600,000 Macs Worldwide Reportedly Infected by Flashback Trojan

[MacRumors]

Ars Technica reports on a Tweet from Russian malware analyst Ivan Sorokin at Dr. Web claiming that the Flashback trojan has now infected over 600,000 Macs worldwide. That number reportedly includes 274 machines "from Cupertino", presumably meaning at Apple's headquarters.

Quote:

According to Dr. Web, the 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them.

The authors of the Flashback trojan have continued to tweak the software since it first surfaced last September, adjusting its tactics several times to include both social engineering tricks and exploits of vulnerabilities.

The most recently-seen version of Flashback surfaced earlier this week, exploiting a Java vulnerability that was unpatched on OS X. While Oracle had released an update closing the hole on Windows back in February, Apple had yet to issue a fix for Macs, as the company has historically maintained its own Java updates that are deployed some time after Oracle issues its own corresponding updates. But just a day after that report, Apple did update Java to address the vulnerability being exploited by Flashback.

Antivirus firm F-Secure has instructions on how users can determine whether their machines are infected by the Flashback trojan. The instructions do involve running commands in Terminal, and users should thus take care to follow the instructions exactly.

Article Link: 600,000 Macs Worldwide Reportedly Infected by Flashback Trojan

[jman240]

Here we go again....

At least it appears to be easier to remove than a Windows style malware infection...

[manu chao]

One more reason to keep Java disabled in my browsers, Java gets patched more often every year than I actually need Java in a browser.

[basesloaded190]

I'm usually against cruel and unusual punishment, but people who spend their life creating these Trojans and other things need to be punished appropriately.

[KPOM]

Hopefully Apple is out with a malware cleaner sooner rather than later. I'd guess that most people don't know Terminal exists, let alone know how to use it.

Apple does need to do a better job of getting these patches out sooner. The Java fix was available in February. Perhaps they need something like Microsoft's "Patch Tuesday."

[Meandmunch]

Curious, how is the virus being delivered? Example: Email, Pop Up ad, ect...

[KALLT]

From the instructions:

Quote:

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

So if you have any of these apps installed, you should be alright?

[chrisperro]

clean here, update your system often and you should not run into this trojans...
The malware self-installs after you visit a compromised or malicious webpage. Obviously, it would be a good idea to update any Macs in your control.

For those who want to check if mac is infected (from F-Secure instructions):
Run the following command in terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get "The domain/default pair ... does not exist" for both - you are clean


from 9to5mac

[Canaan]

Totally clean here. I'm not someone who goes around clicking on anything online or even anything that pops up on the computer. I've learned plenty from using PCs. I figure most of the people who get this are probably those who aren't able to keep a windows machine clean or assume that OSX (or any OS for that matter) is bulletproof. I do love how much better my Mac is at security though

[jman240]

Quote:

Originally Posted by KALLT

From the instructions:
So if you have any of these apps installed, you should be alright?

What if you just have the path without the app installed?

[skerfoot]

If I'm reading the information on the F-secure website correctly, the trojan wont install itself if it discovers that Microsoft Office or Skype is already installed?

Interesting.

[jackc]

Screw it, the instructions look pretty long

[Bernard SG]

What's quite mysterious is how does that "Dr. Web" company do to estimate that number of infected Macs?

Edit: okay I found out. It's probably with a technique called "Sinkholing".

[Yamcha]

This is exactly what I illustrated before, fact of the matter is that not all users are computer savvy, not everyone will know what is safe and what's isn't.. That is why these Trojan etc.. Can indeed be a problem to some users..

[Dr McKay]

Here comes the debate between the definitions of "Malware" and "Virus"

[starflyer]

Quote:

Originally Posted by skerfoot

If I'm reading the information on the F-secure website correctly, the trojan wont install itself if it discovers that Microsoft Office or Skype is already installed?

Interesting.

I guess it feels that we are suffering enough already with these installed. Hmm, this must be a new, more compassionate trojan.

[scoobydoo99]

Quote:

Originally Posted by KALLT

From the instructions:
So if you have any of these apps installed, you should be alright?

Right. Also, you are alright if you have Office 2008, Office 2011, or Skype installed on your system. So, pretty much everyone

[tunerX]

Quote:

Originally Posted by jackc

Screw it, the instructions look pretty long

You only need to run the two commands.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Copy and paste chisperro's two lines into a terminal.

[alphaod]

This is bad news for light users, the ones that hated Windows because it was more difficult to learn and don't do much on their computers (so they lack these "preventive" applications leading them would be more likely to be infected).

[varera]

Quote:

Originally Posted by skerfoot

If I'm reading the information on the F-secure website correctly, the trojan wont install itself if it discovers that Microsoft Office or Skype is already installed?

Interesting.

That's because any of those is already malware :-)

[314631]

This is very bad news for consumers who should be safe from these problems when using a Mac. But it's important to note a trojan is not a virus. So we're still well ahead of Windoze users.

[ArcaneDevice]

Quote:

Originally Posted by Benjy91

Here comes the debate between the definitions of "Malware" and "Virus"

Humans can't get malware.

[lkrupp]

Quote:

Originally Posted by jman240

What if you just have the path without the app installed?

The app is part of the path.

[varera]

Quote:

Originally Posted by alphaod

This is bad news for light users, the ones that hated Windows because it was more difficult to learn and don't do much on their computers (so they lack these "preventive" applications leading them would be more likely to be infected).

Before going into panic mode, try to analyse what you have here. End user has to manually accept a self sign certificate from "Apple" for a Java application. One has to be very dumb to do that.

You cannot protect ignorant people, even if you like.

Difference here is that you only get infected if you explicitly allow malware to run. In MS world you get infected without even knowing it.

[Moonjumper]

Quote:

Originally Posted by MacRumors

But just a day after that report, Apple did update Java to address the vulnerability being exploited by Flashback.

Time to install that patch I think.