Forgot your password?
typodupeerror
Desktops (Apple) Security Apple

Mac Flashback Attack Began With Wordpress Blogs 103

Posted by timothy
from the slashcode-was-lower-on-their-target-list dept.
With more on the Flashback malware plaguing many Macs, beaverdownunder writes with some explanation of how the infection grew so quickly: "Alexander Gostev, head of the global research and analysis team at Kaspersky, says that 'tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.'"
This discussion has been archived. No new comments can be posted.

Mac Flashback Attack Began With Wordpress Blogs

Comments Filter:
  • by skipkent (1510) on Monday April 23, 2012 @03:35AM (#39768289)

    At it's height it was never as bad as some of the windows viruses have been, but it plants the seed that macs aren't safe and are just as vulnerable as any other OS.

    • by Sneeka2 (782894) on Monday April 23, 2012 @03:44AM (#39768341)

      True. Anybody with half a brain knew this of course. It was merely time for the practical proof.
      From here on Apple will have to proof itself in how well it does or doesn't respond to such incidents.
      For its first trial by fire, it didn't receive very high marks so far.

      • Re: (Score:1, Flamebait)

        by Chrisq (894406)

        True. Anybody with half a brain knew this of course.

        And now the Mac fanbois know it too.

      • This is the same thing that happened at pown to own. Any time you integrate the browser into the OS you are open up security vulnerabilities. Microsoft has had issues like this for years. Apple sacrificed security for useability.
    • by Anonymous Coward

      But how does that help? I mean "seed", heck, we've been /terraformed/ with evidence that Win security is bad, yet the average Win user is still pretty clueless about it.

      • But how does that help? I mean "seed", heck, we've been /terraformed/ with evidence that Win security is bad, yet the average Win user is still pretty clueless about it.

        We Mac users pay a premium for our computers with the presumption that one of the benefits of a Mac is that security is stringent. Just make sure your updates are up-to-date, don't randomly install crap or casually click with a 'Hey, OK, if you really think you should install that' mentality.

        This is like relying on the warning light on your dash that you're about to run out of gas. You never take it for granted that it will keep you from doing something stupid after the first time it fails you.

        • by jedidiah (1196)

          > Just make sure your updates are up-to-date, don't randomly install crap

          If you are going to go that far then you don't really need to flee to another platform really. Being crippled by fear is no enhanced security, it's gravely degraded capabilities.

          Someone else has already brought up the distinction between security and DRM in this regard.

    • by mwvdlee (775178) on Monday April 23, 2012 @03:58AM (#39768403) Homepage

      As I understand it, Mac's installed base is roughly ~8%, windows about ~85% (obviously, accurate and unbiased statistics are pretty near impossible to find).
      Flashback infected some ~600,000 macs, so a PC trojan would have to have hit ~ 6,375,000 PC's in order to be worse.
      Conficker (http://en.wikipedia.org/wiki/Conficker) infected ~7 million PC's, which is somewhat worse, but not by a large margin.

      Obviously Flashback had the benefit of fighting against a userbase largely ignorant of security and it's quite likely that if Apple and it's users start taking security seriously, future Mac infections will have significantly less impact. But history tells me things will become much worse before it gets better.

    • by jbolden (176878)

      Except they aren't as vulnerable there is a pretty long history at this point of OSX. Further the ability to move the developer community rapidly, and having a user base that is comfortable with application breakage on OS updates, means that Apple can enhance security. They have also laid a lot of groundwork in terms of security infrastructure for example the defaulting regarding application install and the sandboxing.

      A few slips once in a while is substantially different than the same level of problems a

  • ...knows far less about computer security than the average Windows user that's lived with viruses for 20 years?

    That's one tough learning curve they're entering.

    • by Anonymous Coward

      Oh, they do know about viruses, but the majority of these users moved away from windows so they can keep being lazy and not care about security, of course, the malware is going to follow them.

  • Ignorance (Score:4, Interesting)

    by dejanc (1528235) on Monday April 23, 2012 @03:46AM (#39768349)

    The main problem here may be ignorance. I use OS X and I only heard about this malware here on Slashdot. I really don't recall reading about it anywhere else. I immediately installed a Java update when it was available because I heard the fix was propagated through it. I might have as well skipped it or postponed it as I often do when I am in a situation when I don't want to wait for the updates to install, e.g. when checking email in a hotel on a vacation or just turning on the laptop to quickly see something like weather forecast.

    Most Mac users probably never even heard about Flashback.

    • Re: (Score:3, Insightful)

      by TubeSteak (669689)

      The main problem here may be ignorance.

      The main problem here may be WordPress.
      It didn't have to be OSX malware, they could have targeted any operating system.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        The main problem here may be WordPress.
        It didn't have to be OSX malware, they could have targeted any operating system.

        No, the main problem is arrogance and ignorance.

        WordPress does have security bugs, but if that was it, then there'd be tens of thousands of compromised blogs and nothing else. Your computer shouldn't be compromised simply by going to an untrustworthy site. Period.

        It could have targeted any operating system, but it didn't. It could have targeted Windows which are more numerous by an order of magnitude, but it didn't. The difference is clearly that:

        • The bug was initially in Java, but Oracle patched it relative
      • Re:Ignorance (Score:5, Informative)

        by sapphire wyvern (1153271) on Monday April 23, 2012 @04:49AM (#39768559)

        The malware still has to install on the user's OS, which requires browser/plugin exploits on the user's PC for user-privilege level access and possibly a local escalation bug if the malware wants admin rights without user "approval". So I think it's fair to cast _some_ aspersion at Apple here, even if WordPress is providing the server end of the malware deployment ecosystem.

        But getting back to your point about WordPress. It seems to me that WordPress has been the server-side vector for far too many malware deployment efforts. I've certainly heard its name associated with a lot of previous malware storms. What are some more secure alternatives to WordPress?

        • Re: (Score:3, Informative)

          by jaymemaurice (2024752)
          It probably doesn't matter what you use if you do not plan on continually updating it or install every third party plugin... It's not like the WordPress comunity can't deliver a working blogging platform or patch the security flaws but it is the prevailing platform, open source, and nobody updates. Same problems the OS vendors have really.
        • relly right saying
        • The secure alternative to WordPress is a current version of WordPress.

          It's a widely used tool for non-experts to manage their own servers. Standards vary. Good news is WordPress updates automagicly with one click. Bad news is there's a huge plugin market and theme aftermarket, and some of it is insecure. The only way to fix this is a) make it less open or b) kick out the newbies. Both medicines are worse than the disease.

      • by makomk (752139)

        Now figure out what would happen if the malware was coded to infect WordPress blogs adminned from the computers it affected. OSX is the problem here, no question about it.

    • by Anonymous Coward

      hey ! how many's I's can one pack into 4 lines of comments about one's "greatness" ...

      counting 8 I's and very irrelevant data here ...

      • by dejanc (1528235)

        I'm going for a new record which I'm about to set so I can brag about it :)

        Sorry for awful writing :)

    • by Sycraft-fu (314770) on Monday April 23, 2012 @06:23AM (#39768871)

      Apple really wants to downplay the issue. This actually isn't the first Malware to hit Macs (one of our professors got one that was using text to speech to read out ads, it was hilarious) just the first one to be really bad. Apple is still addicted to selling the viewpoint that Macs are immune to that kind of shit. So they didn't go putting out any big press releases warning people of nasty shit.

      Most of the time when there's a nasty problem, the vendors put out press releases to try and let people know that the patches this time around are more important than normal and yes, you really need to apply them Right Now. Apple didn't so reporting on it wasn't as widespread as you might expect.

      Also there are a surprising number of Mac users who drink the "Macs can't get viruses," kool aid whole heartedly. They don't just believe the specifics of the Apple advertising, they really believe Macs are 100% immune to security issues. Drives me up the wall when I'm dealing with one of them and trying to explain that yes, you DO need to patch your OS even though it is a Mac and no, running an FTP with world write access is not ok just because it is a Mac (really, had some grad students pull that one).

      Given the amount of Mac users in journalism, and the general techno-unawareness of journalists, that makes the problem worse. Someone sees a story about a "mac virus" and they say "Nah, can't be real, Mac's don't get viruses, just more stupid shit floating around the 'net."

      As time goes on, and Macs continue to be targeted (which they will) or we see cross platform attacks (using Java or HTML5 or something) the awareness of security on Macs will slowly rise.

      • And there are way too many Windows users who think they're immune because 'Mcfee' comes with their PC (too bad you didn't pay for the updates). Or that you can keep your antivirus program up to date and still happily surf 'midgetsandgoatsxxx.com' all day and click on anything that blinks.

        Drives me mad when I have little conversations with people who think it's cool to update a policy document on said compromised machine and then want to send it to me via a USB drive. Last time that happened, I put the lit

      • by jbolden (176878)

        I don't think so this isn't Microsoft with a complex eco system of interlocking vendors this is Apple with a top down style. If Mac users are being confronted with security threats Apple is going to design a response and focus on developers to rapidly bring their applications up to date. The message is going to be "we are taking care of it, make sure your applications are focused on meeting security standard XYZ because in 47 days..."

        The infrastructure is in place for apple to turn the security way up ver

      • by Vokkyt (739289)

        I would hope the general response by tech journalists to Mac Malware is an inquisitive one. It's certainly my reaction, since it is still a fairly unique occurrence.

        Macs and Malware are an annoying thing to read about because you have to dig through so much Pro/Anti Apple uselessness to figure out even the most basic information about the malware, like "what's it doing?" or "how do I know I'm infected?". I think when I read this on /. initially, it wasn't until ~ the 200th comment that someone posted the

    • I also did that, I updated my wife's computers even if her didn't like to reboot her machines for updates, but this helped her to understand why it is necessary. Flashback worked because we are pestered with Flash Player updates almost weekly, so for many users this appeared to be a legitimate update, and because Apple was incredibly lazy in updating Java. 1 or 2 weeks of delay between Oracle's patch and Apple's patch is reasonable, 2 months not.

  • by Anonymous Coward on Monday April 23, 2012 @06:07AM (#39768837)

    "How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in."

    This it not unclear at all. There were a few security problems with WP in the last year. But a LOT of themes use the timthumb.php module to do dynamic rescaling of images. Timthumb used to be extremely vulnerable, you could download a file from http://www.youtube.com.attacker-domainname/anything.php, install it in the timthumb's cache and have full access like forever.

    Updating WP wouldn't do any good, as a fully updated WP installation can still run a vulnerable theme. Even when the flaws in timthumb were fixed and the theme is updated, these sites have been flooded with backdoors, varying from eval($_POST['a']) in wp-config.php to newly created admin users. (Admin users can edit .php files from /wp-admin, an admin user effectively has power to run any php code desired.)

    I've manually removed and analysed infections from several customers wordpress websites, all were hit by timthumb exploits. Some of these websites had literally dozens of backdoors, each of which gave full access to the site. I've seen malware that hid from googlebot to avoid detection. I've seen infections with timers, and infections that kept an IRC connection open to accept commands. These infections were just waiting for the right moment to be abused.

    • by AndrewStephens (815287) on Monday April 23, 2012 @08:06AM (#39769335) Homepage

      Exactly right. I have noticed a huge upswing of probing behavior in my Wordpress site logs, all targeting timthumb in various common themes. Wordpress is easy to install (and easy to upgrade) but requires ongoing upkeep as vulnerabilities are found and patched. Too many people just install it and let it rot.

    • by colfer (619105)

      Also, themes are difficult to update. Compared to plugins and the Wordpress core, theme updates have these problems:

      1. First, themes do not notify you when they have updates available.

      2. It takes an expert to merge a theme update with the existing customization of the theme. (Plugins and core updates are one click.)

      3. Theme vendors limit their support. I dealt with a well-known theme vendor which charges some small amount for a subscription to all its themes. It refuses to provide archive versions or change

      • by grcumb (781340)

        Also, themes are difficult to update. Compared to plugins and the Wordpress core, theme updates have these problems:

        1. First, themes do not notify you when they have updates available.

        They do now. I'm staring at a theme update notification right now.

        2. It takes an expert to merge a theme update with the existing customization of the theme. (Plugins and core updates are one click.)

        No it doesn't. Use Child Themes [wordpress.org].

        3. Theme vendors limit their support. I dealt with a well-known theme vendor which charges some small amount for a subscription to all its themes. It refuses to provide archive versions or changelogs. So the expert is left guessing what customizations have been made, unless some previous person working on the site has keep a copy. (Plugins are more commonly from the WP site, with changelogs and archives.)

        True. As with all vendor markets, YMMV and caveat emptor.

        (Also, protip: man diff)

        4. Users keep unused themes lying around online and see no reason to update them. (This can also be a problem with inactive plugins.)

        Lazy people are lazy. This is a problem with people, not with Wordpress.

        5. Wordpress core can do nothing to protect against bad code. A theme can run arbitrary PHP, as can any admin user from the admin interface, as mentioned by parent. (Plugins are similar, though runtime the active theme has priority over plugins.)

        Again, this is a 'vulnerability' in programming languages, necessary because write and execute permissions are kind of important to people who want functionality. How this is a 'fault' in Wordpress is beyond me.

        Any software that abstracts away some of the detai

  • by anthony_greer (2623521) on Monday April 23, 2012 @06:50AM (#39768993)

    I have had non technical Mac users ask me about this, that means that they (or at least more of them than before) are open to advise about security and don't just smugly boast about Macs being invincible any longer. This makes everyone safer from my view.

    BTW the advise I give Mac users who ask is as follows:
    1: run apple menu->software update manually at least once a week, and download everything it suggests*
    2: use a non admin account for daily activity and NEVER provide admin creds unless you know exactly what it is using them for, you should never need to do this while surfing the web.
    3: Only get software from trusted sources, like the app store, SourceForge, or vendor web sites like Adobe or Autodesk.
    4: Switch to a platform where java is controlled and updated by the first party, Oracle and not a third party, Apple to ensure you have the best security possible.

    *Just as with windows or any other *NIX box, there is an exception to the all update thing, if you know that it will break your workflow or some component thereof, you can skip it while that is worked out.

    • by jrminter (1123885)
      Your point about updates breaking critical workfows is something Windows users have struggled with for years. The problem is that it is typically difficult to find out until it is too late unless one spends a great deal of time following all the development mailing lists on all software in one's toolchain.
    • Very glad to see you didn't include "install and run anti-virus" on the list.

      As I noted above, Windows users got hit just as bad with Conficker, percentage-wise, despite being conditioned to run antivirus and anti-malware tools all the time. Those tools do very little against new malware that exploit already-patched vulnerabilities.

      • There is some value to heuristics in AVs in Windows. I have seen both SEP and MS Fep stop undefined malware with heuristics in a large company.

        On the Mac however, there are no heuristic algorithms in wide enough use to be valuable, so AVs only really stop you from propagating Windows viruses, which Macs cant do anyway unless you are forwarding spam email, so its really pointless to run AVs on Macs.

    • by Huge_UID (1089143)
      4a. Uninstall Java. 4b: If you must run Java, switch to a platform where java is controlled and updated by the first party, Oracle and not a third party, Apple to ensure you have the best security possible.
      • by tlhIngan (30335)

        4a. Uninstall Java. 4b: If you must run Java, switch to a platform where java is controlled and updated by the first party, Oracle and not a third party, Apple to ensure you have the best security possible.

        Basically, you mean upgrade your Mac.

        OS X has stopped shipping Java for a little while now - I think Leopard was the last version to come with it by default, but later versions excluded it (like Flash). The main reason was to avoid reinstalls installing vulnerable versions again (Flash, notably). But for

        • by kybred (795293)

          Apple stopped installing Java with Lion. But if you attempt to run a Java app you get a prompt asking if you want to install Java. I believe that is still the Apple Java implementation, with Apple still handling the updates.

          In fall 2010, Apple announced that they were stopping their in-house Java development and was putting their support into OpenJDK [wikipedia.org]. It looks like that is targeting Java SE 7, so I think that Apple must be continuing their Java development in house until that is released. So perhaps Apple

  • by anthony_greer (2623521) on Monday April 23, 2012 @06:58AM (#39769017)

    I am not a web dev but it seems to me that there are way too many stories that involve wordpress attacks in the past year, I have heard of at least 10 cases of wordpress being compromised, but in that same time not one case of Drupal, Sharepoint, Joomla, or Movable Type having the same issues assuming all were running the latest releases.

    Is wordpress broken at it's core, or is it all just crummy plugins that open holes?

    • by Shikaku (1129753)

      Crummy plugins and people that never update Wordpress/said crummy plugins.

    • by ledow (319597)

      Joomla gets more than its fair share of serious compromises (usually XSS), but the difference that I found is:

      1) It automatically updates.
      2) You can sign up to an email about those updates and perform them manually
      3) People don't install ten millions kinds of junk and plugin into it.

      But, of course, what keeps it with a better reputation is a) not being stupid, b) fixing things that are broken and c) not as many people using it.

      Wordpress would be fine - if you kept it up to date in the same way and didn't us

    • by Danzigism (881294)
      I don't think it's a matter of WP being broken at it's core. They have some of the best core developers I've seen work on any open source project. However, it is easy to fall out of the best practices for running a WP site. Also consider that it is the most largely growing CMS out of them all. Not setting correct file permissions, using DB users with too many privileges, not keeping the damn thing up-to-date (it's easy to update, just sign in and click the notification), and just generally being an inexper
      • by dkf (304284)

        I don't think it's a matter of WP being broken at it's core. They have some of the best core developers I've seen work on any open source project. However, it is easy to fall out of the best practices for running a WP site. Also consider that it is the most largely growing CMS out of them all.

        What they appear to have is a more subtle problem: it's not designed to Fail Safe. Get something wrong? Fail to update? Any problem, and you end up with some ability to do local damage and set in motion a full exploit. If the system failed safe, it wouldn't allow you to do anything until you'd proved that you were legit; any bugs would just result in a reduction in what could be done.

        That said, I've got no idea how far you could get with creating a full CMS on the principles I described. Yes, I use the prin

  • Enough said.

What this country needs is a good five dollar plasma weapon.

Working...