
Flashback Trojan Hits 600,000 Macs and Counting

Posted by timothy
from the first-they-came-for-the-windows-machines dept.
twoheadedboy writes "A Flashback variant dubbed Backdoor.Flashback.39 has infected over 600,000 Macs, according to Russian security firm Dr Web. The virulent Flashback trojan infecting Apple machines sparked interest earlier this week after it was seen exploiting a Java vulnerability, although it was actually first discovered back in September last year. The Trojan has a global reach after Dr Web found infected Macs in most countries. More than half of the Macs infected are in the US (56.6 percent), while another 19.8 percent are in Canada. The UK has 12.8 percent of infected Macs."
  • by Dunbal (464142) * on Thursday April 05, 2012 @09:25AM (#39583841)
    Is it just wrong if I laugh a little?
    • by ifrag (984323) on Thursday April 05, 2012 @09:29AM (#39583891)

      Is it just wrong if I laugh a little?

      Try to keep it to a low chuckle. The reality distortion field might break under greater strain.

      • by alphatel (1450715) * on Thursday April 05, 2012 @09:34AM (#39583927)

        Is it just wrong if I laugh a little?

        Try to keep it to a low chuckle. The reality distortion field might break under greater strain.

        It just works!

        • by Johnny Mister (2610721) on Thursday April 05, 2012 @09:37AM (#39583963)
          The funny thing is that Linux users still seem to be under this belief about their OS. The truth is that every OS gets malware, it's just about the market share.
          • by tripleevenfall (1990004) on Thursday April 05, 2012 @10:09AM (#39584365)

            To be fair this is a Java exploit, and it's already been closed by Apple.

            The dullard users are probably receiving security updates automatically, and so they'd have been updated as of Tuesday.

            Aside from this, the general public does not seem vulnerable:

            Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

            The pirated copy of GraphicConverter 7.4 is being actively distributed on file-sharing networks and torrent sites like Pirate Bay and contains the DevilRobber Trojan, Sophos researchers reported on 29 October. Once on the Mac OS X, DevilRobber creates a backdoor for remote access and installs a Bitcoin miner that uses up spare system resources and steals the content of the user’s Bitcoin wallet, according to Sophos.

            • (after reading more closely, that appears to be a trojan that exploited the same vulnerability.)

            • by bmo (77928) on Thursday April 05, 2012 @10:21AM (#39584567)

              Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

              This general method, by far, is the quickest and easiest way to create a botnet. Package up some wanted software with your trojan that you checked against the top 20 malware checkers, and upload away to all the public trackers you can find, and some private ones.

              Yet weeks later when your trojan gets added to the malware definitions, you'll continue to see Windows morons download, run a scan, and pronounce "LOL FALSE POSITIVE"

              There is no anti-malware for stupid.

              --
              BMO

            • by bkaul01 (619795) on Thursday April 05, 2012 @10:27AM (#39584671)

              To be fair this is a Java exploit, and it's already been closed by Apple.

              The dullard users are probably receiving security updates automatically, and so they'd have been updated as of Tuesday.

              To be fair, that's true of almost all malware that propagates in the wild on Windows-based systems too. Zero-days that haven't been patched by Microsoft/Apple/et al. are very rare on any platform, and usually only available to organizations with resources on the level of nation states or the like for espionage/cyber-warfare purposes (cf. Stuxnet).

              • by tripleevenfall (1990004) on Thursday April 05, 2012 @10:50AM (#39585051)

                Certainly these things are true.

                For the novice user, they are safer with a Mac; I don't think that is any less true than it's been for a while. There are fewer vulnerabilities overall, there's less malware overall, there's no chance they are using IE when on a Mac, the process of keeping updated is more dummy-proof... dummy users are safer on Macs.

                And this is just for people using full PCs. Increasingly these novice users are spending all their computing time in iOS which is even less vulnerable.

                • by VGPowerlord (621254) on Thursday April 05, 2012 @11:40AM (#39585825)

                  the process of keeping updated is more dummy-proof... dummy users are safer on Macs.

                  It is? Last time I checked, the default update mode for Windows will install updates the next time you shut down your computer after Windows detects an update has been released.

                  This is a bit different in a corporate setting, but I assumed you meant for home users.

                  • And not only will Windows automatically update, it will also automatically restart to install that update if you wait too long to do it.

                    It seems to wait until the wee hours of the morning to do this, which makes the most sense.

                    • This doesn't work as well in today's non-desktop world. Most people's laptops are sleeping when the lid is closed, which it often is at night.

                      I think for the most part you'd find that people have the laptop asleep unless they're actively using it, which makes updates annoying and more likely to be canceled by the user.

              • Zero-days that haven't been patched by Microsoft/Apple/et al. are very rare on any platform, and usually only available to organizations with resources on the level nation states or the like for espionage/cyber-warfare purposes

                Wow, absolutely not. (Incidentally, "zero-day that hasn't been patched" is redundant. Once the vendor knows about the exploit it is no longer a zero day.) These guys find zero days [wikipedia.org] every year. Every iPhone jailbreak is a result of a zero-day exploit, unless you are saying Apple purposely hides vulnerabilities in the system to make them easy to exploit.

                Zero day exploits are still pretty common, and it's worth taking extra steps to be prepared for them (like regular backups, running certain software in a c

            • by 0racle (667029) on Thursday April 05, 2012 @11:01AM (#39585231)

              Aside from this, the general public does not seem vulnerable:

              Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

              Yep, idiots doing idiot things because they're idiots. The OS doesn't protect you from yourself; when you tell it to install something, it does it.

            • by Dunbal (464142) *

              To be fair this is a Java exploit, and it's already been closed by Apple.

              To be fair, most Windows exploits have also been Java/Flash/(Insert 3rd party vendor here) exploits too. It's been a long time since a remote Windows OS vulnerability has been seen. XP service pack 2, perhaps? But then again Windows has never made claims about being inherently "more" secure, either.

            • by amicusNYCL (1538833) on Thursday April 05, 2012 @02:57PM (#39589137)

              600,000 computers didn't get infected because someone downloaded some pirated software loaded with the malware. This is not the DevilRobber trojan, this is Flashback. The Java vulnerabilities used to download and run the virus are exploited via the good old drive-by-download method, which does not require user interaction (thanks, Java!).

              According to the Dr Web blog posting, “systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit.”

              This is the exact same method that Windows machines get infected. The top 3 infection vectors are Java, Acrobat, and Flash because all 3 of them will load whatever the server tells them to in a hidden iframe if necessary. Vulnerabilities in IE itself account for less than 10 percent of Windows infections, the vast majority are from insecure third-party browser plugins. Those plugins do not all of a sudden become secure, and the vendors don't all of a sudden start using good security practices, just because the target OS runs on Apple-branded hardware.

          • by monkeyhybrid (1677192) on Thursday April 05, 2012 @10:11AM (#39584387)

            Market share has something to do with it, as does a pretty good track record of security, but the type of users that use Linux is also a significant reason that we don't see widespread malware affecting desktop Linux. Your typical Linux user is generally more nerdy, computer literate and security conscious.

            If you did a survey of how many users clicked on pop-up banners, opened PDFs from spam email, granted permission to untrusted Java applets, etc, I bet the percentage of Linux users who fell in the traps would be smaller than the other OS users.

          • by TheRaven64 (641858) on Thursday April 05, 2012 @10:11AM (#39584405) Journal

            It's not just about market share, although that does play a large part. For malware you spread you need a large or sufficiently interesting target for someone to bother writing it (an OS with only a dozen users, all of which were major banks that used it for Internet-facing transaction processing systems, for example, would be an interesting target even though it would have a tiny market share).

            Then you need an attack vector. Operating system vulnerabilities aren't that uncommon (check the CVE database for the Linux kernel), but most of the time these attacks come through userspace applications. From there, it depends on what the attacker wants to use. Desktop operating systems tend to be more vulnerable in this regard because very few applications are properly sandboxed, so once you've compromised one you've got complete access to everything the user does. Server software tends to be a bit more careful with privilege separation, so a Linux server may be a lot more secure than a Linux desktop.

            Finally, you need some mechanism for it to spread. This is often related to market share. For example, Windows worms used to be very common because if you look at any random IP on the local network you're likely to find a Windows machine. If you've got some Windows exploit, you can spread to every machine on the network very quickly. The same was true of email worms - a worm that compromised Outlook Express could send a message to everyone in the address book, and at least some of them would be running Outlook Express and so it would spread. In contrast, if the lone Mac in the corner of the office is infected then it's harder for it to find another Mac to infect before someone spots unusual traffic patterns and cleans it up.

          • by tlhIngan (30335) <slashdotNO@SPAMworf.net> on Thursday April 05, 2012 @12:10PM (#39586307)

            The funny thing is that Linux users still seem to be under this belief about their OS. The truth is that every OS gets malware, it's just about the market share.

            Actually, the vulnerability used in OS X is also in Linux. So yes, it can infect Linux!

            However, the payload only currently runs on OS X, so infecting Linux is a minor point since it does nothing.

            It's a Java vulnerability. Which is interesting since Apple stopped supporting and shipping Java since what, Leopard (10.5)? Heck, we can blame Oracle for the mess...

          • It's not *just* about market share. It's about a lot of things, including non-technical issues like the kinds of users the platform attracts, the kinds of work the computer is being used for, and the environment in which the computer is being used.

        • Re: (Score:2, Interesting)

          by ericloewe (2129490)

          Apple should advertise OS X to hackers:

          Instead of stuff like "Robust Kernel based on Unix" hackers would surely be attracted towards "Familiar Unix-based Kernel with guaranteed fewer security measures than Windows or many Linux distros"

          • by ByOhTek (1181381)

            "Familiar Unix-based Kernel with guaranteed fewer security measures than Windows or many Linux distros"

            Uhhhh. what? Fewer than Windows?

            Don't get me wrong, I use Windows a lot, and almost never use MacOS... but I'm not sure that is accurate (Mac having fewer security measures in the kernel than Windows.) Mind you, the most important security measures are done via the gray matter between your ears in how you set up and use your environment, but I don't think that necessarily affects either platform particularly. Both have a shitload of lemming users who just expect things to work, and assume that some technica

      • Re: (Score:2, Offtopic)

        by AngryDeuce (2205124)

        "I'm givin' ya all she's got, Cap'n!! She cannae take any more punishment!!!"

        - Tim Cook

      • by crazyjj (2598719) * on Thursday April 05, 2012 @10:48AM (#39585019)

        The reality distortion field might break under greater strain.

        That collapsed the second Jobs died. It's just a matter of time before everyone notices it and you start hearing hipsters and Macheads all saying some variation of:

        "Apple just isn't the same since Steve left. They sold out. It used to be about the MUSIC, man!"

    • by fermion (181285) on Thursday April 05, 2012 @09:42AM (#39584027) Homepage Journal
      My surprise is that there are 600K running Macs to infect. I thought Macs were just bought by rich people to display in their offices while they really used a PC. Clearly this article is propaganda.
    • by rwise2112 (648849)
      Well... Obviously they were just holding them wrong.... or something.
  • How to check (Score:2, Interesting)

    by Anonymous Coward

    Is there any way to check whether your Mac is infected?

    • by wilgibson (933961)
      My thoughts exactly. I know dozens of Mac users that wouldn't have a clue how to check because they've lived under the false impression that Macs are completely invulnerable.
    • Re: (Score:2, Informative)

      by alphatel (1450715) *
      Macs don't get viruses, so there is no reason to check for them, so there is no "app for that".
    • by daveschroeder (516195) * on Thursday April 05, 2012 @09:37AM (#39583965)

      See here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml [f-secure.com]

      Summary:

      If you open Terminal and run

      defaults read /Applications/Safari.app/Contents/Info LSEnvironment

      and

      defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

      and see:

      The domain/default pair of [...] does not exist

      for each, you are not infected. Also, if you run nearly any AV software or other tools like Little Snitch, you are not infected as it checks for these and deletes itself if found.

      Also, no sensible person ever said "Macs don't get [infected/hacked/whatever]." It's just a lot less likely, and has historically been, even accounting for differences in marketshare. As Mac share increases, it only makes sense they'll be targeted more with malware. But Macs, as a whole, are indeed "more secure", in that still, to this day, you are far less likely — even with the complacency or, if you prefer, ignorance, of Mac users — to become impacted with any malware than with Windows. Maybe someday this will change. But it's never been true to date, and isn't true now. The fact that single instances of Mac malware get so blown out of proportion, STILL, is ridiculous. (Though, Apple could do better with patching known vulnerabilities in Java on Mac OS X...)

      The same advice and best practices for avoiding malware apply to Macs as well as any other desktop platform, and Mac users would do well to run current AV software. The Sophos free edition [sophos.com] is nice.

      • by ArhcAngel (247594) on Thursday April 05, 2012 @09:48AM (#39584093)

        Summary:

        If you open Terminal and run

        This just offended or confused 90% of the MAC users

      • by apcullen (2504324) on Thursday April 05, 2012 @09:55AM (#39584171)
        Excellent post.

        However, I have to disagree with you on one point:

        The fact that single instances of Mac malware get so blown out of proportion, STILL, is ridiculous.

        I don't think it's blown out of proportion, and, rather than being ridiculous, I think it's essential. Mac users generally share a belief that their computer "just works" and that they don't have to be concerned with, or even aware of, security. For the good of the community, that should be corrected.

      • by 68kmac (471061) on Thursday April 05, 2012 @09:58AM (#39584221) Homepage

        Also, no sensible person ever said "Macs don't get [infected/hacked/whatever]."

        Actually, Apple writes [apple.com] quite a few things that make me (and I'm a Mac user) cringe. For example:

        Download with peace of mind.

        Innocent-looking files downloaded over the Internet may contain dangerous malware in disguise. That’s why files you download using Safari, Mail, and iChat are screened to determine if they contain applications. If they do, OS X alerts you, then warns you the first time you open one.

        Yeah, when you download a file and click on it, a dialog pops up that tells you that the file was downloaded from the internet and may be dangerous. That's all. And after you had to click on that a couple of times for harmless files of all sorts, you just click on it automatically. And, boom, trojan infection ...

        • There's not really any way to protect users from themselves. If a user is technically able to download and install unknown applications, then the user can fall victim to a trojan.

          The only question in my mind is whether it's a good implementation-- making it prompt you too often will result in users always hitting "OK", so you have to use this sort of thing judiciously. That was the complaint about the early implementation of UAC in Vista. It prompted you *constantly*, and so it was both annoying and ine

      • Re: (Score:2, Funny)

        by Anonymous Coward

        You know, when you claimed that "no sensible person ever said, "Macs don't get infected"...", I got a little ticked off, because based on my experience, it seemed that NEARLY ALL Apple users had claimed this.

        Then I realized, we're both right.

      • Thanks for the link and instructions, very helpful. I ran through the procedures and am happy to see that I'm clean. The same page also indicates that this bit of malware basically deletes itself if it finds evidence of security software running on the system, such as Little Snitch or ClamXAV. I was neither offended nor confused by the reference to Terminal. Mac OS has had a hidden command line at least as far back as OS 7.1, IIRC.

        Another simple precaution Mac users can take is to make sure they are not
    • by jo_ham (604554)

      Yes.

      From instructions here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml [f-secure.com]

      It basically boils down to running two commands in Terminal:

      defaults read /Applications/Safari.app/Contents/Info LSEnvironment
      defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

      If both of those come back as "The domain/default pair ... does not exist" then you are ok.

      Although even easier, if you have MS Office 2008, MS Office 2011 or Skype installed you are not infected - the Trojan checks for these (for
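      The two posts above (daveschroeder's and this one) give the same two-command check. As an added example that is not from the thread or from F-Secure, this POSIX shell script runs those two `defaults read` commands, classifies each result the way the posts describe, and exits nonzero if either key is present; the function names, exit codes, the macOS guard and the sample outputs in the comments are assumptions made here.

```shell
#!/bin/sh
# Added example: wraps the two `defaults read` checks quoted in the thread.
# Only the "does not exist" message comes from the thread; function names,
# exit codes and the macOS guard are assumptions, not part of the F-Secure
# write-up.

SAFARI_PLIST="/Applications/Safari.app/Contents/Info"
USER_ENV_PLIST="$HOME/.MacOSX/environment"

# classify_defaults_output STATUS OUTPUT
#   STATUS: exit code of `defaults read`; OUTPUT: its combined stdout+stderr.
#   Prints exactly one word:
#     clean    - the key is absent ("does not exist"), the expected state
#     suspect  - the key exists, i.e. something set LSEnvironment or
#                DYLD_INSERT_LIBRARIES; read the actual value by hand
#     unknown  - defaults could not run (not macOS, wrong path, etc.)
classify_defaults_output() {
    status="$1"
    output="$2"
    case "$output" in
        *"does not exist"*) echo clean; return 0 ;;
    esac
    if [ "$status" -eq 0 ] && [ -n "$output" ]; then
        echo suspect
        return 0
    fi
    echo unknown
}

# run_check PLIST KEY: run `defaults read` and classify it (needs macOS).
run_check() {
    out=$(defaults read "$1" "$2" 2>&1)
    status=$?
    classify_defaults_output "$status" "$out"
}

# flashback_scan: runs both checks, prints a summary, and returns
#   0 = neither marker found, 1 = could not check, 2 = a marker is present.
flashback_scan() {
    safari=$(run_check "$SAFARI_PLIST" LSEnvironment)
    userenv=$(run_check "$USER_ENV_PLIST" DYLD_INSERT_LIBRARIES)
    printf 'Safari Info.plist LSEnvironment:             %s\n' "$safari"
    printf '~/.MacOSX/environment DYLD_INSERT_LIBRARIES: %s\n' "$userenv"
    case "$safari $userenv" in
        *suspect*) echo "RESULT: marker present; inspect the value before trusting this Mac"; return 2 ;;
        *unknown*) echo "RESULT: could not complete the check (is this macOS?)"; return 1 ;;
        *)         echo "RESULT: neither Flashback marker found"; return 0 ;;
    esac
}

# Run the scan only where `defaults` exists; elsewhere the functions can
# still be sourced and exercised against captured output.
if command -v defaults >/dev/null 2>&1; then
    flashback_scan
fi
```

      A `suspect` result is not a verdict on its own: a legitimately set LSEnvironment key would be flagged the same way, so rerun that `defaults read` command by hand and read the value it prints.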

  • by danbuter (2019760) on Thursday April 05, 2012 @09:28AM (#39583871)
    It's only been a matter of time. Many people think that since the common knowledge is that Macs don't get viruses, they are immune to everything else (including trojans). Only the computer nerds differentiate between viruses, trojans, and malware you get by clicking on something on the internet.
  • by alen (225700) on Thursday April 05, 2012 @09:29AM (#39583893)

    it used to be magic pixie dust protected Macs but in the last 6 months I've been using the Spirit of Steve

    time to find some new protection

  • by ilsaloving (1534307) on Thursday April 05, 2012 @09:31AM (#39583907)

    The users just surfed wrong.

    But seriously, Apple screwed the pooch really good on this one. Looks like it's time that their corporate culture goes through the same "trustworthy computing" initiative that Microsoft went through over the last few years.

    • by Lumpy (12016)

      It's their own fault; instead of using Sun Java, they used their own Java and that has caused headaches for nearly a decade as they have ALWAYS been behind.

      • Why IS that anyway? Was it because Apple insisted on rolling their own, or because Sun wouldn't make one?

    • Looks like it's time that their corporate culture goes through the same "trustworthy computing" initiative that Microsoft went through over the last few years.

      They've been adding [tuaw.com] security to their system [tidbits.com] for a while now. You may not remember, but back in the day Microsoft security was extremely bad. Everyone running as Administrator was merely one symptom. OSX has had separate user accounts from day 1.

  • by Anonymous Coward

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • by Anonymous Coward

    Gizmodo's article shows how to determine if your machine is infected. http://www.gizmodo.co.uk/2012/04/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected/

  • now (Score:5, Interesting)

    by ILongForDarkness (1134931) on Thursday April 05, 2012 @09:38AM (#39583973)

    Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus? Users do stupid things, and stupid things have consequences. It doesn't matter the make of the car you are driving: if you are a drunk moron, soon enough you'll crash into something. Similarly, if you are a horny moron, eventually you'll browse to a site that will find a way to get you to install some junk that will trash your computer, all in the name of some desperately needed friction motivation.

    • by Swampash (1131503)

      Looks to me like this was entirely Apple's fault. It was a known exploit for Java, and Apple just didn't get around to releasing a security update with a patched Java.

    • Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus?

      It does not help that Apple itself is telling people that their OS will protect them from malware:

      https://www.apple.com/macosx/what-is/security.html [apple.com]

    • That's because they generally *don't* get VIRUSES (see what I did there?). The security settings on unix based systems are usually more strict than on windows machines.

      That being said, there is no system in the world that can block a TROJAN (which is what this is) because trojans don't target computers, they target the users. It would be like someone living in Fort Knox, but then getting robbed blind because someone came by and said, "I'll give you free pr0n if you let me in!"

    • by itsdapead (734413)

      Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus?

      Funny, because in this thread I currently see zero (0) fanbois desperately trying to defend Apple wailing "....but it's not a virus, it's a trojan, and it's all Oracle's fault anyhow!" cf. any number of haters saying "Ha Ha! Macs can so get viruses!!!". Methinks some people are just a bit too desperate to knock Apple.

      Actually, although this one is technically a trojan, it sounds quite nasty in that it can apparently [f-secure.com] infect your mac even if you don't fall for the "enter administrator password" dialog. Presum

  • Haha (Score:2, Funny)

    by Anonymous Coward

    HAHA HAHAHHAHAHAHHA Hahahahahahhaahha

    hahahahahhahahhahahahhahahahh

    HAHAHAHAHAHAHahahahahahahaha

  • by FlyingGuy (989135) <flyingguy@gmail . c om> on Thursday April 05, 2012 @10:03AM (#39584277)

    This is the problem with the web. When the first DBI (Drive By Infection) happened, the code that allowed this sort of thing to happen was not ripped out "with extreme prejudice", and in an old /. post I asked why and there was damn little in the way of a response.

    So I ask once again, why has this not been fixed? Why are there so god damn many ways to do this and how come that ability has not been removed?

    It seems to me that in the insanity of trying to make the browser everything instead of a piece of software that renders text, there is nothing but vulnerability after vulnerability, and I really don't see any end in sight, since in trying to make the browser do everything it needs more and more access to the core functions of the OS it is running on. How can this not lead to more and more attack vectors?

    • by Whorhay (1319089)

      Because web developers love those flashy bits. Stuff like JavaScript just offers them too much to not make use of it. And it would kind of be like tossing the baby out with the bath water.

      One of the problems with Windows for more than a decade has been that Explorer could be exploited to gain administrative access, even if the user didn't normally have that level of access. Explorer was a core part of how Windows worked and so they couldn't do a whole lot to fix it until they redesigned for Vista.

      Personally

  • Mac users have long embraced a culture of denial; "I'm safe, I use a Mac." Gloating Linux users should take note. Yes, Linux is among the best, but it isn't invincible. Due diligence in firewalls and vetting app sources is a requirement on ALL platforms. (Yes, you too, BSD folks.)
  • by antdude (79039) on Thursday April 05, 2012 @01:49PM (#39588185) Homepage Journal

    I would assume so if Apple doesn't support Mac OS X 10.5.x anymore. I hope disabling Java in web browsers is enough since there's no way to uninstall it because Mac OS X came with it. :(
