Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team




MacRumors
Apr 10, 2012, 10:17 AM


The Flashback malware affecting OS X systems has gained quite a bit of publicity since it was disclosed last week (http://www.macrumors.com/2012/04/05/600000-macs-worldwide-reportedly-infected-by-flashback-trojan/) that over 600,000 Macs have been infected by the malware. Flashback began life last year as a trojan and has morphed into a drive-by download taking advantage of a vulnerability in Java that Apple did not patch until last week, despite Oracle having released patches for other systems back in February.

Over the past few days, a few additional tidbits of information on Flashback have surfaced, including the arrival of some new tools to help users manage the threat.

- As noted by Ars Technica (http://arstechnica.com/apple/news/2012/04/checking-for-mac-flashback-infestation-theres-an-app-for-that.ars), a new Mac app by the name of Flashback Checker (https://github.com/jils/FlashbackChecker/wiki) has been released to help users determine whether their machines have been infected. Users have been instructed to use Terminal to enter commands searching for files created by the malware upon infection, and Flashback Checker offers a simple packaging of these commands behind a user interface. While the app is incredibly simple and does not offer assistance with removing Flashback if it is found on a given system, it does provide a more familiar interface for those who might be intimidated by delving into Terminal on their own.

(Screenshot: http://images.macrumors.com/article-new/2012/04/flashback_checker.jpg)


- OpenDNS has announced (http://blog.opendns.com/2012/04/09/worried-about-mac-malware-just-set-up-opendns/) that it has included filtering of Flashback in its services. OpenDNS is a third-party DNS resolver with filtering features; its Flashback filter refuses to resolve the domains the malware uses, which helps prevent infection and also stops already-infected machines from reaching the command-and-control servers that deliver instructions to them. The filtering only protects machines that are configured to use OpenDNS's resolvers, and it does not remove an existing infection.

- Forbes has an interview (http://www.forbes.com/sites/andygreenberg/2012/04/09/apple-snubs-firm-who-discovered-mac-botnet-tries-to-cut-off-its-server-monitoring-infections/) with Boris Sharov of Russian security firm Dr. Web, which was first to bring the magnitude of the Flashback threat to light. In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are.

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," says Sharov. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."

Sharov believes that Apple's attempt to shut down its monitoring server was an honest mistake. But it's a symptom of the company's typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn't received a response. "We've given them all the data we have," he says. "We've heard nothing from them until this."

Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.

Article Link: Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team (http://www.macrumors.com/2012/04/10/flashback-tidbits-flashback-checker-opendns-protection-apples-low-visibility-security-team/)
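For readers who want the Terminal check in a reusable form, the script below is an added example, not the Flashback Checker app's code and not Apple's. It looks for the marker the manual instructions searched for: a DYLD_INSERT_LIBRARIES entry that the malware wrote into Safari's or Firefox's Info.plist (inside the LSEnvironment dictionary) or into ~/.MacOSX/environment.plist, so that its library was loaded into the browser at launch. The plist paths follow the public clean-up write-ups of the time; the sample plists and the library name `.example_injected.dylib` are constructed for illustration and are not real captures.

```python
"""Flashback-style DYLD_INSERT_LIBRARIES check (added example, not the
Flashback Checker app's code).  The malware persisted by writing a
DYLD_INSERT_LIBRARIES entry into Safari's or Firefox's Info.plist (inside
the LSEnvironment dictionary) or into ~/.MacOSX/environment.plist, so its
library was loaded into the browser at launch.  Paths below follow the
public write-ups of the time; adjust them if your layout differs."""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

APP_INFO_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
USER_ENV_PLIST = str(Path.home() / ".MacOSX" / "environment.plist")


def injected_libraries(plist_bytes: bytes, section: Optional[str]) -> List[str]:
    """Return the libraries named by DYLD_INSERT_LIBRARIES, or [] if none.

    `section` is the dictionary to look under ("LSEnvironment" for an
    application's Info.plist) or None for a top-level key (environment.plist).
    The value is colon-separated, like a shell PATH.
    """
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # unreadable or not a plist: report nothing, don't crash
        return []
    env = data.get(section, {}) if section else data
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    return [lib for lib in str(value).split(":") if lib]


def findings_from(blobs: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map plist path -> injected libraries, for every plist that has any."""
    result = {}
    for path, raw in blobs.items():
        section = None if path.endswith("environment.plist") else "LSEnvironment"
        libs = injected_libraries(raw, section)
        if libs:
            result[path] = libs
    return result


def scan_system() -> Dict[str, List[str]]:
    """Read the real plists (those that exist) and report any injection."""
    blobs = {}
    for path in APP_INFO_PLISTS + [USER_ENV_PLIST]:
        p = Path(path)
        if p.is_file():
            blobs[path] = p.read_bytes()
    return findings_from(blobs)


# Constructed sample plists (not real captures) to exercise the logic.
CLEAN_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
</dict></plist>"""

INFECTED_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.example_injected.dylib</string>
  </dict>
</dict></plist>"""

INFECTED_ENV = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/Shared/.example_injected.dylib:/tmp/.second.dylib</string>
</dict></plist>"""

if __name__ == "__main__":
    hits = scan_system()
    if hits:
        for path, libs in hits.items():
            print("INJECTION in %s: %s" % (path, ", ".join(libs)))
    else:
        print("No DYLD_INSERT_LIBRARIES markers found.")
```

Like the Terminal commands and the Flashback Checker app, this only detects the marker; it does not remove anything, and a variant that persists some other way (sxdev's periodic downloader further down the thread, for instance) would not show up here.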



Michaelgtrusa
Apr 10, 2012, 10:21 AM
OpenDNS makes up for this?

Doc750
Apr 10, 2012, 10:23 AM
In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are.

Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.

Article Link: Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team (http://www.macrumors.com/2012/04/10/flashback-tidbits-flashback-checker-opendns-protection-apples-low-visibility-security-team/)

Typical apple ...

jasonxneo
Apr 10, 2012, 10:23 AM
We all agree malware sucks!!!! :p

sha4000
Apr 10, 2012, 10:24 AM
Been using opendns for about a year now.

ddarko
Apr 10, 2012, 10:25 AM
Well, it's good to know Apple is going after the botnet's command and control servers but wouldn't it have been great if it had pushed out the patch for the Java exploit back in February? They'd probably be dealing with far fewer infected Macs if Apple security hadn't been so complacent.

OpenDNS makes up for this?

I'm assuming you were being sarcastic? OpenDNS is a welcome - and canny - move on its part but obviously, it only works if you use it and probably the vast majority of infected people don't or aren't even aware they have the trojan. Plus, it would be an endless whack-a-mole chase - there'd always be a lag between new servers being set up and OpenDNS blocking them.

dr Dunkel
Apr 10, 2012, 10:26 AM
I think it is wise to shut up about it, we don't want to scare the users, do we?

I8P'CS
Apr 10, 2012, 10:27 AM
Checked, I'm clear. Macs still rock for me!!

Derpage
Apr 10, 2012, 10:27 AM
Time to get some more H-1Bs from Asia STAT!

Thadon
Apr 10, 2012, 10:27 AM
I like how when Mac gets a virus/trojan/malware it is fixed quickly and not just by Apple but third parties try also.

miles01110
Apr 10, 2012, 10:28 AM
...but wouldn't it have been great if it had pushed out the patch for the Java exploit back in February? They'd probably be dealing with far fewer infected Macs if Apple security hadn't been so complacent.

Maybe, maybe not. It wouldn't be surprising if the vast majority of those infected don't even know it. Malware on all platforms is perpetuated by the type of users least likely to install any updates at all.

Matthew Yohe
Apr 10, 2012, 10:30 AM
“For Microsoft, we have all the security response team’s addresses,” he says. “We don’t know the antivirus group inside Apple.”

Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here (https://ssl.apple.com/support/security/) it clearly states how to contact Apple.

You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.

dotheDVDeed
Apr 10, 2012, 10:34 AM
And still no fix for Leopard and Tiger users

Supermacguy
Apr 10, 2012, 10:36 AM
Secrecy has its place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.

fruitycups
Apr 10, 2012, 10:36 AM
Sucks!!! Our days of worship are over

MonkeySee....
Apr 10, 2012, 10:38 AM
I'm still not even sure how 600,000 people got this? What sort of sites was this on?

D.T.
Apr 10, 2012, 10:38 AM
Step 1: Fake trojan outbreak news

Step 2: Create bogus removal tool that infects Mac when run

Step 3: 20 million Macs now trojan'ed


:D


I’m sure it’s fine, and if you’re paranoid you can compile the source yourself (though if you can compile source, you should be able to perform the manual check easily...)

ddarko
Apr 10, 2012, 10:39 AM
Maybe, maybe not. It wouldn't be surprising if the vast majority of those infected don't even know it. Malware on all platforms is perpetuated by the type of users least likely to install any updates at all.

"Maybe, maybe not"? You can't seriously doubt that SOMEBODY would have had, and applied, the patches and updates. Yeah, there are folks who don't update their machines who wouldn't have been helped by the patch - and are still getting infected today - but patches would have helped those who do update regularly. That's a sizable group. OpenDNS may be blocking the communication channels now but it wasn't when no one knew about the botnet, meaning there was an open window for how long? And OpenDNS doesn't prevent the infection.

And Flashback infection has nothing to do with a user's technical expertise because it installs without user intervention. Kaspersky research indicated that the trojan was distributed via infected WordPress sites; WordPress is used to build 1 out of 7 sites on the internet. People who got infected likely didn't get it from visiting an obscure porn site but from a site they visit regularly and visited in the past without any problems.

thejadedmonkey
Apr 10, 2012, 10:40 AM
Typical Apple, shoot the messenger and hope the bad news he was bearing doesn't happen.

"If I close my eyes I can't see you!"
Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here (https://ssl.apple.com/support/security/) it clearly states how to contact Apple.

You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.

How you found that link is beyond me. I went to Apple.com, clicked contact, and found this page (http://www.apple.com/support/contact/).

EDIT: Bing manages to find it for me, so I guess it's findable, just not through Apple.

miles01110
Apr 10, 2012, 10:44 AM
... but patches would have helped those who do update regularly. That's a sizable group.

Obviously a patch would have helped those who update regularly, but that's not a sizable group. Some of the 600,000 Macs might have avoided infection, but it would still be a huge botnet.

And Flashback infection has nothing to do with technical expertise because it installs without user intervention. Kaspersky research indicated that the trojan was distributed via infected WordPress sites; WordPress is used to build 1 out of 7 sites on the internet. People who got infected likely didn't get it from visiting an obscure porn site but from a site they visit regularly and visited in the past without any problems.

Not really sure where you're going with this tangent. I never said it had anything to do with technical expertise.

sxdev
Apr 10, 2012, 10:45 AM
Remember the instructions and cleanup are for the initial infection only, not subsequent downloads. The one infected machine I found had installed an additional item containing a perl script, which downloaded and ran a .sh file every 900 seconds and was not cleaned up by the instructions.

nikhsub1
Apr 10, 2012, 10:47 AM
Been using opendns for about a year now.
5 years here. All my clients too. It really helps cut malware.

Rocketman
Apr 10, 2012, 10:50 AM
This might be one of those moments Apple can ask Microsoft for help.

Rocketman

ddarko
Apr 10, 2012, 10:53 AM
Obviously a patch would have helped those who update regularly, but that's not a sizable group. Some of the 600,000 Macs might have avoided infection, but it would still be a huge botnet.

We don't know how many people do update regularly and we don't know if it would have been huge. What we do know is that the botnet would have been smaller - it surely wouldn't have been bigger if patches were available - and closing known security holes as quickly as possible is to be encouraged and allowing them to remain open for months is a Bad Thing.

Not really sure where you're going with this tangent. I never said it had anything to do with technical expertise.

The tangent is there to point out that even the most security-conscious Mac user would have been infected without the patches (outside of disabling Java). In other words, Flashback isn't the type of malware that, as you wrote, "is perpetuated by the type of users least likely to install any updates at all" - it perpetuated and infected even the type of users MOST likely to install updates.

nagromme
Apr 10, 2012, 10:53 AM
The end of an era!

We’ve gone from:

* 2001: Macs are just as dangerous as Windows, probably worse, because, even though there has never been a successful real-world malware infestation on OS X, thousands of them are just about to happen any minute now!

To:

* Macs are just as dangerous as Windows, probably worse, because there has been ONE successful real-world malware infestation on OS X.

(I definitely do count this instance: it’s not a virus, not a worm, but it’s not a mere Trojan either—it’s a Trojan that installs itself; meaning the web site itself is the Trojan Horse—and one link is all it takes to get to a web site.)

P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?

mmcc
Apr 10, 2012, 10:55 AM
Myth of the inherent invulnerability of OS X to malware... Busted! :eek:

Complacency from one of the highest-valued corporations in the world (if not the highest)? Sounds like another computer company with HQ in Redmond.

Funny how history repeats.

miles01110
Apr 10, 2012, 10:56 AM
We don't know how many people do update regularly and we don't know if it would have been huge. What we do know is that the botnet would have been smaller - it surely wouldn't have been bigger if patches were available

You don't know that at all. Available patches do not translate to more patched systems, especially amongst the user base most vulnerable to malware infections.

- and closing known security holes as quickly as possible is to be encouraged and allowing them to remain open for months is a Bad Thing.

Clearly.

Gasu E.
Apr 10, 2012, 10:56 AM
Typical Apple, shoot the messenger and hope the bad news he was bearing doesn't happen.

"If I close my eyes I can't see you!"


How you found that link is beyond me. I went to Apple.com, clicked contact, and found this page (http://www.apple.com/support/contact/).

EDIT: Bing manages to find it for me, so I guess it's findable, just not through Apple.

Go to the little search window on the Apple site and type "security". Then look at "Support Results" on the right.

KnightWRX
Apr 10, 2012, 10:57 AM
Myth of the inherent invulnerability of OS X to malware... Busted! :eek:

No one ever claimed OS X was invulnerable to malware. This isn't the first piece of malware for OS X anyhow.

ArtOfWarfare
Apr 10, 2012, 10:57 AM
This might be one of those moments Apple can ask Microsoft for help.

Rocketman

Right, because Microsoft is well known for having a secure platform.

topmounter
Apr 10, 2012, 10:58 AM
I've used OpenDNS for a number of years now and it works fine.

And what websites do you have to visit to get this "Flashback" thing exactly?

I checked both of my Macs using the command-line thing and neither of them is infected. Apparently none of my Mac-using friends have it either, which makes me question these infection numbers that are getting thrown around and whether the whole thing is just a viral marketing campaign by Norton to revitalize their company with a "radar gun / radar detector" business model now that Microsoft has finally made 3rd-party security software all but obsolete.

msimpson
Apr 10, 2012, 10:59 AM
Step 1: Fake trojan outbreak news

Step 2: Create bogus removal tool that infects Mac when run

Step 3: 20 million Macs now trojan'ed


:D

I sometimes wonder if these "security companies" who find these vulnerabilities, are not somehow connected to the hackers who exploit them. Particularly ones based in foreign countries where many of these attacks seem to originate.

Apple is no longer developing Java for OS X now that Oracle bought Sun and took over Java. I don't believe Java is included with the default Lion install. You specifically have to go download it and add it in. So if Oracle releases a fix for a Java security hole, it is understandable that Apple would need some time to make the changes to the JVMs they continue to support and then test them before rolling them out.

Most users have no need for Java on their machines these days. Very few mainstream web sites use it. Corporations that use Java-based apps are probably using some type of ERP system, like Oracle, that uses Java in some of its products, but the average Mac user has very little need for it.

As for Apple being "secretive" or "non-communicative" - typical press noise and hype. These security experts all want their 15 minutes of fame. Or more if they can get it.

It cracks me up how many people come to an Apple-focused web site to whine, complain, and throw hate at Apple. If you are a Windows user, why would you even visit a Mac-focused site? If you're an Apple hater, why even buy an Apple product? What a pitiful life you must lead.

bsolar
Apr 10, 2012, 10:59 AM
Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here (https://ssl.apple.com/support/security/) it clearly states how to contact Apple.

You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.
It's not a matter of becoming "pen pals", it's a matter of tackling the security issues as fast as possible so that the fewest users are at risk and the botnet does not become a bigger threat (and bloggers have less ammunition to start spreading FUD about Mac security).

Having direct contact information can help with that, but it's not needed, as long as someone fixes the vulnerability very fast and/or replies so that you can start a collaboration in the best interest of security.

Apple was informed long ago of the security holes. Apple did nothing. Zero. No fixes whatsoever. Many of those 600k infected machines could have been prevented with a more serious approach to security responses by Apple, which most likely needs to be implemented given that they are not under the radar anymore.

Gasu E.
Apr 10, 2012, 11:00 AM
Right, because Microsoft is well known for having a secure platform.

I think he means MS has more experience at handling major malware outbreaks.

Frobozz
Apr 10, 2012, 11:00 AM
If nothing else, I feel like this virus shows how relatively secure OS X is. If this is a bug that basically manifests through an issue in Java, that strengthens that argument.

While obviously a bad thing for Mac owners everywhere, it's nice to know how infrequently these issues arise on the Mac platform versus the Windows platform. To give Microsoft credit, they have come a long way, though. It seems like fewer and fewer viruses really hit critical mass for a Reuters article anymore. Or maybe I'm just not seeing them?

ddarko
Apr 10, 2012, 11:00 AM
You don't know that at all. Available patches does not translate to more patched systems, especially amongst the user base most vulnerable to malware infections.

Of course available patches translate into more patched systems. The only question is how many.

striker33
Apr 10, 2012, 11:05 AM
What's more annoying is that all the idiotic Windows fanboys are parading around every known social networking site gloating that Macs actually do get viruses.

How did so many people become so misinformed about the differences between trojans, worms, and viruses?

nagromme
Apr 10, 2012, 11:05 AM
Another piece I’m curious about: are email spam/phishing campaigns (possibly driven by Windows botnets) being used to send out clickable links to infected sites?

That’s a potential malware vector that I wouldn’t ignore if I were behind this, but email hasn’t been mentioned in the articles I’ve seen.

(By the way, Apple has stumbled in their communication on this—and maybe on their actions too—which does show their lack of experience; probably not their lack of caring. It may also be that this Russia-based sinkhole left them wondering who the good guys really are—which could well keep them silent while making sure of that. Even so, looking at the big security picture, I have to give credit where due: they’ve done things with Lion that NO other “more experienced” OS or vendor has done for security. They’re not the pros in every regard, but they do lead the security pack in other ways. Ways which make me even more glad to be on Mac.)

Also, as for Java being insecure, I always assumed that and always had it turned off, but it shouldn’t have been left to me to do so. Apple should turn it off by default, since most people never need it. I consider Java being enabled by default (much like Open Safe Files) to be a dropped ball by Apple. But easily remedied!


What's more annoying is that all the idiotic Windows fanboys are parading around every known social networking site gloating that Macs actually do get viruses.

How did so many people become so misinformed about the differences between trojans, worms, and viruses?

To be fair, “virus” (spreads itself from program to program) vs. “worm” (spreads itself from computer to computer) are terms few can tell apart, and even tech companies don’t always use them consistently. And “Trojan” is too simple a term—some distinction needs to be made between “requiring an unusual user action” and requiring simply visiting a web page. When I see Windows malware installing itself from someone simply visiting a web page, I certainly don’t minimize that risk! This time, it’s Macs. I guess “drive by” seems to be the term here, although I never heard that term before this.

Granted, trolls are making much more of this than it is (which no doubt hurts Mac sales as intended) but the term “virus” is kind of an understandable mistake.

No one ever claimed OS X was invulnerable to malware. This isn't the first piece of malware for OS X anyhow.

Exactly. First successful one, but here’s the real myth: the myth of “people who claim Macs are invulnerable.”

No, people merely claim they’re safer. Which they still are. For many reasons, all of them helpful!

Frobozz
Apr 10, 2012, 11:05 AM
Most users have no need for Java on their machines these days. Very few mainstream web sites use it. Corporations that use Java-based apps are probably using some type of ERP system, like Oracle, that uses Java in some of its products, but the average Mac user has very little need for it.

I tend to agree. I think the biggest use of Java these days on the Mac is in web platform development or software development in embedded platforms. Certainly not the typical user scenario.

msimpson
Apr 10, 2012, 11:10 AM
I've used OpenDNS for a number of years now and it works fine.

And what websites do you have to visit to get this "Flashback" thing exactly?

I checked both of my Macs using the command-line thing and neither of them is infected. Apparently none of my Mac-using friends have it either, which makes me question these infection numbers that are getting thrown around and whether the whole thing is just a viral marketing campaign by Norton to revitalize their company with a "radar gun / radar detector" business model now that Microsoft has finally made 3rd-party security software all but obsolete.

Microsoft has made 3rd-party security software all but obsolete? LMAO.

You obviously don't work in computer security, or have used Microsoft's ForeFront product. It is a weak product that most businesses don't rely on. Business for McAfee and Symantec security solutions, including endpoint systems, is busier than ever. The current APT landscape shows how sophisticated attacks have become, and that a multi-layer defense is priority number 1.

Apple could do more to improve its response to security issues, but the size of the security problems pale when compared to Windows. Windows 7 is a big improvement, but it still falls prey to the weakest link in the security chain - users who are uneducated and fall victim to phishing and other attacks.

KurtangleTN
Apr 10, 2012, 11:17 AM
http://i.imgur.com/imLTm.jpg

Most Apple fanboys at this moment. So many of them are grasping at straws, downplaying the situation, and pretending it's not a big deal when it's huge.

It's not a virus!!! DAMN ANTI APPLE MEDIA!! WE STILL DONT HAVE A VIARUS!! :D:apple:

Nobody cares about the difference between malware and a virus. Hell, how many true viruses have been released on Windows? This is an extremely potent thing that doesn't even need your admin password in order to install and begin.

To the college student, to the grandma, to the other less tech savvy Apple user they don't give a ****. They now have to think for the past couple of months their computer has possibly been tracked, used in attacks, and now they have to figure out what info could have been stolen.

This is an extremely serious infection that does extremely serious stuff. Apple's response was pathetic.

deannnnn
Apr 10, 2012, 11:17 AM
"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," says Sharov. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."

Ugh, this frustrates me.

MonkeySee....
Apr 10, 2012, 11:25 AM
Image (http://i.imgur.com/imLTm.jpg)

Most Apple fanboys at this moment. So many of them are grasping at straws, downplaying the situation, and pretending it's not a big deal when it's huge.

It's not a virus!!! DAMN ANTI APPLE MEDIA!! WE STILL DONT HAVE A VIARUS!! :D:apple:

Nobody cares about the difference between malware and a virus. Hell, how many true viruses have been released on Windows? This is an extremely potent thing that doesn't even need your admin password in order to install and begin.

To the college student, to the grandma, to the other less tech savvy Apple user they don't give a ****. They now have to think for the past couple of months their computer has possibly been tracked, used in attacks, and now they have to figure out what info could have been stolen.

This is an extremely serious infection that does extremely serious stuff. Apple's response was pathetic.

Well i'm still not sticking AV on my mac so in your expert opinion what sites should I avoid?

GadgetGav
Apr 10, 2012, 11:33 AM
It's not really "disclosed" (or "confirmed" as I've seen in other reports on this) that there are 600,000 Macs infected with the Flashback trojan. It's an ESTIMATE. If there were more accurate reporting around this story, there would be less chance for fanatics on either side to trot out their tired old cliches...

I also have a question about the authenticity of a never-before-heard-of security company who is running a "sinkhole" server to make these estimates of infection. It doesn't seem very far removed from the actual bad guys - indeed the Dr. Web guy says that it would be part of a malicious scheme if it wasn't them running it because they're not doing any harm to users. OK... Let's take him at his word, but what protection is there for their sinkhole server? How do we know that it's not now the prime target for the malicious hackers to inject some bad code...?

Anyway, I have three Macs in my household and none of them were infected, so as far as I'm concerned there's still no problem with MacOS.

It also seems from the Dr. Web page that if the trojan finds directories for either Little Snitch or Xcode it doesn't deploy, so that seems like easy and free protection to me...
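Since the thread keeps coming back to how Dr. Web arrived at its estimate, here is how a sinkhole count is produced, as an added example that is not Dr. Web's tooling or data. A sinkhole is simply a command-and-control domain the defender registers (or has pointed at a server it controls); infected hosts keep beaconing to it, the web server logs every request, and the log is tallied. Counting unique client IPs over-counts machines whose address changes and under-counts machines sharing one NAT, so a per-bot identifier in the request is preferred whenever the malware sends one. This example assumes the bot puts a UUID in its User-Agent after `id:`; that field, the log format (Apache combined) and the log lines themselves are constructed, using documentation IP ranges.

```python
"""Sinkhole log tally (added example, not Dr. Web's tooling).  A sinkhole is
a C2 domain the defender registers or has redirected; infected hosts keep
beaconing to it and the web server logs each request.  Assumption: the bot
sends a per-machine UUID in its User-Agent as "id:<uuid>".  The log lines
below are constructed in Apache combined format with documentation IPs."""
import re
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed beacon marker: "id:" followed by a UUID, anywhere in the User-Agent.
UUID_RE = re.compile(r"\bid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line; None if it is not a log line at all."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = UUID_RE.search(rec["ua"])
    rec["bot_id"] = u.group(1).lower() if u else None  # None: no beacon marker
    rec["day"] = rec["ts"].split(":", 1)[0]            # "08/Apr/2012"
    return rec


def tally(lines: Iterable[str]) -> Dict[str, object]:
    """Count distinct bots (by UUID), distinct beaconing IPs, and bots per day.

    Requests without the marker are counted as noise (crawlers, curious
    humans, other malware probing the domain) and excluded from the estimate.
    """
    bots, ips, per_day, noise = set(), set(), {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["bot_id"] is None:
            noise += 1
            continue
        bots.add(rec["bot_id"])
        ips.add(rec["ip"])
        per_day.setdefault(rec["day"], set()).add(rec["bot_id"])
    return {
        "unique_bots": len(bots),
        "unique_ips": len(ips),
        "noise_requests": noise,
        "bots_per_day": {day: len(ids) for day, ids in per_day.items()},
    }


# Constructed sample: one bot seen from two addresses, two bots behind one
# NAT, one unrelated visitor, and one line of garbage.
UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7) id:%s'
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Apr/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 0 "-" "%s"'
    % (UA % "6F1A2B3C-4D5E-4F60-8A9B-0C1D2E3F4A5B"),
    '203.0.113.7 - - [08/Apr/2012:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 0 "-" "%s"'
    % (UA % "11111111-2222-3333-4444-555555555555"),
    '198.51.100.20 - - [09/Apr/2012:03:15:44 +0000] "GET /index.php HTTP/1.1" 200 0 "-" "%s"'
    % (UA % "6f1a2b3c-4d5e-4f60-8a9b-0c1d2e3f4a5b"),
    '198.51.100.21 - - [09/Apr/2012:03:16:01 +0000] "GET /index.php HTTP/1.1" 200 0 "-" "%s"'
    % (UA % "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"),
    '192.0.2.9 - - [09/Apr/2012:08:00:00 +0000] "GET / HTTP/1.1" 200 0 "-" '
    '"Mozilla/5.0 (compatible; ExampleCrawler/1.0)"',
    "this is not a log line",
]

if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```

Two caveats follow from the design. The count only covers machines that beacon while the defender holds the domain, so a registrar takedown of the kind described in the article cuts off the data feed rather than the infection; and the sinkhole is an ordinary web server exposed to every infected host, so it must serve nothing executable and should log and drop anything beyond the beacon.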

KurtangleTN
Apr 10, 2012, 11:35 AM
Well i'm still not sticking AV on my mac so in your expert opinion what sites should I avoid?

Pardon? You realize that it wasn't just a couple of sites or malware from pirate sites?

All you had to do was go to an infected site on say google images and even if you denied the password you'd be infected.

D.T.
Apr 10, 2012, 11:47 AM
P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?

Another piece I’m curious about: are email spam/phishing campaigns (possibly driven by Windows botnets) being used to send out clickable links to infected sites?

That’s a potential malware vector that I wouldn’t ignore if I were behind this, but email hasn’t been mentioned in the articles I’ve seen.


Just wanted to quote both of your posts as I think they’re excellent points. We know this Java payload was sent down from visited sites and was able to execute outside of the sandbox due to a flaw in the Java distribution.

Which sites though? Did people reach those legitimately or has there been some kind of email, redirect, etc., mechanism to drive people to sites specifically designed to deliver it?

Again, great points, and there are still quite a few unanswered questions about this whole event.


I sometimes wonder if these "security companies" who find these vulnerabilities, are not somehow connected to the hackers who exploit them. Particularly ones based in foreign countries where many of these attacks seem to originate.


Yeah, while I meant that post as a joke, I don’t think it’s totally outside the realm of possibility that there are relationships in place (with all the players) that aren’t totally above board.

brdeveloper
Apr 10, 2012, 11:50 AM
Checked, Im clear. Macs still rock for me!!

Just did the command-line step-by-step:
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

I'm clean too. I'd like to see a more proactive attitude from Apple. Microsoft already has a pretty decent antivirus/antimalware built-in.

tonjik
Apr 10, 2012, 11:50 AM
Typical Apple, shoot the messenger and hope the bad news he was bearing doesn't happen.

"If I close my eyes I can't see you!"

Seems to me Apple is playing a game: shoot the hacker and his servers and hope it will demotivate other hackers from making viruses for Macs.

azentropy
Apr 10, 2012, 11:52 AM
Pardon? You realize that it wasn't just a couple of sites or malware from pirate sites?

All you had to do was go to an infected site on say google images and even if you denied the password you'd be infected.

I keep hearing that but have yet to see one reputable site by name announced as infected or that spread the infection.

Some people are making it out to be a bigger issue than it is and others are making it out to be a smaller issue than it is. Truth is probably somewhere in the middle.

BC2009
Apr 10, 2012, 11:54 AM
Secrecy has it's place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.

So so true. The one area I have been frustrated with Apple has been in their lack of partnership with the White Hat community. People who would say "I use a Mac so I am secure" are so naive. No system is safe. I heard a variant of the same thing just recently where folks touted "I use Chrome so I am secure" because it had not been hacked on Pwn2Own (since then it has been hacked). Let me share one simple truth... No system is fully secure. There is always a way in for a determined hacker -- always.

Apple does a good job of making things more difficult (especially with Lion and upcoming features in Mountain Lion), but a hacker need only find a single hole in any public-facing interface and he is in. Even the new Gatekeeper feature in Mountain Lion would have likely been vulnerable to this because I'm pretty sure it relies on setting a bit in a downloaded file that is downloaded via Safari or Mail. I'm pretty sure if you download something via FTP or via a vulnerable Java Runtime that bit is not going to be set and the code will still run just fine.

Apple really needs to constantly hammer and harden their OS as well as the commonly installed components like Java. You can say that "Flash" and "Java" are not Apple's responsibility, but they can make a Mac vulnerable and therefore require proper sandboxing as well. There are things Apple can do on their end to better protect users. This is why Mac App Store developers are now required to use the APIs to support sandboxing -- it is so very important to prevent installed software from exposing the rest of the system to malware.

White hat folks know all the tips and tricks to compromising a system. Simply give them access to some Apple-hosted macs and see if they compromise the systems in a new and unique way and pay them for every new exploit they find. But even if Apple does that -- it would still be true that no system is fully secure -- you are just increasing the skill level required for a hacker to compromise the system and thus narrowing the likelihood of an epidemic.

bedifferent
Apr 10, 2012, 11:56 AM
Just did the command-line step-by-step:
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

I'm clean too. I'd like to see a more proactive attitude from Apple. Microsoft already has a pretty decent antivirus/antimalware built-in.

Lately Apple seems to be taking an arrogant approach to these matters, including any criticism of their latest OS and lack of focus on OS X while iOS appears to be their golden child and OS X their redheaded stepchild. It would behove Apple to be more receptive in regards to OS X. Sure, Lion and Mountain Lion have added some security measures, but this recent overall attitude that they can do no wrong is hubris and will bite them in the behind.

CrickettGrrrl
Apr 10, 2012, 11:59 AM
The end of an era!

P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?

From this article: http://www.macworld.com/article/1166255/security_experts_600_000_plus_estimate_of_mac_botnet_likely_on_target.html

“A lot of things happened at the same time,” said Mike Geide, senior security researcher at Zscaler ThreatLabZ. “There have been mass compromises of WordPress sites, and the controllers [for those hijacked websites] match the domain structure Doctor Web described. That’s been ongoing since at least early March.”

WordPress is a popular open-source blogging and content management platform used by about one in seven websites.

Those usurped WordPress sites have been redirecting users to malicious URLs, where hackers have hosted the Blackhole exploit kit. Blackhole tries multiple exploits, including several aimed at Java bugs on Macs, to compromise machines.

The sheer size of the WordPress installed base and the scope of the WordPress injection campaign means that it would not have been impossible for hackers to poison more than 600,000 Macs.

This is one of the clearest articles I've read so far:
http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html

ddarko
Apr 10, 2012, 12:01 PM
It's not really "disclosed" (or "confirmed" as I've seen in other reports on this) that there are 600,000 Macs infected with the Flashback trojan. It's an ESTIMATE. If there were more accurate reporting around this story, there would be less chance for fanatics on either side to trot out their tired old cliches...

I also have a question about the authenticity of a never-before-heard-of security company who is running a "sink hole" server to make these estimates of infection. It doesn't seem very far removed from the actual bad guys - indeed the Dr. Web guy says that it would be part of a malicious scheme if it wasn't them running it because they're not doing any harm to users.

It seems you haven't been following this story closely. The 600,000 figure is derived from widely used and accepted techniques and it's being reported as "confirmed" or "disclosed" because Kaspersky Labs, a very well known and prominent security firm, reproduced Dr. Web's findings. Here's Kaspersky's writeup:

https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

Kaspersky used the same exact technique as Dr. Web - they set up a fake command and control server that all the computers infected by Flashback report to and counted the number of unique IP addresses - 600,000. They then used "passive OS fingerprinting techniques" and concluded that 98% of those bots came from Macs. Outside of inspecting each individual infected bot in person, this is as good and sound a number as we're going to get.

tonjik
Apr 10, 2012, 12:02 PM
Of course available patches translate into more patched system. The only question is how many.

And installs of patches and updates every few days translate into screwed users ;-)

Vegasman
Apr 10, 2012, 12:10 PM
Seems to me Apple is playing a game: shoot the hacker and his servers and hope it will demotivate other hackers from making viruses for Macs.

That was a great strategy when Sony used it :p

Dragado
Apr 10, 2012, 12:11 PM
No one ever claimed OS X was invulnerable to malware. This isn't the first piece of malware for OS X anyhow.

Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS. Lion is just about the most secure OS out there, definitely more secure than Windows.

Sensation
Apr 10, 2012, 12:46 PM
Poor show Apple, sort this mess out

KnightWRX
Apr 10, 2012, 12:48 PM
Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS.

There is nothing in the OS that prevents viruses, that is a myth. Macs are not prone to viruses at all though for the simple fact that none yet exist for OS X.

Lion is just about the most secure OS out there, definitely more secure than Windows.

Lion is not the most secure OS out there, far from it. OpenBSD currently would be one of the contenders for that spot, with their massive code audits.

Come on guys, it's not hard to stick to the facts.

blackhand1001
Apr 10, 2012, 12:50 PM
Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS. Lion is just about the most secure OS out there, definitely more secure than Windows.

You're kidding, right? You realize that Mac OS is one of the easiest OSes to hack. Even worse, if you have physical access to it you can even create an admin account without the need to even log in.

KnightWRX
Apr 10, 2012, 12:52 PM
You're kidding, right? You realize that Mac OS is one of the easiest OSes to hack. Even worse, if you have physical access to it you can even create an admin account without the need to even log in.

Something that can be done with physical access to about every OS out there... how is that surprising?

Once you throw in physical access, no OS can really be secure. Heck, even OpenBSD.

Renzatic
Apr 10, 2012, 12:52 PM
Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS. Lion is just about the most secure OS out there, definitely more secure than Windows.

"Ha! At least I'm not using Winblowz, right? They've got, like, 50 billion viruses. We've got one! OSX! It just works", he said, as thousands of dollars suddenly comes up missing from his bank account.

I love it. All the comments I'm reading on all these Mac websites all saying basically the same thing. "Yeah? Well...WINDOWS SUCKS OLOL I DON'T KNOW A SINGLE PERSON WHO'S GOTTEN THIS IT MUST BE FAKE THESE VIRUS COMPANIES ARE TRYING TO SELL ME THEIR STUPID PROGRAMS BY STARTING A PANIC". No. It's not just a big scare. 600,000 Macs have been infected by a bug that slipped past elevation permissions and installed itself without any forewarning. It blows, sure. But it was an inevitability. Why? Because there's no such thing as a perfectly secure OS. Someone was eventually bound to take advantage of a weakness in OSX to get some credit card numbers.

Why people are treating this like it's a personal offense, I have no idea. I mean it's your damn computer getting a bug, not someone telling you your wife has been pimping herself out at truck stops or something, forcing you to pull the denial card to save some face. Having an attitude like that will only make it that much easier for it to happen again in the future. Just accept what went down, and get your updates more often. Life will go on as usual.

nostaws
Apr 10, 2012, 12:57 PM
Of course available patches translate into more patched systems. The only question is how many.

In 2012 Microsoft and Apple are better about pushing out security updates. Whether it is Windows with a little bubble that pops up, or OS X with the software update. Users of modern OSes are much more likely to install security updates than they would have 5+ years ago.

While I personally don't like Software Update always contacting their servers I do leave the feature enabled so I don't miss a security update.

Asclepio
Apr 10, 2012, 01:05 PM
Goodbye Mac OS, Hello Windows 8 ®

Rocketman
Apr 10, 2012, 01:07 PM
I think he means MS has more experience at handling major malware outbreaks.

Correct.

nostaws
Apr 10, 2012, 01:07 PM
"Arrogant" isn't the word I would use. No company is going to say: "hey! check out our new OS, it is bloated, buggy, inefficient, and prone to trojans!"

OS X is a PRODUCT. They are going to put it in the best possible light in order to sell more copies, computers, etc.


Lately Apple seems to be taking an arrogant approach to these matters, including any criticism of their latest OS and lack of focus on OS X while iOS appears to be their golden child and OS X their redheaded stepchild. It would behove Apple to be more receptive in regards to OS X. Sure, Lion and Mountain Lion have added some security measures, but this recent overall attitude that they can do no wrong is hubris and will bite them in the behind.

NorEaster
Apr 10, 2012, 01:16 PM
Why people are treating this like it's a personal offense, I have no idea. I mean it's your damn computer getting a bug, not someone telling you your wife has been pimping herself out at truck stops or something, forcing you to pull the denial card to save some face. Having an attitude like that will only make it that much easier for it to happen again in the future. Just accept what went down, and get your updates more often. Life will go on as usual.

Bravo...well said :) As Macs become more popular, more malware (trojans, viruses, etc) is inevitable. Accept it and move on.

Let's hope Tim Cook and Co. have the foresight to take this seriously (which I actually think they do, even though I don't have proof of it.). You don't/can't run a world-class software (+hardware) company without taking security seriously these days.

bsolar
Apr 10, 2012, 01:27 PM
I'm clean too. I'd like to see a more proactive attitude from Apple. Microsoft already has a pretty decent antivirus/antimalware built-in.
Antiviruses tend to hit performance very hard and actually are not that effective. You need to update the signatures basically every day, hope that false positives don't screw some perfectly legit application, and hope that the updated signatures actually are up-to-date enough to cover the latest security threat.

It would be better to invest all of the effort which goes into antiviruses into educating users, setting up safer practices (à la Mountain Lion's "only run it if from App Store" by default) and fixing security issues much faster.

SockRolid
Apr 10, 2012, 01:31 PM
Seems trivial to detect and remove Flashback Checker. I would expect the next Lion update to include a script that removes it as part of the upgrade process.

Of course, not everybody updates their OS X installations as fanatically as us MacRumors regulars...

----------

Antiviruses tend to hit performance very hard and actually are not that effective. [...]

It would be better to invest all of the effort which goes into antiviruses into educating users, setting up safer practices (à la Mountain Lion's "only run it if from App Store" by default) and fixing security issues much faster.

+1.

Eventually, OS X could become as closed (and as safe) as iOS.
It's the only way to ensure security.

lostngone
Apr 10, 2012, 01:34 PM
Eventually, OS X could become as closed (and as safe) as iOS.
It's the only way to ensure security.

But iOS is NOT safe...

RedCroissant
Apr 10, 2012, 01:35 PM
I don't think that Apple's lack of communication with the general public or other companies in regard to security is equal to sticking their heads in the sand and pretending that nothing is happening. The fact that OS X is by its design more secure has been known since its introduction, and the fact that serious infections of a system require a user's authorization is another testament to how great it is.

What makes people think that Apple is arrogant in regards to security anyway? Would you want to ignore security vulnerabilities when that would decrease your ability to exist as a corporation? The only way that one could claim that they were arrogant is if they suddenly fired their security staff and got rid of a security department (I doubt that will ever happen). The fact that Macs don't ship with Flash (and that Apple is partially responsible for the increase in alternative forms of web-based content development) or Java (probably because they know that it is a vulnerability) shows that they are taking this seriously. OS X 10.8 will include another security measure called "Gatekeeper" to help as well. This is in addition to the security measures one can already take in regards to Safari, location services, your own customizable firewall, and common sense when installing applications and updates.

Now take those points along with Apple working with Safari developers to make extensions that also help security. I have Adblock, Cookie Stumbler, and ClickToFlash installed along with having Java disabled for some time now. I also have Google Disconnect and Facebook Disconnect to decrease even further the number of cookies and partial system intrusions and tracking that I have to deal with. So when people claim that Apple is not being communicative or cooperative enough, I just take a look at my own system and the tools that have been made available to users to help them protect themselves from the existing malware and realize that they are doing a great job.

C. Alan
Apr 10, 2012, 01:37 PM
I’m sure it’s fine, and if you’re paranoid you can compile the source yourself (though if you can compile source, you should be able to perform the manual check easily...)

Heck, given that it just uses a command-line script, there may be 20 total lines of code involved in this checker all together.

I've said it once, and I will say it again: 600k machines being infected is at best a WAG. I think the actual number is much, much lower.

toronado455
Apr 10, 2012, 01:45 PM
Does Flashback only threaten Snow Leopard and Lion? What about Tiger?

D.T.
Apr 10, 2012, 01:49 PM
I've said it once, and I will say it again: 600k machines being infected is at best a WAG. I think the actual number is much, much lower.

I agree, and though it's ~totally~ unscientific, nobody in my group of family, friends and colleagues got it. That's people that range from the "hardcore" to the "I can't find my Safari icon" level users :)

I’d say that most of them probably didn’t have Java installed (especially the more casual users, I can’t think why they’d run into needing it), which leads me to wonder about the users that _do_ have it installed. Of the “600K” that were supposedly infected, that must have had Java installed, what and why?

You also have to wonder if there’s some other connection between the users that did get it (whatever actual number that is). Like a common website that maybe had a redirect (or was directly infected)[?]

tbrinkma
Apr 10, 2012, 02:00 PM
I find this whole thing somewhat amusing. Sure, 600k systems is a pretty big number. On the other hand, news about bot nets hunting for Windows systems doesn't start making the rounds until they cross the multi-million system mark.

Apple has never been known for their transparency. That's fine in most cases, but sub-optimal in this one. They need to work on that moving forward. That said, even the security researchers think Apple was taking the right steps, proactively hunting down the control servers and getting them shut down. They just weren't talking to the security researchers about their progress in the mean-time.

Definitely something to work on. Unfortunately that flaw isn't particularly rare across the industry. :(

ixodes
Apr 10, 2012, 02:10 PM
After years of non-stop computing using Macs, I'm concerned. Largely for two reasons.

If one steps back and looks at the big picture, the most disturbing issue I have is amount of time Apple allowed to elapse with their head in the sand. Complete radio silence (lack of communication).

If their head was not in the sand, then they should have communicated with the user base, and in turn the public.

They've failed to learn anything about damage control from the other big corporations that have faced negative challenges. Communication is everything.

Second is the fact that by remaining silent, it invites nothing but speculation, none of which is good for Apple's reputation. They can only abuse the positive halo that surrounds them for so long, and eventually the users will turn against them. It also leaves Apple open to accusations that they are simply being arrogant.

No company is perfect, but by at least making your users feel as though they are appreciated, by conveying that Apple is doing everything it can to get a handle on this, they appear proactive, concerned, diligent, responsible and professional.

That's the Apple I'd feel good about.

Oletros
Apr 10, 2012, 02:14 PM
I've said it once, and I will say it again: 600k machines being infected is at best a WAG. I think the actual number is much, much lower.

Any reason for this claim?

topmounter
Apr 10, 2012, 02:17 PM
Microsoft has made 3-rd party security software all but obsolete? LMAO.

You obviously don't work in computer security, or have never used Microsoft's ForeFront product. It is a weak product that most businesses don't rely on. Business for McAfee and Symantec security solutions, including endpoint systems, is busier than ever. The current APT landscape shows how sophisticated attacks have become, and that a multi-layer defense is priority number 1.

Apple could do more to improve its response to security issues, but the size of the security problems pale when compared to Windows. Windows 7 is a big improvement, but it still falls prey to the weakest link in the security chain - users who are uneducated and fall victim to phishing and other attacks.

Security Essentials has been more than adequate on my Win7 machine. Of course it is always NAT'd behind my router and I don't use POP3 email or surf warez sites on it.

Truffy
Apr 10, 2012, 02:31 PM
Maybe, maybe not. It wouldn't be surprising if the vast majority of those infected don't even know it. Malware on all platforms is perpetuated by the type of users least likely to install any updates at all.
Can you substantiate that claim? I run regular updates. If this had been pushed out earlier my machines would have been protected earlier. (Although not having users run with admin rights probably helps).

C. Alan
Apr 10, 2012, 02:55 PM
Any reason for this claim?

The security industry, whether it be computer or otherwise, is a business model based on fear. So it is in their best interest to always put forward the worst case scenario.

Oletros
Apr 10, 2012, 02:59 PM
The security industry, whether it be computer or otherwise, is a business model based on fear. So it is in their best interest to always put forward the worst case scenario.

Ah, I thought you would have something to prove the methodology used to count those 600k computers false.

C. Alan
Apr 10, 2012, 03:13 PM
Ah, I thought you would have something to prove the methodology used to count those 600k computers false.

Actually after having done some more research, I may have to eat my own words...

The methodology they used to come up with the number was pretty clever. They took over one of the domains that the trojan was set up to check in with. According to this article, (http://arstechnica.com/apple/news/2012/04/new-analysis-backs-half-million-mac-infection-estimate.ars) they counted the number of unique requests in a 24 hour period, and based their estimates off that.

So that number may not be that far off.

I hope the crow is good today, because I appear to be eating it....
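The counting method described in this post and in ddarko's earlier one (take over a domain the bot polls, log every check-in, count unique source IPs over 24 hours) is simple enough to show end to end. The block below is an added example and not Dr. Web's or Kaspersky's code: it runs the count over a constructed sinkhole log and also shows the two caveats a practitioner would raise, hosts hidden behind one NAT address (undercount) and a host that re-appears under a new address (overcount). The log format and the per-host "bot id" column are assumptions made for this example.

```python
"""Toy sinkhole counter (added example; not the researchers' code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole log, one check-in per line: "<ISO timestamp> <source IP> <bot id>".
# The bot id is an assumed per-host identifier; it is what lets NAT be seen through.
SAMPLE_LOG = """\
2012-04-06T00:01:00 203.0.113.10 bot-a
2012-04-06T00:05:00 203.0.113.10 bot-a
2012-04-06T01:00:00 203.0.113.11 bot-b
2012-04-06T02:00:00 198.51.100.5 bot-c
2012-04-06T02:00:30 198.51.100.5 bot-d
2012-04-06T12:00:00 203.0.113.12 bot-e
this line is malformed and is skipped
2012-04-07T00:30:00 203.0.113.13 bot-f
2012-04-07T03:00:00 203.0.113.99 bot-a
"""


def parse_log(text):
    """Yield (timestamp, ip, bot_id) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def checkins_in_window(text, window_start, window=timedelta(hours=24)):
    """Return the (ip, bot_id) pairs seen in [window_start, window_start + window).

    window_start may be a datetime or an ISO-8601 string."""
    if isinstance(window_start, str):
        window_start = datetime.fromisoformat(window_start)
    end = window_start + window
    return [(ip, bot) for ts, ip, bot in parse_log(text) if window_start <= ts < end]


def estimate_size(text, window_start):
    """Return (unique_ips, unique_bots) for the 24 hours starting at window_start.

    unique_ips is the figure the thread describes; unique_bots is what the same
    log shows once hosts sharing an address are told apart."""
    pairs = checkins_in_window(text, window_start)
    return len({ip for ip, _ in pairs}), len({bot for _, bot in pairs})


def nat_addresses(text, window_start):
    """Return {ip: set_of_bot_ids} for addresses with more than one host behind them."""
    behind = defaultdict(set)
    for ip, bot in checkins_in_window(text, window_start):
        behind[ip].add(bot)
    return {ip: bots for ip, bots in behind.items() if len(bots) > 1}


def double_counted(text, first_start, second_start):
    """Bot ids seen in both windows under different IPs: one host, counted twice."""
    first = {bot: ip for ip, bot in checkins_in_window(text, first_start)}
    second = {bot: ip for ip, bot in checkins_in_window(text, second_start)}
    return {bot for bot in first if bot in second and first[bot] != second[bot]}


if __name__ == "__main__":
    day1 = "2012-04-06T00:00:00"
    day2 = "2012-04-07T00:00:00"
    ips, bots = estimate_size(SAMPLE_LOG, day1)
    print("unique IPs in 24h:", ips, "| distinct hosts:", bots)
    print("addresses with several hosts behind them:", nat_addresses(SAMPLE_LOG, day1))
    print("hosts counted again on day 2 under a new IP:", double_counted(SAMPLE_LOG, day1, day2))
```

The 24-hour window is the trade-off: long enough that most bots poll at least once, short enough that a host whose dynamic address changes is mostly counted once. A bot identifier, when the malware sends one, is the better key; the unique-IP count is a lower bound under NAT and an upper bound under address churn.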

charlituna
Apr 10, 2012, 03:28 PM
Typical apple ...

Last I checked this was an issue with Java, so why is anyone harassing Apple for solutions?

----------

Well, it's good to know Apple is going after the botnet's command and control servers but wouldn't it have been great if it had pushed out the patch for the Java exploit back in February? They'd probably be dealing with far fewer infected Macs if Apple security hadn't been so complacent.


What about if Java had never had said exploit in the first place?

Oletros
Apr 10, 2012, 03:31 PM
Last I checked this was an issue with Java, so why is anyone harassing Apple for solutions?

Perhaps because Oracle patched that exploit months ago for all the other platforms?

charlituna
Apr 10, 2012, 03:37 PM
Secrecy has it's place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.

Apple put out notice that folks using Java should get it from the source so they get updates the moment they are released by the source. Same with Flash.

So how do they have their heads up their butts over an issue with software they didn't create?

Next you'll say that Apple needs to fix all the security issues with Windows because it can be run on Mac hardware

----------

I sometimes wonder if these "security companies" who find these vulnerabilities, are not somehow connected to the hackers who exploit them.

How do we know they didn't make these 'viruses' so they could find them, freak folks out and hype themselves?

Oletros
Apr 10, 2012, 03:47 PM
Apple put out notice that folks using Java should get it from the source so they get updates the moment they are released by the source.

http://www.java.com/en/download/apple_manual.jsp?locale=en
Java for Apple

Apple supplies their own version of Java. Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac.

And please, can you link to that Apple notice?

trunten
Apr 10, 2012, 04:42 PM
Am I the only one that thinks it's kind of heartening to know that Apple were keeping track of this enough to try and shut down the sink hole? Seems fairly pro-active to me.

GGJstudios
Apr 10, 2012, 04:51 PM
These threads on the Flashback trojan are getting boring.

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection (http://support.apple.com/kb/ht4651) built in, further reducing the need for 3rd party antivirus apps.
Mac Virus/Malware FAQ (http://guides.macrumors.com/Mac_Virus/Malware_FAQ)

Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

Uncheck "Enable Java" in Safari > Preferences > Security. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

Change your DNS servers to OpenDNS servers by reading this (http://guides.macrumors.com/Mac_Virus/Malware_FAQ#Why_am_I_being_redirected_to_other_sites.3F).

Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

Never let someone else have access to install anything on your Mac.

Don't open files that you receive from unknown or untrusted sources.

Make sure all network, email, financial and other important passwords are complex, including upper and lower case letters, numbers and special characters.

Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.

That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.

If you are required to run antivirus (such as by a school or work network), ClamXav (http://www.clamxav.com/) is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system. ClamXav has a Sentry feature which, if enabled, will use significant system resources to constantly scan. Disable the Sentry feature. You don't need it. Also, when you first install ClamXav, as with many antivirus apps, it may perform an initial full system scan, which will consume resources. Once the initial scan is complete, periodic on-demand scans will have much lower demands on resources.
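Two of the things discussed in this thread can be scripted instead of clicked through: the manual infection check from the F-Secure page linked earlier (several posters ran it by hand), and the Safari and firewall items from the list above. The block below is an added example and is not code from the thread, from F-Secure or from Apple. It assumes what the F-Secure description has users look for with `defaults read`: a DYLD_INSERT_LIBRARIES entry in a browser's Info.plist LSEnvironment dictionary or in ~/.MacOSX/environment.plist. The preference keys it audits (AutoOpenSafeDownloads and WebKitJavaEnabled in com.apple.Safari, globalstate in com.apple.alf) are the ones Safari 5 and OS X 10.6/10.7 used; the post names the checkboxes, not the keys. Every plist it reads is constructed inline so it runs anywhere; on a Mac you would load the real files from the application bundle and ~/Library/Preferences.

```python
"""Flashback indicator check and safe-settings audit (added example, not the
thread's, F-Secure's or Apple's code). Operates on plist dictionaries."""
import plistlib


def flashback_indicators(info_plist, environment_plist=None):
    """Return a list of findings; an empty list means neither indicator is present.

    info_plist: the browser bundle's Info.plist as a dict.
    environment_plist: ~/.MacOSX/environment.plist as a dict, or None if absent."""
    findings = []
    lsenv = info_plist.get("LSEnvironment") or {}
    if "DYLD_INSERT_LIBRARIES" in lsenv:
        findings.append("Info.plist LSEnvironment injects " + lsenv["DYLD_INSERT_LIBRARIES"])
    env = environment_plist or {}
    if "DYLD_INSERT_LIBRARIES" in env:
        findings.append("environment.plist injects " + env["DYLD_INSERT_LIBRARIES"])
    return findings


# Hardened values for the two Safari settings the post says to uncheck.  An
# absent key means Safari's default applies, and both were enabled by default.
SAFARI_HARDENED = {"AutoOpenSafeDownloads": False, "WebKitJavaEnabled": False}


def audit_settings(safari_prefs, alf_prefs):
    """Return {setting: (current, recommended)} for every setting still in the weak state."""
    weak = {}
    for key, want in SAFARI_HARDENED.items():
        current = safari_prefs.get(key, True)
        if current != want:
            weak["Safari " + key] = (current, want)
    # com.apple.alf globalstate: 0 = firewall off, 1 = on, 2 = block all incoming.
    state = alf_prefs.get("globalstate", 0)
    if state < 1:
        weak["Firewall globalstate"] = (state, 1)
    return weak


def load(xml_bytes):
    """Parse an XML plist from bytes (on a Mac: plistlib.load(open(path, 'rb')))."""
    return plistlib.loads(xml_bytes)


# --- constructed sample data; none of these are real system files ---
CLEAN_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

# The injected path is a placeholder, not a real Flashback file name.
INFECTED_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/PLACEHOLDER/injected.so</string>
  </dict>
</dict></plist>"""

ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/PLACEHOLDER/injected.so</string>
</dict></plist>"""

WEAK_SAFARI = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutoOpenSafeDownloads</key><true/>
  <key>WebKitJavaEnabled</key><true/>
</dict></plist>"""

WEAK_ALF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>globalstate</key><integer>0</integer>
</dict></plist>"""


if __name__ == "__main__":
    print("clean bundle:", flashback_indicators(load(CLEAN_INFO)))
    print("infected bundle:", flashback_indicators(load(INFECTED_INFO), load(ENV_PLIST)))
    print("weak settings:", audit_settings(load(WEAK_SAFARI), load(WEAK_ALF)))
```

A missing Safari key is treated as the weak state on purpose: the audit should flag a machine that was never configured, not just one that was explicitly set the wrong way.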

sweetie81
Apr 10, 2012, 04:56 PM
To be honest I wouldn't panic. If nobody surfs with root privileges everyone should be fine, as I understand that for a specific command you'd need su access, no?

And I don't know if the code, even if embedded in a website, could use the internal structures and commands of Unix?

GGJstudios
Apr 10, 2012, 05:00 PM
To be honest I wouldn't panic. If nobody surfs with root privileges everyone should be fine, as I understand that for a specific command you'd need su access, no?
Root privileges aren't required for this trojan to infect. It can infect while running an admin or standard account.

Dragado
Apr 10, 2012, 06:52 PM
There is nothing in the OS that prevents viruses, that is a myth. Macs are not prone to viruses at all though for the simple fact that none yet exist for OS X.

You should read what I said before replying. I said that Macs are "less prone" to viruses, not invulnerable. As for what's in the OS that makes it this way? It's a four-letter word: UNIX. That, and Apple has done a good job on the OS X side as well.

EDIT: Plus, there's sandboxing. While it is optional, it does help to prevent things such as code injection from doing too much damage. There is no virus-proof OS and there likely never will be, but OS X is "less prone" than certain other OSes out there.

toronado455
Apr 10, 2012, 06:52 PM
Does logmein require Java?

GGJstudios
Apr 10, 2012, 06:54 PM
Does logmein require Java?
Why not simply disable Java in your browser and find out?

senseless
Apr 10, 2012, 07:00 PM
Does Flashback only threaten Snow Leopard and Lion? What about Tiger?

Seems like an obvious question that hasn't been answered yet.

GGJstudios
Apr 10, 2012, 07:05 PM
Does Flashback only threaten Snow Leopard and Lion? What about Tiger?
Seems like an obvious question that hasn't been answered yet.
I missed that one, so thanks for catching it. I don't think it's restricted to SL and Lion.

toronado455
Apr 10, 2012, 07:56 PM
Why not simply disable Java in your browser and find out?

I'll tell you why. Because I'm using a PC. It's the Mac that has the logmein software installed, and I use the PC to remotely control the Mac.

GGJstudios
Apr 10, 2012, 07:59 PM
I'll tell you why. Because I'm using a PC. It's the Mac that has the logmein software installed, and I use the PC to remotely control the Mac.
You can still remotely access Safari Preferences, right?

GadgetGav
Apr 10, 2012, 08:08 PM
It seems you haven't been following this story closely. The 600,000 figure is derived from widely used and accepted techniques and it's being reported as "confirmed" or "disclosed" because Kaspersky Labs, a very well known and prominent security firm, reproduced Dr. Web's findings.

You're right - I haven't been following it very closely.
I have never believed that my Macs are invulnerable to viruses and trojans, so I use the web carefully. When the news broke, I followed F-Secure's guide to check for infection and found I was OK. Just to be safe, I turned off all the Java settings that people were advising could provide protection. Then Apple released a patch, so I installed that. I also have Xcode installed, so it seems like this might not have even done its thing on my machine even if I had come across it.

As far as it affects me, I've been following it enough. I'll just stop posting to forum threads about it.

toronado455
Apr 10, 2012, 08:10 PM
You can still remotely access Safari Preferences, right?

Yes, but we don't use Safari.

I'm considering globally disabling Java on the Mac in the Java Preferences Utility and want to make sure that the LogMeIn Host Software doesn't use/need Java enabled in order to work.

Mac is running Snow Leopard.

GGJstudios
Apr 10, 2012, 08:14 PM
Yes, but we don't use Safari.

I'm considering globally disabling Java on the Mac in the Java Preferences Utility and want to make sure that LogMeIn Host Software doesn't use/need Java enabled in order to work.
If you can't get physical access to the Mac and you're concerned that disabling Java may cause you to lose access altogether, you could install TeamViewer (www.teamviewer.com) on the Mac and use that as a backup connection. That way if disabling Java affects LogMeIn, you can still control the Mac via TeamViewer. I prefer it over LogMeIn (https://secure.logmein.com/products/free/) anyway, because it includes free file transfers between computers, a feature I use frequently.

KurtangleTN
Apr 10, 2012, 08:36 PM
I love how people are saying the 600k number, which is scientifically solid, is bunk because their personal Mac might not have it.

Damn I knew fanboys were delusional but the lengths they'll go just makes me laugh.

Last I checked this was an issue with Java, so why is anyone harassing Apple for solutions?

Because it was patched by Oracle and Apple waited 2 months to patch their own version. Pretty pathetic.

As if we needed more examples of Apple neglecting the Mac. As if stagnant hardware, practically no innovation on them, a mediocre-as-it-gets Lion update, lack of time at events, etc. weren't enough, they take months to compile Java and send it out.

sha4000
Apr 10, 2012, 09:11 PM
Security Essentials has been more than adequate on my Win7 machine. Of course it is always NAT'd behind my router and I don't use POP3 email or surf warez sites on it.

Yeah since I've been using MSE I don't even think about having to keep the AV up to date. It just does its thing and doesn't slow the PC down one bit.

aristotle
Apr 10, 2012, 09:14 PM
Goodbye Mac OS, Hello Windows 8 ®
Bye bye. Welcome to my block list.

Renzatic
Apr 10, 2012, 09:45 PM
Bye bye. Welcome to my block list.

You'd block someone over that? Seriously?

Oh great. Now he's blocked me.

SockRolid
Apr 10, 2012, 10:01 PM
But iOS is NOT safe...

I said "(and as safe) as."

iOS is safer than OS X. And vastly safer than what you get from the "chaotic cesspool" of Android Market.

Oops. I meant to type "Google Play" but it sounds so dumb that I resist it. Unbelievably bad name.

Krazy Bill
Apr 10, 2012, 10:57 PM
How did so many people become so misinformed about the differences between trojans, worms, and viruses?

Who gives a rat's ass what it's called and what the difference is? It's annoying the hell out of those infected and Apple should have patched their version of Java (which is the only one you can use BTW) a long time ago.

Holy crap. Something that can finally infect OSX without any user intervention and people bog down on silly-assed semantics.

LOL!

KurtangleTN
Apr 10, 2012, 11:53 PM
Who gives a rat's ass what it's called and what the difference is? It's annoying the hell out of those infected and Apple should have patched their version of Java (which is the only one you can use BTW) a long time ago.

Holy crap. Something that can finally infect OSX without any user intervention and people bog down on silly-assed semantics.

LOL!

It's what the fanboys are clinging to right now.

As I said earlier, it doesn't matter to anyone besides Apple fanboys what it's labeled as.

It certainly does not matter to any of the poor people who got infected. Their data loss could be immense: online passwords, banking details, and hell, this is tax season. How many SSNs did they grab that could now be used for terrorist activities or certainly identity theft?

What's truly sad is that many are probably still infected now and don't know it; Apple has yet to truly address this in the months that it's been out.

Oletros
Apr 11, 2012, 12:09 AM
And vastly safer than what you get from the "chaotic cesspool" of Android Market.

Exactly why is it safer?

sweetie81
Apr 11, 2012, 05:59 AM
Root privileges aren't required for this trojan to infect. It can infect while running an admin or standard account.

Ooooh! Thanks. Didn't know that. Thanks for clarifying for me.

ri0ku
Apr 11, 2012, 06:20 AM
Guys, I just ran the checker and it's showing "Potential issue found at: ~/.MacOSX/environment.plist
/Users/Shared/.libgmalloc.dylib"

What do I do to get rid of it? Do I simply locate that area and delete? I've never had an infection issue on OSX before.

Edit: Nevermind, I just followed the terminal guide and I think I did it right as the checker is now saying no infection found.

Should we be changing all our passwords for things now because of this?

standingquiet
Apr 11, 2012, 07:47 AM
Guys, I just ran the checker and it's showing "Potential issue found at: ~/.MacOSX/environment.plist
/Users/Shared/.libgmalloc.dylib"

What do I do to get rid of it? Do I simply locate that area and delete? I've never had an infection issue on OSX before.

Edit: Nevermind, I just followed the terminal guide and I think I did it right as the checker is now saying no infection found.

Should we be changing all our passwords for things now because of this?

I have this too what did you do to get rid of it? I ran the terminal but it didn't do anything.

ri0ku
Apr 11, 2012, 08:24 AM
I have this too what did you do to get rid of it? I ran the terminal but it didn't do anything.

I just followed the terminal guide; I used every single command in the guide right to the end. Then when I checked using the checker it said no infection found.

It didn't work at first because I had accidentally copied a space in one of the command lines; you have to copy just the command.

aristotle
Apr 11, 2012, 10:19 AM
You'd block someone over that? Seriously?

Oh great. Now he's blocked me.
I put him on my ignore list because it was an obvious flamebait post with no redeemable value even related to the topic at hand.

Back on topic:
I checked out the code for that checker and it all seems to be on the up and up. So everyone can use that or the terminal commands posted on the F-Secure site to check out their machines.

If you had one of the Mac anti-virus programs already installed then your chances of infection by this particular trojan are basically zero, as it will delete itself if it detects one or "Little Snitch" installed on your system.

Never blindly trust an install popup that you did not initiate yourself. If you need to update your Flash, be sure to go directly to the adobe.com site to do it.

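A read-only check for the two indicators quoted in ri0ku's post, added here as an example; it is not the Flashback Checker's code and not the F-Secure terminal guide. The two paths come from the thread; the DYLD_INSERT_LIBRARIES key is what the malware set in that plist to get its library loaded. The directory arguments are an assumption so the check can be dry-run against a scratch tree.

```shell
#!/bin/sh
# Added example, not the Flashback Checker's code: report the two
# indicators the checker printed in the thread without deleting anything.
# Directory arguments are assumed so the check can run on a scratch tree;
# on a real Mac the defaults are $HOME and /Users/Shared.

# Usage: flashback_indicators [HOME_DIR] [SHARED_DIR]
# Prints each indicator found; exit status 0 = nothing found, 1 = found.
flashback_indicators() {
  home_dir="${1:-$HOME}"
  shared_dir="${2:-/Users/Shared}"
  found=0

  # ~/.MacOSX/environment.plist is applied to every app the user launches;
  # Flashback used it to set DYLD_INSERT_LIBRARIES so its dylib is loaded
  # into browsers and other programs.
  plist="$home_dir/.MacOSX/environment.plist"
  if [ -f "$plist" ]; then
    echo "Potential issue found at: $plist"
    if grep -q DYLD_INSERT_LIBRARIES "$plist" 2>/dev/null; then
      echo "  (sets DYLD_INSERT_LIBRARIES: library injection into user apps)"
    fi
    found=1
  fi

  # The injected library itself, dropped in the world-writable shared directory.
  dylib="$shared_dir/.libgmalloc.dylib"
  if [ -f "$dylib" ]; then
    echo "Potential issue found at: $dylib"
    found=1
  fi

  if [ "$found" -eq 0 ]; then
    echo "No infection indicators found under $home_dir and $shared_dir"
  fi
  return "$found"
}

# Run against the real locations when invoked directly (no arguments).
flashback_indicators "$@"
```

A hit only means the files are present; the checker in the thread stops at the same point, and cleanup still follows the vendor guide rather than this script.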
SockRolid
Apr 11, 2012, 12:25 PM
Exactly why is it safer?

It is safer because Apple curates. Almost no malware compared to the Android cesspool.

Oletros
Apr 12, 2012, 03:17 AM
It is safer because Apple curates. Almost no malware compared to the Android cesspool.

Thanks, I agree with that.

iLog.Genius
Apr 12, 2012, 09:37 PM
I don't know how effective this really is. I just ran this and it said no infection was found but then I just read that Apple released a fix. Ran that and it said there was something found and it was removed...