More than 600,000 Macs infected with Flashback Trojan downloader

By Lee Kaelin on April 5, 2012, 9:00 AM

Investigations by Russian antivirus firm Dr. Web have concluded that more than 600,000 Mac computers are currently infected by the new strain of the Flashback Trojan, with a massive 56.6% of the total infected machines believed to be in the US alone. Apple released an update earlier this week to patch vulnerabilities in Java that could be exploited to run malicious code on a victim's computer, including the newest strain of the Trojan in question, but this will only protect those that are not already compromised by the malware.

Dr. Web revealed on their website yesterday morning that the Flashback botnet was some 550,000 strong. Later that day, malware analyst Sorokin Ivan revised that figure to more than 600,000 on Twitter.

According to Dr. Web, the US has the most infections, with 56.6% of the total infected with the BackDoor.Flashback.39 malware. Of those 300,000-plus infected machines, the Russian antivirus firm also revealed that 274 were in Cupertino. Canada had the second highest infection rate with 19.8%, the UK had 12.8%, and Australia was in fourth place with 6.1% of the total number of infected machines.

Internet security firm F-Secure has published detailed instructions on how to verify and remove the Trojan should your Mac computer already be infected. Interestingly, they state that the malware can infect a computer even without administrative permissions. "Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done."

The initial route to infection is the same in both cases. First the user visits a website that has been infected with the Flashback malware. When the infected webpage loads, the script executes and immediately checks for the presence of several antivirus products. If any are detected, the script deletes itself and takes no further action.

If it doesn't find any, the malware connects to a specified URL and downloads the payload, which it then installs to infect the Mac. It appears to do this in one of two separate ways, depending on whether the user grants administrative permissions.


For those that refuse to grant them, the malware searches for the Microsoft Office 2008, 2011 and Word applications, as well as for Skype. If it fails to find these, it creates several files in the userspace area and creates a launch point in "~/.MacOSX/environment.plist" in the Mac user's home folder.

Those that grant administrative permission will find the infection follows another pathway: several files are created inside Safari's "/Applications/Safari.app/Contents/Resources" folder, and a launch point is created in "/Applications/Safari.app/Contents/Info.plist" to start the malware whenever Safari is run.

Another point of particular interest is the way the code has been written. It appears to take full advantage of the average Mac user's notion that their computer can't get infected and therefore doesn't need an antivirus product installed. Those using certain internet security products will therefore not have been infected; the malware appears to have been written specifically to target those with none installed.

It's also important to note that the installation of the latest security patches from Apple is not enough to resolve the issue for those already infected. Many are now questioning whether Apple could have done more to prevent infections on such a massive scale, especially since Oracle had patches available back in February, but Apple took almost two months longer to release them on their platform.




User Comments: 41

bielius said:

That's a lot, but they can't compare to PC's yet

SalaSSin said:

Queue someone laughing with the "no viruses for Mac" adagio...

Wait, i just did it...

Sunny87 said:

I haven't been infected, thank you ClamXav, and well done to my lack of ignorance enabling Mac OS X's built-in firewall. Let's be honest here though, this is not the first time Java has been under this sort of publicity; I also believe there was a similar thing with Flash, and that's why, ladies and gentlemen, I have moved on from making websites with Flash. HTML5 ftw!

TechM633 said:

I can't wait to watch Apple and its iSheep followers explain this one away.....LOL!!

Sunny87 said:

Techm633 said:

I can't wait to watch Apple and its iSheep followers explain this one away.....LOL!!

They won't, they will turn it on other brands, they will now use the excuse of "Well now we are getting more popular"

If I remember rightly there was an iPod virus a few years ago, all of that got shoved to Microsoft (tbh Apple was the carrier of the virus, it didn't do anything until you plugged it into a Microsoft computer and it infected millions of other portable storage devices around the world)

And I will say I think lots of the Apple fanboys that were so ignorant to the virus thing are dying off or keeping very quiet these days. I worked with a contractor in a school when we were fitting Mac OS X into the music department, and I asked him his views on viruses and I stated that if they were more popular they would be getting attacked more, and because I wanted to install antivirus software across the network, and his response to this was "Mac's getting viruses is and always will be a myth". I wonder where he is now?

Guest said:

quote: "Queue someone laughing with the "no viruses for Mac" adagio..."

This is just an urban myth that died out in the early 2000's. And the people that do say it are just silly. It's a good thing that Windows has no silly users.

Guest said:

quote: "They won't, they will turn it on other brands, they will now use the excuse of "Well now we are getting more popular""

are you saying they are getting malware now because they are NOT getting more popular? True reasons are never excuses but rather reasons.

NTAPRO said:

Of course the US would have the highest percentage

Sunny87 said:

Guest said:

quote: "They won't, they will turn it on other brands, they will now use the excuse of "Well now we are getting more popular""

are you saying they are getting malware now because they are NOT getting more popular? True reasons are never excuses but rather reasons.

I think they're getting them because groups that make viruses want to be the ones that did. I'm not one to be saying anything about popularity as I simply don't know what the figures are on the amount of users from one system to the next; I'm just speculating on what might happen or be said.

Guest said:

Not really surprising as the Mac people don't think they can get viruses, since they have been told that. If you can't get them, no need to protect your computer, no protection means you are more likely to get something.

SNGX1275, TS Forces Special, said:

For those that have a Mac and didn't click through on instructions to see if you are infected, I'll put how here. Open Terminal and copy paste.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If that comes back with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" then copy paste this in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that comes back with "The domain/default pair of (/Users/YourUserName/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are safe. If it doesn't, click through on the link in the article for the F-Secure removal page.

Aside from that, it is interesting that the trojan backs out if it finds an AV or LittleSnitch installed. The article gives an explanation for why that is. But if you don't put in your password, the trojan also backs out if you have Word, Office 2008 or 2011, or Skype. I don't understand the reasoning for backing out with those apps installed.

Also, just a note to everyone calling this a virus. It isn't, it is a trojan. That doesn't change the fact that a Mac can be 'infected', and most attacks on computers now are trojans rather than viruses. I'm only pointing this out because you are getting the terminology wrong, and when you are doing so to laugh at Mac users it makes you sound about as informed on things as you perceive a Mac user to be.
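A defender-side check for the two launch points the article describes, the same ones SNGX1275's `defaults read` commands above inspect, added here as an example (it is not tooling from the article, F-Secure or Dr. Web). It parses the plists with Python's plistlib instead of calling `defaults`, so it also runs against a plist copied off a suspect Mac; the sample plist contents and the library paths inside them are constructed placeholders, not real Flashback filenames.

```python
# Check the two Flashback launch points named in the article for DYLD_INSERT_LIBRARIES.
# Added example, not tooling from the article, F-Secure or Dr. Web.
import plistlib
from pathlib import Path

# Launch points named in the article: Safari's Info.plist (used when the admin
# password was entered) and the per-user environment.plist (used when it was not).
SAFARI_INFO_PLIST = Path("/Applications/Safari.app/Contents/Info.plist")
USER_ENV_PLIST = Path.home() / ".MacOSX" / "environment.plist"
INJECT_KEY = "DYLD_INSERT_LIBRARIES"


def split_libs(value):
    """DYLD_INSERT_LIBRARIES is a colon-separated list of dylib paths."""
    if not isinstance(value, str):
        return []
    return [p for p in value.split(":") if p]


def libs_from_info_plist(data):
    """Libraries injected through an app bundle's LSEnvironment dictionary."""
    env = data.get("LSEnvironment") if isinstance(data, dict) else None
    return split_libs(env.get(INJECT_KEY)) if isinstance(env, dict) else []


def libs_from_environment_plist(data):
    """Libraries injected through ~/.MacOSX/environment.plist (top-level key)."""
    return split_libs(data.get(INJECT_KEY)) if isinstance(data, dict) else []


def parse_plist(raw):
    """Parse plist bytes (XML or binary) into Python objects."""
    return plistlib.loads(raw)


def load_plist(path):
    """Parsed plist, or None when the file is absent. A missing
    environment.plist is the clean case: it does not exist on a default install."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except FileNotFoundError:
        return None


def scan(info_path=SAFARI_INFO_PLIST, env_path=USER_ENV_PLIST):
    """Map each launch point that injects a library to the paths it names."""
    findings = {}
    for path, extract in ((info_path, libs_from_info_plist),
                          (env_path, libs_from_environment_plist)):
        libs = extract(load_plist(path))
        if libs:
            findings[str(path)] = libs
    return findings


# Constructed sample plists for an offline demonstration; the library paths are
# placeholders, not real Flashback filenames.
CLEAN_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

INJECTED_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/PLACEHOLDER.dylib</string>
  </dict>
</dict></plist>"""

INJECTED_ENV = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/PLACEHOLDER/.PLACEHOLDER.dylib:/tmp/PLACEHOLDER2.dylib</string>
</dict></plist>"""

if __name__ == "__main__":
    print("sample Info.plist:", libs_from_info_plist(parse_plist(INJECTED_INFO)))
    print("live scan:", scan() or "no DYLD_INSERT_LIBRARIES launch points found")
```

An empty result from `scan()` corresponds to the "does not exist" replies in the comment above; any non-empty entry names the library paths that the F-Secure removal instructions would then have you deal with.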

Vrmithrax, TechSpot Paladin, said:

Guest said:

quote: "Queue someone laughing with the "no viruses for Mac" adagio..."

This is just an urban myth that died out in the early 2000's. And the people that do say it are just silly. It's a good thing that Windows has no silly users.

An urban myth? They should probably tell their apostles in the Apple Stores then - I've heard that "Macs don't have viruses" diatribe spouted off multiple times in the last 6 months (in different stores) as part of the sales pitch to convince hapless buyers as to why the Macbook is "worth so much more than a PC."

Sunny87 said:

SNGX1275 said:

For those that have a Mac and didn't click through on instructions to see if you are infected, I'll put how here. Open Terminal and copy paste.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If that comes back with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" then copy paste this in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that comes back with "The domain/default pair of (/Users/YourUserName/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are safe. If it doesn't, click through on the link in the article for the F-Secure removal page.

Aside from that, it is interesting that the trojan backs out if it finds an AV or LittleSnitch installed. The article gives an explanation for why that is. But if you don't put in your password, the trojan also backs out if you have Word, Office 2008 or 2011, or Skype. I don't understand the reasoning for backing out with those apps installed.

Also, just a note to everyone calling this a virus. It isn't, it is a trojan. That doesn't change the fact that a Mac can be 'infected', and most attacks on computers now are trojans rather than viruses. I'm only pointing this out because you are getting the terminology wrong, and when you are doing so to laugh at Mac users it makes you sound about as informed on things as you perceive a Mac user to be.

It's all well and good trying to argue the difference between the terms virus and trojan, but as long as it got through it's still open to other things happening. For a while now Windows machines that get infected with a trojan often fall apart from there, getting viruses shortly afterwards depending on the type of attack the trojan is scripted to do. People have tried and failed before to argue the difference between the two, but with AV software reporting trojans as found viruses you're not going to change anyone's mind or terminology for explaining that they have a virus or trojan.

And yeah, I agree fanboyism is rife. I've been fighting it for years but I feel the need to give up!

cliffordcooley, TechSpot Paladin, said:

Also, just a note to everyone calling this a virus. It isn't, it is a trojan.
Forgive my ignorance, as I've always thought of a trojan as being a special type of virus. I've always seen virus as a general term for all infection aside from ad-ware.

Since you brought it up, I can see now that virus has a category to itself.

Malware includes: (Malware Wikipedia link)

  • computer viruses
  • worms
  • trojan horses
  • spyware
  • adware
  • most rootkits

To be honest I've never really separated spyware and adware into their own categories either. :/

Instead of keeping up with which one belongs to what category, I will refer to everything as malware.

Sunny87 said:

cliffordcooley said:

Also, just a note to everyone calling this a virus. It isn't, it is a trojan.
Forgive my ignorance, as I've always thought of a trojan as being a special type of virus. I've always seen virus as a general term for all infection aside from ad-ware.

Since you brought it up, I can see now that virus has a category to itself.

Malware includes: (Malware Wikipedia link)

  • computer viruses
  • worms
  • trojan horses
  • spyware
  • adware
  • most rootkits

To be honest I've never really separated spyware and adware into their own categories either. :/

Instead of keeping up with which one belongs to what category, I will refer to everything as malware.

You just proved my point above: most people (I'm also guilty as above) find it quicker and easier to just place them under one term. The average user cares not for the difference but worries just as much the same, be it virus, trojan, malware etc.

Guest said:

... because EVERY layman knows "Macs can't catch viruses" lol

SNGX1275, TS Forces Special, said:

That's fine, I even put in my post it doesn't make much difference because the Mac is still being 'infected'. I'm just saying, everyone loves these threads because it's free rein to bash the Mac community. In one breath (even in this thread) people say they are hearing diatribes about Macs not getting viruses, then in the next breath they are citing this as an example. The terminology exists, and the people that get all excited about reading how a Mac has a trojan vulnerability are using incorrect terminology.

So at the time you are laughing at Macs "don't get viruses", the people you are making fun of for saying that are still technically correct.

So there is a distinction in it.

Now, having said that, to paraphrase something I saw elsewhere, this all fits into the realm of "stuff I don't want on my Mac". So in the general sense, your point is made and understood.

I'm just saying that it seems like people's anti-Mac attitude gets the best of them in these threads, and then confusing or not knowing the difference in the terms makes you sound just as uninformed as the Mac users you love to hate.

All it takes is 1 more letter of typing to type 'trojan' rather than 'virus' and this could be avoided (but then that would have reduced the amount of posts in this thread significantly).

Edit - just in my typing this post, a guest further proved my point.

mario, Ex-TS Developer, said:

Something very important missing from the comments, this issue is only caused by holes in third-party software, Apple has stopped bundling Flash and Java on OS X since Lion because of these kind of security issues.

RH00D said:

mario said:

Something very important missing from the comments, this issue is only caused by holes in third-party software, Apple has stopped bundling Flash and Java on OS X since Lion because of these kind of security issues.

You're trying to shift the blame away from Apple but the point everyone is making is that the OS X platform is vulnerable, which it is. Doesn't matter if it's through third-party holes or not. The point is that the OS X platform can be and is being exploited.

Vrmithrax, TechSpot Paladin, said:

Definitely fair points, SNGX1275... But, arguing semantics over "virus" vs "trojan" can cloud part of the bigger picture: there is a direct correlation that is relevant to the typical layperson when looking at Macs and security. For example, the Apple salespersons that I observed selling the "Macs don't get viruses" mantra were claiming that the Mac is "so secure that you don't need that horrible security software PCs require" as part of their sales pitch. As most in the PC world know, security software catches a multitude of evildoers, virus and trojan alike. So, that "Mac's can't catch viruses" belief can spill over into a false sense of security in the general populace, who really don't necessarily know the difference between a virus, worm, trojan, etc. And this propagated attitude of some kind of mystical superiority tends to cause uneducated users to let their guard down (or never even have it up to begin with), allowing things like these trojans to sneak in.

Guest said:

Any software can be compromised. ANY, ANYWHERE period. It is the nature of executing instructions.

Regardless, Macs still fare multitudes better in this regard, mainly due to four related factors:

1. Less proliferation

2. Higher price of entry

3. Quality control

4. More locked down

As OS X transitions to the iOS way of doing things, 3 and 4 will become the prominent factors for its superiority in regards to infection.

Leeky said:

Of course the US would have the highest percentage

That's just because Apple computers are more populous in the US than in other regions of the world. I don't think anyone should take it as any indication of the intelligence of those using them; it's a simple case of them outnumbering the computers sold in other countries like the UK, for example.

@Mario,

Very true, but the fact Apple took almost two months to patch updates that Oracle released in February is inescapable. The principal point here is Apple shouldn't have taken the removal route, they should have fixed it sooner. I don't feel that stopping it being shipped by default in OS X Lion or saying people "shouldn't" install them is a good enough reason as it does nothing to solve the underlying problem -- it just masks it up.

We're not talking about a backyard software developer here, we're talking about two huge software development houses (Oracle/Apple) that have untold resources to address these issues in a timely fashion.

Quite simply put, Apple took far too long to respond. When you consider that the new strain of the Flashback Trojan was identified in the wild at the beginning of March, yet it took Apple until the beginning of April to address the original flaws (which at the time didn't even include this strain) it is inexcusable.

The blame rests solely on Apple here. It might be a third party package, but given that Apple continues to exert control over their upgrades they also take responsibility for any consequent actions as a result.

It makes you wonder what the real state of play could have been had Apple actually immediately released the required patches to render the exploits unusable. Would we be sat here now with over half a million infected Macs? I doubt it.

For the record, I'm a long term Mac user, and have had Apple Mac computers for pretty much the entire time I've been using computers in general. I even did my computer studies using Apple PowerPC's back in the day (as well as Acorn RISC machines).

EDIT: While we're on the subject of OS X and the culture of their invincibility, I'm often surprised the levels Apple employees go to when selling them to PC users. To say OS X cannot get viruses or malware is grossly incorrect. Even Apple's own website is misleading. PC Viruses are a thing of the past due to the difference in architecture, but the underlying impression it gives is they cannot get viruses.

While there may be very few of any massive potential risk in the wild currently, it lures new users into a false sense of security, and once they stop worrying about infection risks it becomes a distant memory. That's without the common misconception that malware and Trojans are viruses. To the average uninformed person they are one and the same, which is precisely why these issues happen.

Guest said:

Is anyone actually surprised? Crapple software cannot get any less secure than they already are.

MilwaukeeMike said:

Uhh... so what does the virus do? Doesn't anyone want to know? Did I miss that part?

SNGX1275, TS Forces Special, said:

MilwaukeeMike - For now, it apparently is just checking in with botnet servers. I presume that it could do something malicious in the future, like use all the infected comps to attack a website. I haven't heard about it gathering data sniffing for passwords or anything, but I suppose that is a possibility too.

As I mentioned above (in response to the contents of the article) this thing doesn't attempt to install itself anymore once it discovers you have any AV (or in the second instance if you have Word, Office, Skype). It actually goes so far as to remove itself if it finds those. It is actively doing this.. for what reason? I don't know that answer, and why those apps? Wouldn't put it past some security consultant to have created this for one or more AV producers for Macs. I'm not saying that's the case, esp by backing out (if you didn't give it your password) when it sees Word, Office or Skype. But it is odd.

Sunny87 said:

SNGX1275 said:

MilwaukeeMike - For now, it apparently is just checking in with botnet servers. I presume that it could do something malicious in the future, like use all the infected comps to attack a website. I haven't heard about it gathering data sniffing for passwords or anything, but I suppose that is a possibility too.

As I mentioned above (in response to the contents of the article) this thing doesn't attempt to install itself anymore once it discovers you have any AV (or in the second instance if you have Word, Office, Skype). It actually goes so far as to remove itself if it finds those. It is actively doing this.. for what reason? I don't know that answer, and why those apps? Wouldn't put it past some security consultant to have created this for one or more AV producers for Macs. I'm not saying that's the case, esp by backing out (if you didn't give it your password) when it sees Word, Office or Skype. But it is odd.

I can only but speculate as to why that is, maybe it only wants to spread among the ignorant! lol

Guest said:

I don't believe that the case is that it backs out when it sees those MS products, rather that the torjan tries to install itself in any of those locations.

SNGX1275, TS Forces Special, said:

I don't believe that the case is that it backs out when it sees those MS products, rather that the torjan tries to install itself in any of those locations.

No that is false. It modifies /Applications/Safari.app/Contents/Info.plist and creates ~/.MacOSX/environment DYLD_INSERT_LIBRARIES.

If you are going to disagree with an idea, then you should explain why you disagree.

It is "trojan" not "torjan" anyway.

davislane1 said:

Can't believe people still believe these things (I use a mac) are impervious to viruses/trojans. In fact, I'm a bit surprised that only 600,000 machines have been infected, given the care-free attitude most Mac users have about security.

Guest said:

Well call me an ***** but I have no antivirus. What I have is several cisco routers ah asa 5010 appliance. Let me see 20 bucks on ebay. You can have an enterprise set up for couple of hundreds. Who thought inflation was such a blessing.

mevans336 said:

NTAPRO said:

Of course the US would have the highest percentage

Because Apple products sell highest in the US. Apple doesn't even rank in the top 25 worldwide.

SNGX1275, TS Forces Special, said:

Because Apple products sell highest in the US. Apple doesn't even rank in the top 25 worldwide.

You know how I know you don't know anything about statistics?

avoidz said:

I see thousands of Apple followers with Dawson crying faces right about now.

Guest said:

Only one thing worse than the apple fanbois... and that's the windows fanbois who desperately want every other OS to be as full of holes as their malware sponge of choice...

cliffordcooley, TechSpot Paladin, said:

Only one thing worse than the apple fanbois... and that's the windows fanbois who desperately want every other OS to be as full of holes as their malware sponge of choice...
It's not Windows users who want every other OS to be just as popular. If every other OS was just as popular, they would be just as big a malware sponge.

You are hiding behind a guest account because you don't want to make these comments as a registered user.

captaincranky, TechSpot Addict, said:

Any software can be compromised. ANY, ANYWHERE period. It is the nature of executing instructions.

Regardless, Macs still fare multitudes better in this regard, mainly due to four related factors:

1. Less proliferation

2. Higher price of entry

3. Quality control

4. More locked down

As OS X transitions to the iOS way of doing things, 3 and 4 will become the prominent factors for its superiority in regards to infection.

You forgot "5", nobody bothers writing malware for Macs.

Well, I suppose I should have said, "almost nobody"...

Only one thing worse than the apple fanbois... and that's the windows fanbois who desperately want every other OS to be as full of holes as their malware sponge of choice...

No, I think it's just that Windows users are just flat out tired of being talked down to by a bunch of "yuppies with more money than brains"(*), and an almost complete lack of computer knowledge.

(*) Add "itinerant guest trolls at Techspot", to that elite.

cliffordcooley, TechSpot Paladin, said:

Woohoo, let's skip ahead another 13 months.

SNGX1275, TS Forces Special, said:

Wouldn't normally reply to this. But, I have seen CC bump 2 threads in the last 3? days just to revisit an argument that had died months before. One was odd, 2 seems really odd, is this going to be a trend CC? I enjoy your comments even if I don't agree, but bringing back dead threads is a bit much.

captaincranky, TechSpot Addict, said:

Wouldn't normally reply to this. But, I have seen CC bump 2 threads in the last 3? days just to revisit an argument that had died months before. One was odd, 2 seems really odd, is this going to be a trend CC? I enjoy your comments even if I don't agree, but bringing back dead threads is a bit much.
I don't think I intentionally bumped anything. The threads either were on the front page, or I got an email notice. (? ). Not sure. It could be that Cliff's avatar makes every thread look so new....

Since I'm apparently notorious for looking for an argument, (although personally I don't believe a word of that), in my own defense, I can usually find enough contention in the present to satisfy my need to vent.

But WTF, I suppose I'll just plead insanity...:oops: That's the best excuse I can come up with, since I don't have a cell phone or Nvidia Shield game to blame for "distracted posting".

Then there's the conditioned response I have to many guest posts. It's like waving a red cape in front of a bull.

Edit: Whew, I'm glad I got this up before you locked the thread! That "art film" was taking forever to download...

cliffordcooley, TechSpot Paladin, said:

OMG Cap, you are hilarious! Nobody can say you don't have a sense of humor.

Are you sure you don't want a nVidia Shield or iPhone?

captaincranky, TechSpot Addict, said:

OMG Cap, you are hilarious! Nobody can say you don't have a sense of humor.
Oh, I'd venture to say a few people around here might differ with you on that...

Are you sure you don't want a nVidia Shield or iPhone?

The Shield...., never!

OTOH, if the iPhone comes with a pair of barely legal redheads who are willing to engage in a game of "hide the telephone, and let me call you", then I'm "all in". (So to speak)...
