Forgot your password?
typodupeerror
Security Apple IT

A Week After Apple's Fix, Flashback Still Infects Half a Million Macs 161

Posted by timothy
from the retract-all-advice-to-mom dept.
Sparrowvsrevolution writes "Security firm Dr. Web released new statistics Friday showing that the process of eliminating Flashback from Macs is proceeding far slower than expected: On Friday the security firm, which first spotted the Mac botnet earlier this month, released new data showing that 610,000 active infected machines were counted Wednesday and 566,000 were counted Thursday. That's a slim decrease from the peak of 650,000 to 700,000 machines infected with the malware when Apple released its cleanup tool for the trojan late last week. Earlier in the week, Symantec reported that only 140,000 machines remained infected, but admitted Friday that an error in its measurement caused it to underestimate the remaining infections, and it now agrees with Dr. Web's much more pessimistic numbers."
This discussion has been archived. No new comments can be posted.

A Week After Apple's Fix, Flashback Still Infects Half a Million Macs

Comments Filter:
  • makes more sense (Score:5, Interesting)

    by sribe (304414) on Friday April 20, 2012 @07:58PM (#39752379)

    I had wondered how in the hell it got that low that fast--a couple of days after Symantec reported 140,000, they or someone else reported 30,000. But checking the Java vulnerability against versions installed with Mac OS X, it seems that 10.4 and 10.5 should also be vulnerable, while Apple only patched for 10.6 and 10.7. That alone should prevent the numbers dropping so far so fast. Sigh. Smooth move Apple.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      If you're too poor to upgrade your Mac every year you shouldn't own one.

      What kind of hipster are you?

    • by toxygen01 (901511) on Friday April 20, 2012 @08:50PM (#39752711) Journal
      That's right. However, according to Adium developers' statistics [1], only 13% of OS X users run 10.5 and 3.33% run 10.4. If you do the math and calculate probability with which someone can get infected, you will reach, I believe, very low numbers. 10.5 being apple's equivalent of vista, is dying every day and will be lost in the dust soon.

      [1] http://www.adium.im/sparkle/#osVersion [adium.im]
      • Re:makes more sense (Score:5, Interesting)

        by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Saturday April 21, 2012 @01:06AM (#39753909) Journal

        Wow...10.5 was released in 2007 and its ALREADY unsupported according to the wiki? damn maybe folks shouldn't have marked the AC a troll that made the joke about buying a new Mac every year. I thought the big selling point on the Mac was how "high quality" Macs were? Yet the support drops after less than 5 years? I guess that's why I never really got into macs, i just don't get it.

        As for TFA can we FINALLY acknowledge and admit that what the windows guys have been saying all these years is true, that you become a big enough target and you WILL get malware? After all we've seen this with both Apple and Linux with Android, and frankly it should have been incredibly obvious with just a moment's thought. I mean where do Windows viruses come from? Well since Vista made running as a limited user mandatory the vast majority I've seen has been PEBKAC, so how can switching OSes magically turn a PEBKAC user into an admin? Answer...it can't and that was the point.

        In the end one can't escape the simple fact that ALL OSes are extremely complex collections of very advanced programs and as we all know the more advanced something is the easier it is for a clueless person to break it. Sadly in this case the clueless user was Apple for not pushing out the bog standard version of Java and instead insisting on rolling their own, which would have been fine if it could do so VERY quickly but instead the apple version of java fell farther and farther behind the mainstream. At that point a major attack was inevitable, the only question was when.

        If I was a paranoid person i'd have to wonder if this wasn't by design, after all who would fault Apple if they restricted or outright banned Java as a security risk now? Of course Java like Flash allows one to run web based apps which bypasses the appstore which Apple has sunk so much into so a pessimist might say that Apple wants java to go the way of flash and what better way than to remove it to better protect the user?

        • Re:makes more sense (Score:4, Informative)

          by Yaztromo (655250) <.moc.cam. .ta. .omortzay.> on Saturday April 21, 2012 @03:16AM (#39754277) Homepage Journal

          Wow...10.5 was released in 2007 and its ALREADY unsupported according to the wiki? damn maybe folks shouldn't have marked the AC a troll that made the joke about buying a new Mac every year. I thought the big selling point on the Mac was how "high quality" Macs were? Yet the support drops after less than 5 years? I guess that's why I never really got into macs, i just don't get it.

          10.5 was the last version that ran on PowerPC machines. People with older PowerPC machines who wanted to keep up to date with the OS needed to upgrade to Intel hardware to run 10.6.

          10.6 for existing Intel Mac owners was $25. From what I've read and seen, a massive percentage of the user base upgraded to 10.6 pretty quickly. 10.6 wasn't a massive upgrade, but by shedding all of the PowerPC support and through compiler optimization, threading and multi-core support improvements (Grand Central Dispatch, and its use by most of the core applications), improved 64 bit support (including a 64-bit kernel and 64-bit apps), and various Intel-specific improvements, 10.6 was a pretty massive upgrade from 10.5 in terms of speed. According to this press release, OS X 10.6 saw twice as many purchases in its first week of release as 10.5 (four times more than 10.4's first week), with sales declining by only 25% in the second week. As such, from a practical standpoint for most Mac users, it's a non-issue, as the majority are now running 10.6 or 10.7 (roughly 78% according to the Adium page quoted by the GP post). 10.6 was such a massive improvement and so cheap (relative to other commercial OS's) that the only real reason to stick with 10.5 was if you're still on PowerPC hardware.

          In terms of hardware support according to Apple [apple.com] systems go into "Vintage" classification if they're between 5 and 7 years old (which for most of the world means "obsolete/unsupported").

          If I was a paranoid person i'd have to wonder if this wasn't by design, after all who would fault Apple if they restricted or outright banned Java as a security risk now?

          Apple already dropped Java from OS X 10.7. It isn't included at all, but can download and install itself if it's needed (it will typically offer to do so if you try to run anything that requires it).

          The latest Java updates disable Java applet support in Safari and other browsers that use Apple's Java plug-in. You can re-enable this if you need it, however it will disable itself again after a period of disuse. To be honest, while I've long been a Java developer and have no problem with rich Java applications, Java applets are a dead technology anyhow. I haven't come across one in many, many years now.

          Point being, Apple has been moving in this direction for a while. At one point (back in 10.1 IIRC) Java was supposed to be one of the top-level development languages for the Mac. Apple developed and provided the Java Cocoa bindings, which allowed UIs designed in their Interface Builder tool to be bound to Java applications, and Cocoa objects to be easily accessed via Java (and vice-versa). This was deprecated in 2005. Then Apple decided not to support Java in iOS (smart move IMO). Now it's no longer included with the OS, is only available as a downloadable add-on, and applet support is disabled by default. I don't predict they'll be getting rid of it entirely (there are a lot of Java developers on OS X, yours truly included) -- IIRC they're trying to transition to having Oracle maintain it alongside the Linux and Windows versions, instead of doing it themselves. They just want to move into a model more akin to Window's Java support -- it works fine, and applications run just fine, but you have to get it from Oracle as a separate install.

          All of which reminds me -- my parents are the type who continually ignore the pop-ups that software updates are available for their Mac (no matter how many times I've told them they need to stay up-to-date). I should call them this

          • by mortonda (5175)

            10.6 for existing Intel Mac owners was $25.

            This is the single biggest reason why macs upgrade fast. Apple doesn't overprice their upgrades, and they do a terrific job of advertising them. It makes it much more palatable to upgrade than the budget killer that MS drops on us every so often.

            • by toddestan (632714)

              10.6 for existing Intel Mac owners was $25.

              This is the single biggest reason why macs upgrade fast. Apple doesn't overprice their upgrades, and they do a terrific job of advertising them. It makes it much more palatable to upgrade than the budget killer that MS drops on us every so often.

              The real budget killer is periodically having to buy a whole new computer to run a supported OS. It especially has to painful given how expensive the computers are. Microsoft supports older versions of Windows for so long that the support will likely outlast the hardware. I could have bought an XP machine a full 10 years ago, and it will still be getting updates for it for almost another 2 more years, without giving another dime to Microsoft.

              • by hairyfeet (841228)

                That's why I never understood the complaints. Sure i personally would prefer if MSFT kept that $50 Win 7 Home deal but the simple fact is the vast majority will get Windows on their new PC and the PC itself will be positively ancient before it runs out of being supported. Take my nettop for example, its a circa 2004 Sempron 1.8GHz with 1.5Gb of RAM. That machine is now 8 years old, every single thing about it is horribly out of date, the CPU socket, RAM, even the HDD interface is more than 2 generations beh

        • Technically Java was the target and the malware was cross platform. Of course Java is a big target and probably why Apple would like to do away with Java for good.
    • by arkhan_jg (618674)

      Symantec have admitted their 140,000 was too low. The trojan uses DNS generation partly based on date on where to look for C&C servers. AV companies are building honeypots on those DNS names to 'capture' infected machines - and then use that to estimate how many machines in the wild are still infected. Turns out, some ISPs are also blocking the DNS names from resolving at all - so not only don't they connect to the dodgy C&C controllers, they don't connect to honeypots either. On top of that, the in

  • by squiggleslash (241428) on Friday April 20, 2012 @08:01PM (#39752399) Homepage Journal

    I had no idea, that's almost 500 per coffee shop!

  • 10.5 makes up 16.5% of Mac users, sure a lot are on PPC and the Flashback isn't targeting it, or is it?

    Also about 4-5% are still on 10.4%

    Apple didn't issue Diginotar Root certs fixes for these older OS X version neither.

    Come when 10.8 is released, a whopping 65% of Mac users on 10.4-10.6 will be ripe for the pickings

    Because Apple only updates the last two OS X versions in circulation, then is now releasing a new OS X version every year.

    Microsoft on the other hand issues updates for their OS for 10 years?

    Mac

    • by Billly Gates (198444) on Friday April 20, 2012 @08:10PM (#39752467) Journal

      10.5 makes up 16.5% of Mac users, sure a lot are on PPC and the Flashback isn't targeting it, or is it?

      Also about 4-5% are still on 10.4%

      Apple didn't issue Diginotar Root certs fixes for these older OS X version neither.

      Come when 10.8 is released, a whopping 65% of Mac users on 10.4-10.6 will be ripe for the pickings

      Because Apple only updates the last two OS X versions in circulation, then is now releasing a new OS X version every year.

      Microsoft on the other hand issues updates for their OS for 10 years?

      Mac's a better value? Less prone to malware? Not for too much longer...

      ... and yet I find it hilarious when I read all the angry rants on wired.com and here on how poor old XP is going to lose support in 2 years a mere 13.5 years after launch.

      This dwells into the more serious issue of the security nightmare that will come when all internet enabled computers that are more used like XP become abandonded. Personally I think it would be a good idea to disable port 80 on all devices 3 months after support ends to keep the upcoming security nightmare. It will anger many users but many malware writters will target XP if MacOSX has so many infections yet remains so small marketshare wise still. We do not allow vehicles with rags for a gas cap to go on the road right?

      I understand Apple losses money to support users but something should be done. If not after a few billion lost dollars in bank accounts will create some nasty lawsuits.

      • by jedidiah (1196) on Friday April 20, 2012 @08:16PM (#39752509) Homepage

        > ... and yet I find it hilarious when I read all the angry rants on wired.com and here on how poor old XP is going to lose support in 2 years a mere 13.5 years after launch.

        When is the last time a new PC was sold with some version of XP installed by the hardware vendor?

        THAT is your starting point for "support", not when the first version was originally released.

        • I believe there were still netbooks selling with it at the beginning of last year.
        • by yuhong (1378501)

          Except that is not how the MS support lifecycle currently works unfortunately. It guarantees mainstream support for 5 years after this version's release, or 2 years after the next version's release, whatever is later. In other words, the only reason XP is getting more than 10 years of support is the Longhorn delays (I still remember when mainstream support for it was to end in December 31, 2006!).

          • The relevant period here would be extended support rather than mainstream, since extended support still includes security fixes. And extended support lasts either 5 more years after mainstream support ends, or 2 years after the second next version is released, whichever is longer.

            So, basically, you'll keep getting security fixes for the product for at least 10 years.

      • by Moridineas (213502) on Friday April 20, 2012 @08:27PM (#39752575) Journal

        I understand Apple losses money to support users but something should be done. If not after a few billion lost dollars in bank accounts will create some nasty lawsuits.

        Apple has been getting more serious about security for awhile (in comparison to, "we're unix, we're ok"). Sandbox, gatekeeper, removal of automatic execution, malware removal tool, etc. They need to gt a LOT better in how they respond though.

        Apple clearly understands support in general though. They routinely get excellent marks on their support. See the genius bars as an example. I personally have had out of warranty macs repaired for free. My sister had an out of warranty Macbook case top replaced when it chipped. And so forth. Support is one of the big reasons to buy an Apple, imho.

      • Personally I think it would be a good idea to disable port 80 on all devices 3 months after support ends to keep the upcoming security nightmare. It will anger many users but many malware writters will target XP if MacOSX has so many infections yet remains so small marketshare wise still. We do not allow vehicles with rags for a gas cap to go on the road right?

        Just out of curiosity, what was your opinion when Sony removed Boot Other OS from the PS3? "It's their right to patch systems if you want to keep using their servers" or "they're removing a valued feature without asking the users, this is fraud and theft!"

      • What's scary is the number of NEW embedded systems like Point Of Sale, ATM, and factory control systems that are still shipping with Windows XP. There are still a bunch of software vendors that STILL have not updated their software to work with Windows 7.... and Windows 8 is right around the corner.

        • by LoadWB (592248)

          I'm RELIEVED to know that new systems are using XP. I can't tell you how many systems I run across still running 2000. Make me think, though, that since the Armageddon predicted over the deprecation of 2000 never materialized, perhaps we'll dodge the bullet with XP, as well.

          • by yuhong (1378501)

            AFAIK Stuxnet was developed before Win2000 ended support and was discovered just after, which means it did target Win2K, but patches for the vulns Stuxnet targeted are not available for Win2k without a CSA. This is a targeted attack though.

    • Microsoft can't take money from corporations with their contracts if they're not going to provide longer support. Microsoft also charges hundreds for its OS. Apple charges like £20.99. There is no good reason not to be on a 5 year old operating system unless you're a PPC user and then it's just tough luck because you're on dead hardware.
  • by Anonymous Coward on Friday April 20, 2012 @08:10PM (#39752463)

    According to wikipedia [wikipedia.org], Flashback uses web redirects and javascript to automatically load a Java applet that contains the vulnerability.

    In my book, it's only a Trojan if a real person is duped into executing it, and IMHO an infected legitimate website redirecting someone to a malicious website that automatically runs something that infects the user's computer does not count as duping a person into executing something.

    TL;DR: Flashback is not a trojan. We need a new term for this type of threat.

    • by DarwinSurvivor (1752106) on Friday April 20, 2012 @08:28PM (#39752587)
      I believe they call it a "drive by".
    • It is both a trojan and a malware drive bye.

      If you do not click on it, it is malware and will use a memory corruption bug to infect your account. You can delete your account to delete it. If you do click on it the malware turns into a deadlier trojan that runs as administrator and is more difficult to remove.

      Most malware these days regardless of type target multiple vulnerabilities. Since IE and Chrome have a sandbox ... what is up with Firefox not having one? ... you need to first get past the sanbox. Afte

    • by timothyf (615594)

      Did the user perform an innocuous action that lead to the trojan being run? It sounds like you have to visit a website hosting the trojan with a vulnerable computer (a user-initiated action, btw) and you're infected. That seems to meet the definition of a trojan to me. If you just connect a vulnerable Mac to the network and let it sit, it won't be compromised this way.

      So yes, Trojan is accurate. A user is tricked into downloading and running something malicious. A user could theoretically avoid an infection

      • by vux984 (928602)

        Did the user perform an innocuous action that lead to the trojan being run?

        So if you perform an innocuous action that leads to you getting infected with malware then its a trojan?

        Gotcha.

        So if the user were to perform an innocuous action like...

        If you just connect a vulnerable Mac to the network [a user initiated action, btw] and let it sit...

        Then any infection that leads to is a trojan.

        QED.

        A user could theoretically avoid an infection if they knew that the site was hosting the trojan

        True. And a user could a

  • The article is here [arstechnica.com].

    I think many people who assume they are invulnerable and have older macs probably have no clue they are even infected. I am curious what the percentage of older MacOSX installations are? Not everyone can afford or want to buy an expensive iMac/Powerbook every 3 years.

  • by PopeRatzo (965947) on Friday April 20, 2012 @09:08PM (#39752805) Homepage Journal

    A Week After Apple's Fix, Flashback Still Infects Half a Million Macs

    To be fair, Apple users may have more important things to do than install hotfixes. For example, engaging in a love that dare not speak its name can be very time-consuming.

    I've heard...

  • by sandytaru (1158959) on Friday April 20, 2012 @09:12PM (#39752823) Journal
    I for one welcome our Mac brethren to the world of Real Computing, where your device will get infected if you don't have any anti-virus protection, and will still get infected even if you do have anti-virus protection if you're ignorant.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      UNIX has been where grown-ups go to compute for the last 40 years, where have you been?

      • 40? Not really. 20 maybe, but in and before the '80s the term 'UNIX security' was something that users of things like VMS and OS/370 said while sniggering. A big part of the success of UNIX was that it ran on cheaper hardware than a real operating system...
      • Waiting until he's old enough to grow a neck beard...
    • You think anti-virus would have protected mac users from this?

      It wouldn't.

      • by cbhacking (979169)

        Actually, you're completely wrong. Not because the real-time scan would have caught the exploit applet at first (although any decent antivirus has now had the definition for all known variants for a few weeks) but because this malware explicitly targets people who don't give a damn about their computer's security.

        The drive-by download's payload is an installer. Before it installs the botnet kit, the installer checks the filesystem for a list of security programs, including antivirus software. If it find any

        • And that's why the Appleverse is taking embarrassingly long to clean up this particular mess. It deliberately targeted the weakest users and infected them all before the more savvy users could catch on.
  • The numbers (Score:5, Interesting)

    by glitch0 (859137) on Friday April 20, 2012 @09:44PM (#39753009) Homepage
    I'm not discrediting these guys and I'm honestly curious: How to they arrive at these numbers? How does one determine if a computer is infected without access to said computer?

    Do they port scan 1000 random machines and extrapolate from there? I'm genuinely curious to know their methods. How could they arrive at such a precise number? Surely they must only have a sample of macs and use statistical models to extrapolate, right? They can't scan all the macs, right? right?

    How do they do it?!?!
    • by Yaztromo (655250)

      Do they port scan 1000 random machines and extrapolate from there? I'm genuinely curious to know their methods. How could they arrive at such a precise number? Surely they must only have a sample of macs and use statistical models to extrapolate, right? They can't scan all the macs, right? right?
      How do they do it?!?!

      My understanding is that infected Macs try to contact a command-and-control server with a unique identifier in order to get the trojan payload. Several of the anti-virus/security companies have ben able to hijack the command-and-control system to insert their own system (probably via DNS entry changes at some major ISPs) that infected Macs then try to connect to. They record the unique ID's in the request messages, and then extrapolate the results accordingly.

      Yaz.

    • by AmiMoJo (196126)

      They have hacked some of the command and control servers by taking over their DNS entries. They can see Flashback infected Macs trying to phone home for instructions.

      • Or so they say. I tend to agree with one of the ARS posters: "Am I mistaken, are are all the numbers out from antivirus vendors, all people with a monetary stake in finding more infections rather than less? I do not recall seeing an independent verification of any count; did I miss one? Every time I read about an "independent" source "confirming" the numbers, it's another vendor with an obvious bias--the same vendors who have been exaggerating Mac threats for the past 7 years and more. I mean, if Fox News r
  • I wish Microsoft... (Score:4, Interesting)

    by sideslash (1865434) on Friday April 20, 2012 @10:44PM (#39753331)
    ...would hire those two dudes from the "I'm a Mac and I'm a PC" commercial for a reunion commercial. I'm sure Apple would sue, though, because Apple only has a sense of humor when they are making fun of other people.
  • by pesc (147035) on Saturday April 21, 2012 @03:11AM (#39754263)

    If you bought your Mac three years ago and never bought an OS upgrade, you are likely running Leopard.

    Apple has still not provided any fix or upgrade that addresses this malware for Leopard. Only for Snow Leopard and Lion.

    • Apple has still not provided any fix or upgrade that addresses this malware for Leopard. Only for Snow Leopard and Lion.

      They have a fix for Leopard. It's the free upgrade to Snow Leopard.

Take care of the luxuries and the necessities will take care of themselves. -- Lazarus Long

Working...