McAfee never even saw the malware after several searches. It was $80 a year for nothing.
First, I wouldn't trust McAfee to guard my coffee cup! There are several more reliable antivirus apps for Windows. You can find several suggestions here:
I am trying to get his next purchase to be a Mac, but he needs one app that is Windows only.
To run Windows apps on your Mac, you need to install Windows via Boot Camp or use Parallels or VMware Fusion.

If you don't have a Windows license, you can use CrossOver to run some applications. Not all Windows apps are compatible with CrossOver. Check their site for compatible apps.

For more information about running Windows on your Mac, check out the Windows on the Mac forum.

Is ... a shady site?
I think you already know the answer to that. Any porn site is considered a higher risk.
 
I may have missed it but I will ask anyway.

1. Is this malware the first one to not require any user interaction at all on OS X? From what I read it just installs itself and is considered a drive-by download through an exploit in Java.

2. What exactly is the payload? I am guessing it gets passwords and such?

This might help.

Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

http://support.apple.com/kb/HT5228

This Java exploit doesn't bypass the new runtime security mitigations in OS X Lion. But, it has the capacity to bypass Java's sandbox, which indicates an issue existed with that sandbox configuration that didn't manifest in other apps.

Also, the user had to accept the self signed certificate for the Java applet prior to any infection occurring so user interaction was required before any infection occurred.

Successful infection required the user to also password authenticate the installation so that Safari could be infected given that the target of the payload was Safari.

Without password authentication, that payload only infected apps owned by the user which it was not meant to infect so the apps functions were not modified.

The final payload modifies webpages most likely to collect login credentials via a man in the browser type of attack.

No, it doesn't. It would appear that something is wrong with the permissions of /Applications on your system. On both 10.6 and 10.7 an admin account has write privileges for /Applications; there's no reason you should be getting an authentication dialog when trying to write to it from such--only from a user account.

I haven't tested it on Lion, but logged in as an admin user on Leopard, it doesn't ask for a password. On multiple Macs running Snow Leopard, it does.

It is not the permissions of the Applications folder that is different post-Leopard.

After Leopard, the default apps in OS X are only modifiable with system-level privileges. Safari is not modifiable by an admin user without password authentication.

But in Leopard and prior, folders and files that are critical to effectively hooking into the default apps for malicious purposes are only modifiable with system-level privileges. This is why Leap-A required users to be running as root.
 
This might help.

It is not the permissions of the Applications folder that is different post-Leopard.

After Leopard, the default apps in OS X are only modifiable with system-level privileges. Safari is not modifiable by an admin user without password authentication.

But in Leopard and prior, folders that are critical to effectively hooking into the default apps for malicious purposes are only modifiable with system-level privileges. This is why Leap-A required users to be running as root.

OK, this makes sense why I had to authenticate.
 
It must be noted though that some third party applications (e.g. Firefox, and in general anything installed via drag & drop) can be modified by default without asking admin credentials even in recent Mac OS X versions (I'm testing now in Snow Leopard, but I think it's the same in Lion). This is something to be expected, as the philosophy of this kind of installation is that the user is in charge of everything, including security. If one wants to be prompted, permissions should be manually set for the application, or the application should be used with a different user than the one who installed it.
 
It must be noted though that some third party applications (e.g. Firefox, and in general anything installed via drag & drop) can be modified by default without asking admin credentials even in recent Mac OS X versions (I'm testing now in Snow Leopard, but I think it's the same in Lion). This is something to be expected, as the philosophy of this kind of installation is that the user is in charge of everything, including security. If one wants to be prompted, permissions should be manually set for the application, or the application should be used with a different user than the one who installed it.

Good point.

It should be noted that at this point in time this variant of Flashback doesn't target browsers other than Safari so users of browsers which would be owned by the user, such as Firefox and Chrome, are not compromised as far as the reports about this malware suggest.

But, this malware did have the potential to compromise those browsers which rely much less on the default architecture of OS X to function.

Obviously, Safari requires password authentication to modify while user owned browsers don't have this requirement unless properly configured by the user.

For user owned browsers in default configuration, the only barrier to infection is the acceptance of the self signed certificate for the Java applet.

This is a reason why less knowledgeable users should only use Safari.
 
Av

Are there alternatives to "Little Snitch"? Is Open Source a good idea? Freeware?
 
Just launch Terminal and then copy and paste:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

into the window and then press return.

If it says:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

then copy and paste:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

into the window of Terminal and hit return.

If you see:

The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

Then you know you are clean.

It's not as daunting as it sounds, really...

These instructions keep being repeated in this thread, but is just checking Safari adequate? Is it not necessary to also check Firefox or other browsers you have used to be sure you don't have an infection involving them, for example:

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml

----------

Could it be that Mac users have been grossly misled by Apple?

Here are a few different writers' takes on it.

Apple malware flourishes in a culture of denial
http://is.gd/d0u7d6

Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that's confirmed this, and big-time. More will follow unless Apple steps up its game.
http://is.gd/LSRB7a

All right, Mac users — the day of reckoning has come.
Thanks to a well-documented flaw that Apple didn't patch for three months, a nasty piece of malware called Mac Flashback seems to have infected nearly 600,000 Macs worldwide
http://is.gd/rG3gnx

Flashback Trojan dates back to February, but Apple did not release a patch until April 3. As a result, approximately 550,000 Macs were infected
http://is.gd/tiU1Td

Sorokin noted that 274 of the infected Macs were found in Cupertino, Calif., where Apple keeps its headquarters.
http://is.gd/0FzBvD

Have you been put off by the work required to see if your machine is one of the unlucky ones infected with a Trojan that's been making the rounds?
http://is.gd/Da0zWn

It was just a matter of time.
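The two Terminal checks quoted earlier in the thread (LSEnvironment in Safari's Info.plist and DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist) and the follow-up question about running the same check on Firefox can be automated in one script. The example below is added here and is not code from the thread or from any poster: it reads the plists directly with Python's plistlib instead of calling `defaults`, goes beyond the thread by scanning any list of bundles and also reporting whether the invoking user could modify each bundle without an authentication prompt (the Safari-versus-user-owned-browser distinction discussed above), and ships with a constructed sample so it runs offline. The bundle list, function names and the placeholder library path are assumptions.

```python
import os
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed bundle list: the two paths the thread's `defaults read` commands inspect.
DEFAULT_BUNDLES = [
    "/Applications/Safari.app",   # root-owned on 10.6/10.7: modifying it needs admin authentication
    "/Applications/Firefox.app",  # drag-and-drop install, typically owned by the installing user
]
# The per-user launch environment file the thread's second command reads.
USER_ENV_PLIST = Path.home() / ".MacOSX" / "environment.plist"


def read_plist(path):
    """Return the plist at `path` as a dict; a missing or unparsable file counts as empty."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
        return {}
    return data if isinstance(data, dict) else {}


def scan_bundle(bundle):
    """Apply the thread's Info.plist check to one .app bundle.

    `dyld_insert` is None when LSEnvironment/DYLD_INSERT_LIBRARIES is absent (the
    "does not exist" case in the thread). `user_writable` records whether the
    invoking user could alter the bundle without an authentication prompt, which
    is the difference between root-owned Safari and a user-owned browser.
    """
    bundle = Path(bundle)
    info = bundle / "Contents" / "Info.plist"
    ls_env = read_plist(info).get("LSEnvironment")
    ls_env = ls_env if isinstance(ls_env, dict) else {}
    return {
        "bundle": str(bundle),
        "exists": info.is_file(),
        "dyld_insert": ls_env.get("DYLD_INSERT_LIBRARIES"),
        "user_writable": os.access(bundle / "Contents", os.W_OK),
    }


def scan_user_environment(env_plist=USER_ENV_PLIST):
    """Return DYLD_INSERT_LIBRARIES from ~/.MacOSX/environment.plist, or None when absent."""
    return read_plist(env_plist).get("DYLD_INSERT_LIBRARIES")


def is_clean(bundles=DEFAULT_BUNDLES, env_plist=USER_ENV_PLIST):
    """True when neither the user environment nor any listed bundle carries an injected library."""
    if scan_user_environment(env_plist) is not None:
        return False
    return all(scan_bundle(b)["dyld_insert"] is None for b in bundles)


def build_sample_bundle(root, name, dyld_insert=None):
    """Write a constructed, minimal <name>.app/Contents/Info.plist under `root` for testing.

    With `dyld_insert` set it mimics the LSEnvironment entry the thread describes on a
    compromised Safari; the library path used in demo() is a placeholder, not a real indicator.
    """
    contents = Path(root) / f"{name}.app" / "Contents"
    contents.mkdir(parents=True, exist_ok=True)
    plist = {"CFBundleIdentifier": f"com.example.{name.lower()}"}
    if dyld_insert is not None:
        plist["LSEnvironment"] = {"DYLD_INSERT_LIBRARIES": dyld_insert}
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump(plist, fh)
    return contents.parent


def demo():
    """Run the checks against two constructed bundles and a deliberately missing environment.plist."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = build_sample_bundle(tmp, "Safari")
        hit = build_sample_bundle(tmp, "Firefox", dyld_insert="/tmp/constructed_example.dylib")
        env = Path(tmp) / "environment.plist"  # never created: the "does not exist" case
        return {
            "clean": scan_bundle(clean),
            "hit": scan_bundle(hit),
            "env": scan_user_environment(env),
            "clean_only": is_clean([clean], env),
            "both": is_clean([clean, hit], env),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
    # On a real Mac, point this at the bundles you actually use:
    for b in DEFAULT_BUNDLES:
        print(scan_bundle(b))
```

On a real machine, call `is_clean()` with the bundles of every browser you use; a bundle whose `user_writable` is True is one that could be modified without the password prompt the thread relies on, so it is worth including in the scan rather than assuming the Safari check covers it.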
 
These instructions keep being repeated in this thread, but is just checking Safari adequate? Is it not necessary to also check Firefox or other browsers you have used to be sure you don't have an infection involving them, for example:
Checking Safari is adequate if you have the right link. The link you posted is for OSX/Flashback.C. The version being discussed here is OSX/Flashback.I. The newest versions of this trojan target only Safari.
 
A Question and a Point

First, a question: how many people have actively reported finding an infestation? I did a fairly extensive search and I could only find two people who reported a positive, and one may not have known what he was talking about.

Second, a point--I seem to have brushed past this thing myself, and was protected by having Xcode installed. About a week to two weeks ago, I started noticing that every day or two, I would, upon going to some sites, get inexplicably redirected to one of two weird sites. One was a "femalebodyinspector" site, another seemed to be a bogus UStream site ("ustreambesttv"). Both sites had a similar attribute: they had TLDs (top level domains, like ".com" or ".co.jp") of "rr.nu"--which I had never seen before.

Upon looking into it, I found it was a Wordpress hack ( http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html )--one or two blogs I visited regularly were, at least temporarily, hacked with this code that caused them to redirect to the "rr.nu" sites. Having suffered from the "Pharma" Wordpress hack myself, I figured it was no more than an attempt to direct web traffic and get various ad revenues. Satisfied that it was not something wrong with my machine, I moved on. About a week ago, I stopped getting the redirects, and figured that the sites I visit had cleared out the hack.

I am guessing that this is one vector for the trojan.
 
Could it be that Mac users have been grossly misled by Apple?

Here are a few different writers' takes on it.

Apple malware flourishes in a culture of denial
http://is.gd/d0u7d6

Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that's confirmed this, and big-time. More will follow unless Apple steps up its game.
http://is.gd/LSRB7a

All right, Mac users — the day of reckoning has come.
Thanks to a well-documented flaw that Apple didn't patch for three months, a nasty piece of malware called Mac Flashback seems to have infected nearly 600,000 Macs worldwide
http://is.gd/rG3gnx

Flashback Trojan dates back to February, but Apple did not release a patch until April 3. As a result, approximately 550,000 Macs were infected
http://is.gd/tiU1Td

Sorokin noted that 274 of the infected Macs were found in Cupertino, Calif., where Apple keeps its headquarters.
http://is.gd/0FzBvD

Have you been put off by the work required to see if your machine is one of the unlucky ones infected with a Trojan that's been making the rounds?
http://is.gd/Da0zWn

This isn't a Mac issue though, it's Java. Silly security insiders.
 
This isn't a Mac issue though, it's Java. Silly security insiders.

Wrong - it's an Apple issue. Since 2005, the whole "Mac vs PC" thing has told the average consumer that they never have to worry about viruses. Its "just works" propaganda has been very effective at driving up Mac sales 25% every quarter.
 
Wrong - it's an Apple issue. Since 2005, the whole "Mac vs PC" thing has told the average consumer that they never have to worry about viruses. Its "just works" propaganda has been very effective at driving up Mac sales 25% every quarter.

We shouldn't worry about viruses. It wasn't a virus. You sound like the scaremongering media.
 
Makes no difference, virus/malware/trojan. These things are not supposed to ever happen to a Mac because of their magical nature.

It makes all the difference?

There isn't much wrong with the security of OSX for example if Java wasn't installed. We wouldn't even have this thread.
 
Wrong - it's an Apple issue. Since 2005, the whole "Mac vs PC" thing has told the average consumer that they never have to worry about viruses. Its "just works" propaganda has been very effective at driving up Mac sales 25% every quarter.

Wrong, they always claimed that Macs are immune to Windows viruses
 
Makes no difference, virus/malware/trojan. These things are not supposed to ever happen to a Mac because of their magical nature.
Yes, it does make a difference, and no, Macs are not "magical". Only those who are computer-illiterate would believe otherwise. Read the Mac Virus/Malware Info link posted in most malware-related threads, including this one, to learn the difference between viruses, trojans and other forms of malware. Mac has never been immune to malware and no one credible has ever claimed it was malware-free. Trojans have been around for a very long time and are user-avoidable, without the need for antivirus apps. Mac OS X viruses don't exist in the wild, and never have.
 
Some Observations from a Windows guy...

Looking at this from a Windows user's perspective, I have a lot of pity for Apple and OS X users. Malware is unpleasant at best and horribly destructive at worst, and while I'm not a huge Apple fan, I don't wish this scourge on anyone. I would like to point out a few things about all of this:

1) Several posters rightly pointed out that this being a trojan or a virus is immaterial if you have it. To further that point, it's immaterial to most computer users who are not technically savvy. Their computer has been compromised and that's all that matters.

2) Several posters have suggested that if you don't provide an admin password for elevated install, the worst that happens is that it infects your user account. Um, hello, where is the valuable stuff on your computer? Mine isn't under the WINNT/ directory, and I'm guessing yours isn't under the system/ directory either.

3) Some posters have suggested that the fact that there aren't a lot of people reporting the infection here indicates that many people aren't infected. I would point out that this website represents a highly self-selected group, and the forums even more so. Which leads into my fourth point.

4) The types of users who visit MacRumors combined with the very checking the trojan does helps explain why the forums may be seeing such a low reporting incidence. Many of the users on this forum use at least one of the programs being checked for, and are further, fairly tech savvy. Both of those factors mean the self-selected group this forum represents are exactly the types of users this trojan was designed to avoid for as long as possible, being the group most likely to discover and do something about it. In addition, users who have programs such as Office, Xcode, and ClamXav are more likely to be operating on corporate networks than home and isolated users. This is important because most corporate networks contain other, external (to the computer) IP traffic safeguards as well as general file/user security protocols. This leads me to point six.

5) Due to the limited nature of what this trojan is capable of, and the filtering for other applications it does, it suggests that this is a test trojan. What better way to test possible exploits and detection time than to release something like this? It seems like more of a scouting precursor to a fully developed attack trojan that combines and exploits multiple other vulnerabilities, than something that is an effective attack itself. This spells proof of concept to me, and I worry for my Mac clients.


I'd also state that *simple redirection/manipulation* of a website is a huge deal. Most people who expect to go to their bank's website aren't going to be checking to make sure they got there if it looks the same. With all due respect, many Windows users are now very careful about not clicking links and checking URLs precisely because we know Windows is vulnerable. Meanwhile there is a new(er) and growing body of Mac users who moved to Mac specifically because they believed (not because it is true) that they would no longer have to deal with that.

I think the worst problem the OS X platform is going to be facing, with respect to trojans, is a new user base that is complacent because they believe the system is secure NO MATTER WHAT. These are the people who were victims of Windows malware and they are the ones who will be victims of Mac malware, for the simple reason that they don't want to think about this stuff and so they don't.

I will say that Mac is more secure than Windows without equivocation, but that's only a 'more than'. Many of us, both Mac and Windows professionals, have been saying that no system is secure, but that it is still up to users to be vigilant. Meanwhile, current users, the market (and yes, Apple PR) have given these users the impression that Macs are invulnerable, largely due to oversimplifying the message and not explaining the inevitable '*', i.e. 'so long as you don't do X or don't click X'.

Malware really is platform agnostic, because it exploits the mindset, not the machine. I think this is just a start.
 
Yes, it does make a difference, and no, Macs are not "magical". Only those who are computer-illiterate would believe otherwise. Read the Mac Virus/Malware Info link posted in most malware-related threads, including this one, to learn the difference between viruses, trojans and other forms of malware. Mac has never been immune to malware and no one credible has ever claimed it was malware-free. Trojans have been around for a very long time and are user-avoidable, without the need for antivirus apps. Mac OS X viruses don't exist in the wild, and never have.

Wrong, they always claimed that Macs are immune to Windows viruses

This isn't a Mac issue though, it's Java. Silly security insiders.

Every one of these responses misses the point. Those of us that are tech savvy and read the forums know this. My mother doesn't know the fine differences and frankly doesn't care. Even when her son explains that it's not an Apple issue, and that it's Java that has the problem, all she gets is that her Mac has a problem. This is how most people out there, who just use the computer they bought at the Apple Store to check email, browse the web, take pictures, and compose some documents, treat the computer. They don't care about all the individual pieces and fine distinctions in who makes what software.

All they think is 'My Mac is broken and it isn't supposed to do this. I've been lied to.' The expectations they have about Macs are unreasonable, but they are the expectations they have.
 
Perhaps, since this exploit uses Java, Apple should push a software update that disables it, and advises users that Java is being turned off for security reasons. Or it could push an update that has a dummy version of one of the files that aborts the installation process.

In general, the default installation of OS X should disable non-essential extensions that have the potential to compromise security, and at least have a moderate level of security measures enabled. Well, at least the latter will be a feature of the next major revision of OS X.
 
Before I sit through 15 pages of this thread...

...is anyone able to quickly tell me if installing the Java update from Apple will fix my machine regardless of whether it's infected?

Or should I check to see if it's infected first and try and sort it out before updating (bit wary of using all those Terminal commands and would prefer not to if I don't have to).
 
1) Several posters rightly pointed out that this being a trojan or a virus is immaterial if you have it. To further that point, it's immaterial to most computer users who are not technically savvy. Their computer has been compromised and that's all that matters.

I agree that the distinction is of little relevance in the sense that the potential damage is similar, but it is still important if you believe that computer users should be informed about security. If people only care that their computer is compromised and not how it was compromised, it is likely that it will be compromised again in the future. I fail to see how it's of any help keeping them in the dark about the differences between the kinds of malware they can be exposed to. Of course, care should be taken when denying that something is a virus so it is not taken as meaning that there is not a serious security problem.

2) Several posters have suggested that if you don't provide an admin password for elevated install, the worst that happens is that it infects your user account. Um, hello, where is the valuable stuff on your computer? Mine isn't under the WINNT/ directory, and I'm guessing yours isn't under the system/ directory either.

My valuable information is in my Jekyll account. What I do as Mr. Hyde doesn't affect my Jekyll account as long as I don't enter my admin password. Of course, this additional level of protection is only enjoyed by people who are careful about keeping their data compartmentalized or people with a split personality.
 