
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,523
30,809





Ars Technica reports on a Tweet from Russian malware analyst Ivan Sorokin at Dr. Web claiming that the Flashback trojan has now infected over 600,000 Macs worldwide. That number reportedly includes 274 machines "from Cupertino", presumably meaning at Apple's headquarters.
According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them.
The authors of the Flashback trojan have continued to tweak the software since it first surfaced last September, adjusting its tactics several times to include both social engineering tricks and exploits of vulnerabilities.

The most recently-seen version of Flashback surfaced earlier this week, exploiting a Java vulnerability that was unpatched on OS X. While Oracle had released an update closing the hole on Windows back in February, Apple had yet to issue a fix for Macs, as the company has historically maintained its own Java updates that are deployed some time after Oracle issues its own corresponding updates. But just a day after that report, Apple did update Java to address the vulnerability being exploited by Flashback.

Antivirus firm F-Secure has instructions on how users can determine whether their machines are infected by the Flashback trojan. The instructions do involve running commands in Terminal, and users should thus take care to follow the instructions exactly.

Article Link: 600,000 Macs Worldwide Reportedly Infected by Flashback Trojan
 

jman240

macrumors 6502a
May 26, 2009
798
243
Here we go again....

At least it appears to be easier to remove than a Windows style malware infection...
 

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
One more reason to keep Java disabled in my browsers: Java gets patched more often every year than I actually need Java in a browser.
 

basesloaded190

macrumors 68030
Oct 16, 2007
2,693
5
Wisconsin
I'm usually against cruel and unusual punishment, but people who spend their life creating these Trojans and other things need to be punished appropriately.
 

KPOM

macrumors P6
Oct 23, 2010
18,027
7,868
Hopefully Apple is out with a malware cleaner sooner rather than later. I'd guess that most people don't know Terminal exists, let alone know how to use it.

Apple does need to do a better job of getting these patches out sooner. The Java fix was available in February. Perhaps they need something like Microsoft's "Patch Tuesday."
 

KALLT

macrumors 603
Sep 23, 2008
5,361
3,378
From the instructions:
On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
So if you have any of these apps installed, you should be alright?
 

chrisperro

macrumors 6502
Oct 24, 2009
306
1
canada
Clean here. Update your system often and you should not run into these trojans...
The malware self-installs after you visit a compromised or malicious webpage. Obviously, it would be a good idea to update any Macs in your control.

For those who want to check if their Mac is infected (from F-Secure instructions):
Run the following commands in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get "The domain/default pair ... does not exist" for both, you are clean.


from 9to5mac
 
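The two `defaults read` commands quoted above (in chrisperro's post and repeated by tunerX) simply print the DYLD_INSERT_LIBRARIES value from two plist files. As an added example that is not from the forum, F-Secure or Apple, this Python script parses those same two files directly with plistlib and applies the forum's rule: clean only when neither file carries the key. The plist contents and the library path in them are constructed samples, not real indicators.

```python
import os
import plistlib

# The two files the F-Secure check reads (paths as given in the forum posts).
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENV_PLIST = "~/.MacOSX/environment.plist"


def find_injected_libraries(plist_bytes, env_key=None):
    """Return the DYLD_INSERT_LIBRARIES value found in a plist, or None.

    In Safari's Info.plist the value sits inside the LSEnvironment dictionary
    (env_key="LSEnvironment"); in ~/.MacOSX/environment.plist it is top-level.
    plistlib handles both XML and binary plists.
    """
    data = plistlib.loads(plist_bytes)
    env = data.get(env_key, {}) if env_key else data
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def classify(safari_plist, env_plist):
    """Map each file that carries an injected library to its value; {} means clean."""
    hits = {}
    safari_libs = find_injected_libraries(safari_plist, "LSEnvironment")
    if safari_libs:
        hits[SAFARI_INFO_PLIST] = safari_libs
    user_libs = find_injected_libraries(env_plist)
    if user_libs:
        hits[USER_ENV_PLIST] = user_libs
    return hits


def check_system():
    """Read the real files on a Mac; a missing file counts as clean for that path."""
    results = {}
    for path, key in ((SAFARI_INFO_PLIST, "LSEnvironment"), (USER_ENV_PLIST, None)):
        full = os.path.expanduser(path)
        if os.path.exists(full):
            with open(full, "rb") as f:
                libs = find_injected_libraries(f.read(), key)
            if libs:
                results[path] = libs
    return results


# Constructed samples (placeholder library path, not a real indicator).
CLEAN_INFO = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})
INFECTED_INFO = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari",
                                "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.libplaceholder.so"}})
CLEAN_ENV = plistlib.dumps({})
INFECTED_ENV = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/Users/Shared/.libplaceholder.so"})

if __name__ == "__main__":
    print("sample:", classify(INFECTED_INFO, CLEAN_ENV) or "clean")
    print("this machine:", check_system() or "clean")
```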

Canaan

macrumors member
Sep 1, 2011
61
0
Totally clean here. I'm not someone who goes around clicking on anything online or even anything that pops up on the computer. I've learned plenty from using PCs. I figure most of the people who get this are probably those who aren't able to keep a windows machine clean or assume that OSX (or any OS for that matter) is bulletproof. I do love how much better my Mac is at security though :D
 

skerfoot

macrumors member
Feb 28, 2010
85
0
If I'm reading the information on the F-Secure website correctly, the trojan won't install itself if it discovers that Microsoft Office or Skype is already installed?

Interesting.
 

Bernard SG

macrumors 65816
Jul 3, 2010
1,354
7
What's quite mysterious is how that "Dr. Web" company manages to estimate that number of infected Macs.

Edit: okay I found out. It's probably with a technique called "Sinkholing".
 

Yamcha

macrumors 68000
Mar 6, 2008
1,825
158
This is exactly what I illustrated before. Fact of the matter is that not all users are computer savvy; not everyone will know what is safe and what isn't. That is why these Trojans etc. can indeed be a problem to some users.
 

Starflyer

macrumors 6502a
Jan 22, 2003
696
1,076
If I'm reading the information on the F-Secure website correctly, the trojan won't install itself if it discovers that Microsoft Office or Skype is already installed?

Interesting.

I guess it feels that we are suffering enough already with these installed. Hmm, this must be a new, more compassionate trojan.
 

scoobydoo99

Cancelled
Mar 11, 2003
1,007
353
From the instructions:
So if you have any of these apps installed, you should be alright?

Right. Also, you are alright if you have Office 2008, Office 2011, or Skype installed on your system. So, pretty much everyone ;)
 

tunerX

Suspended
Nov 5, 2009
355
839
Screw it, the instructions look pretty long

You only need to run the two commands.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Copy and paste chrisperro's two lines into a terminal.
 

alphaod

macrumors Core
Feb 9, 2008
22,183
1,245
NYC
This is bad news for light users, the ones that hated Windows because it was more difficult to learn and don't do much on their computers (so they lack these "preventive" applications, which would make them more likely to be infected).
 

varera

macrumors member
Apr 11, 2010
69
13
If I'm reading the information on the F-Secure website correctly, the trojan won't install itself if it discovers that Microsoft Office or Skype is already installed?

Interesting.

That's because any of those is already malware :)
 

314631

macrumors 6502a
May 12, 2009
909
0
iDeaded myself
This is very bad news for consumers who should be safe from these problems when using a Mac. But it's important to note a trojan is not a virus. So we're still well ahead of Windoze users.
 

varera

macrumors member
Apr 11, 2010
69
13
This is bad news for light users, the ones that hated Windows because it was more difficult to learn and don't do much on their computers (so they lack these "preventive" applications, which would make them more likely to be infected).

Before going into panic mode, try to analyse what you have here. The end user has to manually accept a self-signed certificate from "Apple" for a Java application. One has to be very dumb to do that.

You cannot protect ignorant people, even if you like.

Difference here is that you only get infected if you explicitly allow malware to run. In MS world you get infected without even knowing it.
 