attack the trojan is scripted to do. People have tried and failed before to argue the difference between the two, but with AV software reporting trojans as found viruses, you're not going to change anyone's mind or terminology for explaining that they have a virus or trojan.

And yeah, I agree fanboyism is rife. I've been fighting it for years but I feel the need to give up!
 
Also, just a note to everyone calling this a virus. It isn't, it is a trojan.
Forgive my ignorance, as I've always thought of a trojan as being a special type of virus. I've always seen virus as a general term for all infection aside from ad-ware.

Since you brought it up, I can see now that virus has a category to itself.

Malware includes: (Malware Wikipedia link)
  • computer viruses
  • worms
  • trojan horses
  • spyware
  • adware
  • most rootkits
To be honest I've never really separated spyware and adware into their own categories either. :/

Instead of keeping up with which one belongs to what category, I will refer to everything as malware.
 
cliffordcooley said:
Also, just a note to everyone calling this a virus. It isn't, it is a trojan.
Forgive my ignorance, as I've always thought of a trojan as being a special type of virus. I've always seen virus as a general term for all infection aside from ad-ware.

Since you brought it up, I can see now that virus has a category to itself.

Malware includes: (Malware Wikipedia link)
  • computer viruses
  • worms
  • trojan horses
  • spyware
  • adware
  • most rootkits
To be honest I've never really separated spyware and adware into their own categories either. :/

Instead of keeping up with which one belongs to what category, I will refer to everything as malware.

You just proved my point above: most people (I'm also guilty, as above) find it quicker and easier to just place them under one term. The average user cares not for the difference but worries just as much all the same, be it virus, trojan, malware, etc.
 
That's fine, I even put in my post that it doesn't make much difference because the Mac is still being 'infected'. I'm just saying, everyone loves these threads because it's free rein to bash the Mac community. In one breath (even in this thread) people say they are hearing diatribes about Macs not getting viruses, then in the next breath they are citing this as an example. The terminology exists, and the people that get all excited about reading how a Mac has a trojan vulnerability are using incorrect terminology.

So at the time you are laughing at Macs "don't get viruses", the people you are making fun of for saying that are still technically correct.

So there is a distinction in it.

Now, having said that, to paraphrase something I saw elsewhere, this all fits into the realm of "stuff I don't want on my Mac". So in the general sense, your point is made and understood.

I'm just saying that it seems like people's anti-Mac attitude gets the best of them in these threads, and then confusing or not knowing the difference in the terms makes you sound just as uninformed as the Mac users you love to hate.

All it takes is 1 more letter of typing to type 'trojan' rather than 'virus' and this could be avoided (but then that would have reduced the amount of posts in this thread significantly).

Edit - just in my typing this post, a guest further proved my point.
 
Something very important is missing from the comments: this issue is only caused by holes in third-party software. Apple has stopped bundling Flash and Java on OS X since Lion because of these kinds of security issues.
 
mario said:
Something very important is missing from the comments: this issue is only caused by holes in third-party software. Apple has stopped bundling Flash and Java on OS X since Lion because of these kinds of security issues.
You're trying to shift the blame away from Apple but the point everyone is making is that the OS X platform is vulnerable, which it is. Doesn't matter if it's through third-party holes or not. The point is that the OS X platform can be and is being exploited.
 
Definitely fair points, SNGX1275... But arguing semantics over "virus" vs "trojan" can cloud part of the bigger picture: there is a direct correlation that is relevant to the typical layperson when looking at Macs and security. For example, the Apple salespersons that I observed selling the "Macs don't get viruses" mantra were claiming that the Mac is "so secure that you don't need that horrible security software PCs require" as part of their sales pitch. As most in the PC world know, security software catches a multitude of evildoers, virus and trojan alike. So that "Macs can't catch viruses" belief can spill over into a false sense of security in the general populace, who really don't necessarily know the difference between a virus, worm, trojan, etc. And this propagated attitude of some kind of mystical superiority tends to cause uneducated users to let their guard down (or never even have it up to begin with), allowing things like these trojans to sneak in.
 
Any software can be compromised. ANY, ANYWHERE period. It is the nature of executing instructions.

Regardless, Macs still fare multitudes better in this regard, mainly due to four related factors:

1. Less proliferation
2. Higher price of entry
3. Quality control
4. More locked down

As OS X transitions to the iOS way of doing things, 3 and 4 will become the prominent factors for its superiority in regard to infection.
 
Of course the US would have the highest percentage :(

That's just because Apple computers are more populous in the US than in other regions of the world. I don't think anyone should take it as any indication of the intelligence of those using them; it's a simple case of them outnumbering the computers sold in other countries like the UK, for example.

@Mario,

Very true, but the fact that Apple took almost two months to ship the patches that Oracle released in February is inescapable. The principal point here is that Apple shouldn't have taken the removal route; they should have fixed it sooner. I don't feel that stopping it being shipped by default in OS X Lion, or saying people "shouldn't" install them, is a good enough answer, as it does nothing to solve the underlying problem. It just masks it.

We're not talking about a backyard software developer here, we're talking about two huge software development houses (Oracle/Apple) that have untold resources to address these issues in a timely fashion.

Quite simply put, Apple took far too long to respond. When you consider that the new strain of the Flashback Trojan was identified in the wild at the beginning of March, yet it took Apple until the beginning of April to address the original flaws (which at the time didn't even include this strain) it is inexcusable.

The blame rests solely on Apple here. It might be a third party package, but given that Apple continues to exert control over their upgrades they also take responsibility for any consequent actions as a result.

It makes you wonder what the real state of play could have been had Apple actually immediately released the required patches to render the exploits unusable. Would we be sat here now with over half a million infected Macs? I doubt it.

For the record, I'm a long-term Mac user, and have had Apple Mac computers for pretty much the entire time I've been using computers in general. I even did my computer studies on Apple PowerPCs back in the day (as well as Acorn RISC machines).

EDIT: While we're on the subject of OS X and the culture of its invincibility, I'm often surprised by the lengths Apple employees go to when selling them to PC users. To say OS X cannot get viruses or malware is grossly incorrect. Even Apple's own website is misleading: PC viruses are a thing of the past due to the difference in architecture, but the underlying impression it gives is that Macs cannot get viruses.

While there may be very few of any massive potential risk in the wild currently, it lures new users into a false sense of security, and once they stop worrying about infection risks it becomes a distant memory. That's without the common misconception that malware and Trojans are viruses. To the average uninformed person they are one and the same, which is precisely why these issues happen.
 
Is anyone actually surprised? Crapple software cannot get any less secure than they already are.
 