Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team

[MacRumors]

The Flashback malware affecting OS X systems has gained quite a bit of publicity since it was disclosed last week that over 600,000 Macs have been infected by the malware. Flashback began life last year as a trojan and has morphed into a drive-by download taking advantage of a vulnerability in Java that Apple did not patch until last week, despite Oracle having released patches for other systems back in February.

Over the past few days, a few additional tidbits of information on Flashback have surfaced, including the arrival of some new tools to help users manage the threat.

- As noted by Ars Technica, a new Mac app by the name of Flashback Checker has been released to help users determine whether their machines have been infected. Users have been instructed to use Terminal to enter commands searching for files created by the malware upon infection, and Flashback Checker offers a simple packaging of these commands behind a user interface. While the app is incredibly simple and does not offer assistance with removing Flashback if it is found on a given system, it does provide a more familiar interface for those who might be intimidated by delving into Terminal on their own.

- OpenDNS has announced that it has included filtering of Flashback in its services. OpenDNS offers a number of features to improve resolution of domain names, and the new filtering of Flashback helps prevent infection while also preventing already-infected machines from communicating with the command-and-control servers being used to deliver instructions to the infected machines.

- Forbes has an interview with Boris Sharov of Russian security firm Dr. Web, which was first to bring the magnitude of the Flashback threat to light. In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are.

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," says Sharov. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."

Sharov believes that Apple's attempt to shut down its monitoring server was an honest mistake. But it's a symptom of the company's typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn't received a response. "We've given them all the data we have," he says. "We've heard nothing from them until this."

Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.

Article Link: Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team

 

[Michaelgtrusa]

Open dns make up for this?

 

[Doc750]

. In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are.Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.

Article Link: Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team

Typical apple ...

 

[jasonxneo]

We all agree malware sucks!!!!

 

[sha4000]

Been using opendns for about a year now.

 

[ddarko]

Well, it's good to know Apple is going after the botnet's command and control servers but wouldn't it have been great if it had pushed out the patch for the Java exploit back in February? They'd probably be dealing with far fewer infected Macs if Apple security hadn't been so complacent.

Open dns make up for this?

I'm assuming you were being sarcastic? Open DNS is a welcome - and canny - move on its part but obviously, it only works if you use it and probably the vast majority of infected people don't or aren't even aware they have the trojan. Plus, it would be an endless whack the hole chase - there'd always be a lag between new servers being set up and Open DNS blocking it.

 

[dr Dunkel]

I think it is wise to shut up about it, we don't want to scare the users, do we?

 

[I8P'CS]

Checked, Im clear. Macs still rock for me!!

 

[Derpage]

Time to get some more H-1B's from Asia STAT!

 

[Thadon]

I like how when Mac gets a virus/trojan/malware it is fixed quickly and not just by Apple but third parties try also.

 

[miles01110]

...but wouldn't it have been great if it had pushed out the patch for the Java exploit back in February? They'd probably be dealing with far fewer infected Macs if Apple security hadn't been so complacent.

Maybe, maybe not. It wouldn't be surprising if the vast majority of those infected don't even know it. Malware on all platforms is perpetuated by the type of users least likely to install any updates at all.

 

[Matthew Yohe]

“For Microsoft, we have all the security response team’s addresses,” he says. “We don’t know the antivirus group inside Apple.”

Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here it clearly states how to contact Apple.

You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.

 

[dotheDVDeed]

And still no fix for Leopard and Tiger users

 

[Supermacguy]

Secrecy has it's place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.

 

[fruitycups]

Sucks!!! Our days of worship are over

 

[MonkeySee....]

I'm still not even sure how 600,000 people got this? What sort of sites was this on?

 

[D.T.]

Step 1: Fake trojan outbreak news

Step 2: Create bogus removal tool that infects Mac when run

Step 3: 20 millions of Macs now trojan’ed





I’m sure it’s fine, and if you’re paranoid you can compile the source yourself (though if you can compile source, you should be able to perform the manual check easily...)

 

[ddarko]

Maybe, maybe not. It wouldn't be surprising if the vast majority of those infected don't even know it. Malware on all platforms is perpetuated by the type of users least likely to install any updates at all.

"Maybe, maybe not"? You can't seriously doubt that SOMEBODY would have and applies patches and updates. Yeah there are folks who don't update their machines who wouldn't have been helped by the patch - and are still getting infected today - but patches would have helped those who do update regularly. That's a sizable group. Open DNS may be blocking the communication channels now but it wasn't when no one knew about the botnet, meaning there was a open window for how long? And Open DNS doesn't prevent the infection.

And Flashback infection has nothing to do with a user's technical expertise because it installs without user intervention. Kaspersky research indicated that the trojan was distributed by infected the Wordpress platform, which is used to build 1 out of 7 sites on the internet. People who got infected likely didn't get it from visiting an obscure porn site but from a site they visit regularly and visited in the past without any problems.

 

[thejadedmonkey]

Typical Apple, shoot the messenger and hope the bad news he was bearing doesn't happen.

"If I close my eyes I can't see you!"

Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here it clearly states how to contact Apple.

You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.

How you found that link is beyond me. I went to Apple.com, clicked contact, and found this page.

EDIT: Bing manages to find it for me, so I guess it's findable, just not through Apple.

 

[miles01110]

... but patches would have helped those who do update regularly. That's a sizable group.

Obviously a patch would have helped those who update regularly, but that's not a sizable group. Some of the 600,000 Macs might have avoided infection, but it would still be a huge botnet.

And Flashback infection has nothing to do with technical expertise because it installs without user intervention. Kaspersky research indicated that the trojan was distributed by infected the Wordpress platform, which is used to build 1 out of 7 sites on the internet. People who got infected likely didn't get it from visiting an obscure porn site but from a site they visit regularly and visited in the past without any problems.

Not really sure where you're going with this tangent. I never said it had anything to do with technical expertise.

 

[sxdev]

Remember the instructions and cleanup are for initial infection only, not subsequent downloads. The one infected machine I found had installed an additional item which had a perl script in it, downloading and running a .sh file every 900 seconds and not cleaned up by the instructions.

 

[nikhsub1]

Been using opendns for about a year now.

5 years here. All my clients too. It really helps cut malware.

 

[Rocketman]

This might be one of those moments Apple can ask Microsoft for help.

Rocketman

 

[ddarko]

Obviously a patch would have helped those who update regularly, but that's not a sizable group. Some of the 600,000 Macs might have avoided infection, but it would still be a huge botnet.

We don't know how many people do update regularly and we don't know if it would have been huge. What we do know is that the botnet would have been smaller - it surely wouldn't have been bigger if patches were available - and closing know security holes as quickly as possible is to be encouraged and allowing them to remain open for months is a Bad Thing.

Not really sure where you're going with this tangent. I never said it had anything to do with technical expertise.

The tangent is there to point out that that even the most security conscious Mac user would have been infected without the patches (outside of disabling Java). In other words, Flashback isn't the type of malware that, as you wrote, "is perpetuated by the type of users least likely to install any updates at all" - it perpetuated and infected even the type of users MOST likely to install updates.

 

[nagromme]

The end of an era!

We’ve gone from:

* 2001: Macs are just as dangerous as Windows, probably worse, because, even though there has never been a successful real-world malware infestation on OS X, thousands of them are just about to happen any minute now!

To:

* Macs are just as dangerous as Windows, probably worse, because there has been ONE successful real-world malware infestation on OS X.

(I definitely do count this instance: it’s not a virus, not a worm, but it’s not a mere Trojan either—it’s a Trojan that installs itself; meaning the web site itself is the Trojan Horse—and one link is all it takes to get to a web site.)

P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?