then i feel clean :)

i still don't fully understand what this virus "does" when fully implemented on a machine. so i don't even know what i was possibly at risk of. what's the point of this virus, i guess is what i am asking. i have read 4 articles and i still don't have that answer.

This one does, well, nothing at the moment; it reports to a botnet. Also, based on the links in this thread, it says: "If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server."

Subsequently people said that it couldn't keylog or do other things, others disagreed too though, so I'm not convinced either way yet.

But generally I think the goal in something like this is 1 of 2 things: 1 - to keylog your stuff for passwords, bank account, other bad stuff. 2 - to make your machine part of a coordinated DDoS attack on a website.

At this point in time, it appears this one was not attempting to do either.

It has been speculated that, based on its removal if it saw certain apps, it was just a test. Perhaps something created by a consultant for an AV firm. Can you imagine the money to be made if you can convince Mac users they need to buy your brand of antivirus?
 
What is the Trojan able to do if installed without authentication?

It can't inject itself into apps owned by system, such as Safari, without password authentication so not every launched app is infected with binary2.

Binary2 is designed to target Safari so it sounds like this is only collateral infection on non system owned apps.

This is much like Leap-a but without the worm-like behavior. No significant infection occurs unless user running as root or password authenticates installation.

It'll inject itself into every app you open. Java is owned by the system, so I don't see why it couldn't exploit a java vulnerability to edit system owned apps.
 
This one does, well, nothing at the moment; it reports to a botnet. Also, based on the links in this thread, it says: "If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server."

Subsequently people said that it couldn't keylog or do other things, others disagreed too though, so I'm not convinced either way yet.

But generally I think the goal in something like this is 1 of 2 things: 1 - to keylog your stuff for passwords, bank account, other bad stuff. 2 - to make your machine part of a coordinated DDoS attack on a website.

At this point in time, it appears this one was not attempting to do either.

It has been speculated that, based on its removal if it saw certain apps, it was just a test. Perhaps something created by a consultant for an AV firm. Can you imagine the money to be made if you can convince Mac users they need to buy your brand of antivirus?
Modifying the contents of webpages could certainly be used for malicious activities. For example, if you navigate to your bank's website, you could be redirected to a spoof of that site, where you could unwittingly enter bank card and password information, without even the need for the botnet to have keylogging capability.
 
The worrying thing about this is it's the first one we've seen that really requires ZERO user authorisation to infect your machine.

Typically, in the past these all required a little stupidity on the users part, but now any popup or link could nuke you.

Screw it, disabling java even after updating - never need it anyway.
 
The worrying thing about this is it's the first one we've seen that really requires ZERO user authorisation to infect your machine.

Typically, in the past these all required a little stupidity on the users part, but now any popup or link could nuke you.

Screw it, disabling java even after updating - never need it anyway.

So I don't EVER want to hear about how Windows is infested with viruses and Macs are 100% safe.
 
So I know that java is a factor in getting this Trojan. I don't have java installed on any of my Macs and I also have java disabled in Safari on my Macs. However, I still have javascript enabled in Safari on my Macs because the websites I visit most often don't work properly without javascript enabled. Does having javascript enabled put me at as much risk of Trojans etc. as having java enabled? I can't say I even understand the difference between java and javascript. :confused:
 
So I know that java is a factor in getting this Trojan. I don't have java installed on any of my Macs and I also have java disabled in Safari on my Macs. However, I still have javascript enabled in Safari on my Macs because the websites I visit most often don't work properly without javascript enabled. Does having javascript enabled put me at as much risk of Trojans etc. as having java enabled?

No.
 
Nowadays... people are the biggest vulnerability to a system. A machine cannot protect you from yourself - if you enter a password when you are prompted to, without checking to make sure you initiated a command that would cause that popup window to appear (like manually launching Software Update or clicking a lock button in System Prefs), the Mac can't override your willingness to put your user/password in ....

Just use some common sense.

----------


I get unsolicited update requests from Apple (system updates) and Adobe (usually Flash) via their update managers all the time.
 
Citation needed. Or at least a few sentence explanation why you believe this.

From http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Infection Type 2

In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:

/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app
If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.

If none of the incompatible applications are found, the malware will create the following files:

~/Library/Application Support/.%decoded_filename%.tmp - contains %decoded_binary1_contents% and %decoded_payload_config%
/Users/Shared/.libgmalloc.dylib - contains %decoded_binary2_contents%
The malware then creates a launch point by creating "~/.MacOSX/environment.plist", containing the following lines:

<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.libgmalloc.dylib</string>
This in effect will inject binary2 into every application launched by the infected user.

For this infection type, the malware reports the successful infection to the following URL:

h t t p : / / 95.215.63.38/stat_u/
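As an added illustration of the launch point F-Secure describes above (this is my own check script, not F-Secure's code and not one of the "terminal commands" mentioned elsewhere in the thread), the following POSIX sh reads a per-user environment.plist, pulls out whatever DYLD_INSERT_LIBRARIES points at, and looks for the other file paths named in the write-up. It only reads files. The sample "infected" and "clean" home directories it builds under a temp dir are constructed for the demo; the hidden .tmp file name is a placeholder because F-Secure gives it only as %decoded_filename%.

```shell
#!/bin/sh
# Added example (not from the thread or from F-Secure): a read-only check
# for the "Infection Type 2" launch point described above. It looks for
# DYLD_INSERT_LIBRARIES in a per-user environment.plist and for the file
# paths F-Secure names. Portable POSIX sh; it never modifies anything.

# Print the <string> value(s) that follow a DYLD_INSERT_LIBRARIES key,
# one library path per line (the value may be a colon-separated list).
# Exit 1 if the plist does not exist.
dyld_insert_libs() {
    plist="$1"
    [ -f "$plist" ] || return 1
    sed -n '/<key>DYLD_INSERT_LIBRARIES<\/key>/{n;s/^[[:space:]]*<string>\(.*\)<\/string>.*$/\1/p;}' "$plist" \
        | tr ':' '\n'
}

# Exit 0 (and report) if the plist inserts any library into every process
# the user launches; exit 1 if it is absent or has no such key.
check_env_plist() {
    libs=$(dyld_insert_libs "$1") || return 1
    [ -n "$libs" ] || return 1
    echo "$1 injects into every app launched by this user:"
    echo "$libs" | sed 's/^/  /'
    return 0
}

# Check the artifact paths from the F-Secure write-up. HOME and the shared
# directory are parameters so the check can be pointed at a test tree or a
# mounted volume; the defaults are the live locations.
flashback_indicators() {
    home="${1:-$HOME}"
    shared="${2:-/Users/Shared}"
    hits=0
    if libs=$(dyld_insert_libs "$home/.MacOSX/environment.plist") && [ -n "$libs" ]; then
        echo "environment.plist inserts: $libs"; hits=$((hits + 1))
    fi
    if [ -e "$shared/.libgmalloc.dylib" ]; then
        echo "present: $shared/.libgmalloc.dylib"; hits=$((hits + 1))
    fi
    # F-Secure gives the name only as %decoded_filename%, so match the
    # hidden ".<something>.tmp" shape rather than a specific name.
    for f in "$home/Library/Application Support"/.*.tmp; do
        if [ -e "$f" ]; then
            echo "hidden tmp file: $f"; hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# --- Constructed sample tree (NOT a real infection): a fake home with the
# launch point from the write-up, and a clean home for comparison. The
# .libgmalloc.dylib placeholder is an empty file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/infected/.MacOSX" "$demo/infected/Library/Application Support" \
         "$demo/infected/shared" "$demo/clean/.MacOSX" "$demo/clean/shared"
cat > "$demo/infected/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.libgmalloc.dylib</string>
</dict>
</plist>
EOF
: > "$demo/infected/shared/.libgmalloc.dylib"
: > "$demo/infected/Library/Application Support/.sample.tmp"
# A legitimate environment.plist with no injection key (constructed).
cat > "$demo/clean/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>JAVA_HOME</key>
    <string>/Library/Java/Home</string>
</dict>
</plist>
EOF

for who in infected clean; do
    echo "== $who =="
    check_env_plist "$demo/$who/.MacOSX/environment.plist" || echo "no DYLD_INSERT_LIBRARIES"
    flashback_indicators "$demo/$who" "$demo/$who/shared" || echo "no Flashback paths found"
done
```

On a live Mac you would call `check_env_plist "$HOME/.MacOSX/environment.plist"` and `flashback_indicators` with no arguments. A DYLD_INSERT_LIBRARIES entry in that file is worth investigating on its own, whatever the library is called, because it is loaded into every process the user starts; the specific filenames only confirm this particular variant.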
 
ok, so i ran the terminal commands and came up clean, but just noticed that ClamXAV just found jsched / OSX.Flashback 8 and it's still scanning. this was also after i skipped a CLAM update that featured the option to disregard "infected" files for future scans. WTF! what exactly does this virus do to your machine if it's been on my macbook?

It's sent your credit card info to a cartel in China that just ordered a new Ferrari on your card.

Enjoy the payments!

;)

Seriously - if your machine is infected, look closely at all financial transactions (after cleaning your system - don't log into any website before making sure that the malware has been removed) and immediately contest any strange charges. Don't wait for the next bill.

And, ignore any pedantic souls who berate you for calling this a "virus" when technically it's a "trojan". When your identity is stolen, and your credit limits maxed - it doesn't matter.
 
Thanks for your reply. May I ask for further explanation as to why? I am just curious. If you aren't in the mood, I understand. Or even if you can link me to any webpages with further info. that would be appreciated. Thank you!

Sorry, I wasn't trying to be a douche. I was just a little shorter than normal because I've been fighting misunderstandings for 12 hours on multiple forums. It's just that javascript and java are 2 different things. Java is what is affected here, javascript isn't. I'd link you to Java and Javascript on wikipedia, but I'm really too tired. You can probably look it up in the amount of time it took me to type this anyway.


Yes, I read all that 12 hours ago. Your impressive quotations did not in any way answer my question into how it infects every app.
 
Sorry, I wasn't trying to be a douche. I was just a little shorter than normal because I've been fighting misunderstandings for 12 hours on multiple forums. It's just that javascript and java are 2 different things. Java is what is affected here, javascript isn't. I'd link you to Java and Javascript on wikipedia, but I'm really too tired. You can probably look it up in the amount of time it took me to type this anyway.

No worries man, I didn't think you were being a douche or anything. Thanks for the reply and I will definitely do some reading up on wikipedia etc. :)
 
It appears to depend on which version of Mac OS X you're running, whether it prompts or not.

It shouldn't. The Applications folder has, to my knowledge, always been read-write-execute (rwx) for group Admin and r-x for Others. So, either you are already logged in to an admin account or you've changed the privileges for the Applications folder to rwx for Others.

For user accounts, i.e. non-admin, one should not be able to write to /Applications.
 
...Then those Windows users have a false sense of security. I had a PC infected with Torpig that no virus scanner could detect, and was fully protected and up to date. I only detected it after blowing the partition away and starting from scratch. Was hiding in the boot sector. I'm still not sure how it got infected.

I'm not saying that a virus scanner is not a good idea, it's just that you should not trust that you are safe even with scanners and security updates.

TDSSKiller is your friend for these kinds of infections. Always try this utility on any machine you find that has Google being redirected as well.
 
Here's a little experiment you can try to prove to yourself that I do, indeed, know what I'm talking about.
  1. Right-click on your Desktop and select "New Folder".
  2. Browse in Finder to your /Applications folder
  3. Right-click on Safari.app and select "Show Package Contents"
  4. Double-click on "Contents", then on "Resources"
  5. Drag the folder you created in step 1 to the Resources folder
  6. Now close all Finder windows
  7. Go back and repeat steps 2-4 and verify that the folder you created is in Safari.app
  8. Notice that at no point in time were you prompted for your admin password
You can modify the contents of the /Applications folder without elevated privileges. Many apps are installed simply by dragging them to that folder... no password required.

Mmm. Just tried this. As soon as I tried to copy the folder I got a prompt telling me that I needed to authenticate.
 
Curious to know where they got this number from, how can they know etc.

A good question that prompted me to do a little googling.

The original source of the story came from the anti-virus maker Dr Web. I've never heard of them, to be honest. Here's a cut from the original press release:

Doctor Web exposes 550 000 strong Mac botnet
April 4, 2012

Doctor Web—the Russian anti-virus vendor—conducted research to determine the scale of the spread of Trojan BackDoor.Flashback, which infects computers running Mac OS X. Now the BackDoor.Flashback botnet encompasses more than 550 000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.

Obviously, the popular press has rounded up the figures to a nice, even 600,000 to make it easier for us to read. I don't have a problem with that.

Now the good doctor discovered a whole raft of sites carrying the trojan.

The recently discovered ones include:

godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu
According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.

I really have no business visiting the listed sites, but some people might. I couldn't find any reference to the trojan being installed from dlink.com aside from echoes of the original press release. I did find mention of a suspected virus being found on a D-Link installation CD, which the company said was a false positive.

Dr Web claim that they obtained the figure by redirecting the trojan traffic back to their own servers.

Personally, I'd like a second opinion.
 
One other tiny, tiny point:

Some folk seem to be saying that this trojan installs itself without the need for an admin password. According to f-secure, it does indeed prompt for an admin password.

If you enter your admin password (dumbarse mode) then your whole Mac is its playground. If you don't enter an admin password, the trojan is limited to your user account, which is what I would expect.

So as far as I can tell, the trojan cannot simply dump stuff into the privileged folders as some people have claimed.

Is it a problem? Well, I think so. The most valuable stuff on your Mac is inside your user folders. If the OS is compromised, you can just reinstall it. If they get your bank details then that's a much bigger deal. But this is a user education problem, rather than a problem with the OS. The same exploit would work on any OS with the same user.

Still, I think that Apple really should have gotten a fix out quicker instead of waiting for yet another anti-virus firm to break the news.
 
/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app
If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself

With those being all apps owned by micro$oft, has anybody else had the idea that it might be someone at Redmond that made the thing? I mean, it checks for M$ apps and if it finds them, decides not to bother. It's highly suspicious, or I'm deeply cynical. But the corporate advantage of saying (for example) that win8 is more secure than OSX must be worth thinking about for them?

My opinion only, no proof, no libel intended. I have Skype and Office 2011 installed and use win7 on Boot Camp for games, so not a complete windoze h8r
 
With those being all apps owned by micro$oft, has anybody else had the idea that it might be someone at Redmond that made the thing? I mean, it checks for M$ apps and if it finds them, decides not to bother. It's highly suspicious, or I'm deeply cynical. But the corporate advantage of saying (for example) that win8 is more secure than OSX must be worth thinking about for them?

Gentlemen, I do believe we have a conspiracy on our hands!

On a serious note, I really truly seriously doubt it. Simply for the fact that, if word were to get out that MS were directly involved, there would be an absolute top-of-the-line poopstorm over it. One that would most definitely end up with MS being sued for umpteen millions of dollars, losing an incredible amount of face, and probably netting them some serious criminal repercussions as well. All this for what? To infect OSX with a somewhat easy-to-fix bug?

I doubt the risk is worth the reward.
 
Just did the Terminal check. I'm clean. :)

I'm running OS X 10.4.11. I tried Software Update, but all it gives me is an old update for Safari. [I never use Safari, so I never bothered updating it.] Nothing for Java. Are Tiger users going to be left vulnerable? I suppose I'll disable Java since I don't think I've ever had to use it when browsing.
 
Still, I think that Apple really should have gotten a fix out quicker instead of waiting for yet another anti-virus firm to break the news.

That's easier said than done; they actually seem to struggle with the fix, as they issued two Java updates in two days.
Apple might end up dumping their in-house Java support in future OS X releases and throw the ball into Oracle's court.
 
/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app
If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself

With those being all apps owned by micro$oft, has anybody else had the idea that it might be someone at Redmond that made the thing? I mean, it checks for M$ apps and if it finds them, decides not to bother. It's highly suspicious, or I'm deeply cynical. But the corporate advantage of saying (for example) that win8 is more secure than OSX must be worth thinking about for them?

My opinion only, no proof, no libel intended. I have Skype and Office 2011 installed and use win7 on Boot Camp for games, so not a complete windoze h8r

Not a chance - Microsoft aren't that dumb.
The potential damage to their reputation just wouldn't make it worth it.

Look at Enron / Arthur Andersen & (potentially) News International to see the consequences of a loss of reputation
 