Every one of these responses misses the point. Those of us who are tech savvy and read the forums know this. My mother doesn't know the fine differences and frankly doesn't care.
That's true, but we can't address the issue with your mother or the masses out there. Our only audience is composed of readers of this forum. For them, it's our responsibility to give accurate information, to educate and inform. Just because others out there are operating with misinformation doesn't justify those in this forum perpetuating that misinformation. There are some out there who believe you never have to change your oil in your car. They should be informed otherwise when they visit a mechanic.
...is anyone able to quickly tell me if by installing the Java update from Apple it will fix my machine regardless, if it's infected?
No, the Java update will not remove malware. You need to follow the posted instructions to check for infection.
 
I agree that the distinction is of little relevance in the sense that the potential damage is similar, but it is still important if you believe that computer users should be informed about security. If people only care that their computer is compromised and not how it was compromised, it is likely that it will be compromised again in the future. I fail to see how it's of any help keeping them in the dark about the differences between the kinds of malware they can be exposed to. Of course, care should be taken when denying that something is a virus so it is not taken as meaning that there is not a serious security problem.

At no point did I suggest that people should not be educated as to the difference and impact of those differences, I was only making the point that for users impacted by this, the distinction is not important. Protecting themselves in the future will require understanding what behaviors can help protect them, but you are correct that these users probably will be victims again.


My valuable information is in my Jekyll account. What I do as Mr. Hyde doesn't affect my Jekyll account as long as I don't enter my admin password. Of course, this additional level of protection is only enjoyed by people who are careful about keeping their data compartmentalized or people with a split personality.


All of which emphasizes my points. People on this forum are power users, most people susceptible to this are not, and are not going to inconvenience themselves by segregating their lives to this extent. In addition, this particular bit of malware did not require the user to provide their admin password to install and compromise their local user information. Most people don't have a separate account for browsing the web and their letters to the editor.
 
That's true, but we can't address the issue with your mother or the masses out there. Our only audience is composed of readers of this forum. For them, it's our responsibility to give accurate information, to educate and inform. Just because others out there are operating with misinformation doesn't justify those in this forum perpetuating that misinformation. There are some out there who believe you never have to change your oil in your car. They should be informed otherwise when they visit a mechanic.

I'm not arguing who the audience of the forum is. My point was to postulate that the nature of that audience directly impacted the perception of this problem because those most impacted by it are not proportionally represented here as they might be in the general Mac ownership. This was in direct counterpoint to the number of posts stating that this malware must not be much of a problem since there weren't many posts from infected users.

It's dangerous to forget the distinction between people who actively seek to know how their technology works, and those that only want it as a tool for other uses. Apple has specifically experienced a large growth in the latter type of users, and their ignorance, willful or not, has a direct bearing on the scope and scale that a destructive program like this has. Education is the solution to a lot of this, but large numbers of the user base aren't going to get it, and ignoring them or ridiculing them for not being knowledgeable enough to protect themselves does not help stop the problem, or encourage those users to become more educated. If anything, it will sour them on the entire experience and platform.
 
Education is the solution to a lot of this, but large numbers of the user base aren't going to get it, and ignoring them or ridiculing them for not being knowledgeable enough to protect themselves does not help stop the problem, or encourage those users to become more educated.
In this forum, we can't influence the masses of users. We can only influence those who visit the forum. For them, it's important that we provide accurate and useful information, regardless of what the masses believe. Hopefully, if we do that long enough, the readers of this forum will take the accurate information they've learned to others outside the forum, and slowly the masses can become better educated. I don't know of anyone who proposed ignoring or ridiculing users who don't know any better.
 
2) Several posters have suggested that if you don't provide an admin password for elevated install, the worst that happens is that it infects your user account. Um, hello, where is the valuable stuff on your computer? Mine isn't under the WINNT/ directory, and I'm guessing yours isn't under the system/ directory either.

Protected data storage and protected data entry require system level access to compromise.

Other factors mitigate the effectiveness of malware with only user level access.

This has already been discussed several times in this forum.
 
In this forum, we can't influence the masses of users. We can only influence those who visit the forum. For them, it's important that we provide accurate and useful information, regardless of what the masses believe. Hopefully, if we do that long enough, the readers of this forum will take the accurate information they've learned to others outside the forum, and slowly the masses can become better educated. I don't know of anyone who proposed ignoring or ridiculing users who don't know any better.

Ok, I get all that and I'm not trying to argue it. I'm not suggesting this forum is the cure for all the masses' problems. My original point was directed to the large number of people who were suggesting that this trojan isn't a big deal because there were not many posts from people infected by it. My point was that because this forum is not primarily composed of the type of people who are uneducated about trojans and technical matters in general, it shouldn't be used to judge how serious the trojan may prove in the real world.

As to ridiculing and ignoring users, I don't know anyone who is proposing that either. I have seen a number of posts from non-tech forum members asking for help. Some people replied with help, and some were rude. I was merely cautioning against being rude and dismissive to those looking for help simply because they don't know enough to know where to look.


Protected data storage and protected data entry require system level access to compromise.

Other factors mitigate the effectiveness of malware with only user level access.

This has already been discussed several times in this forum.

I think you missed my point. The items that I as a user are most concerned with are not system level services and applications, they are specifically ones in my user directory. The system can be re-installed, but if something like this infects a program in the user directory, that may not be. The whole point of the way OSX can be installed without destroying user applications, settings and data becomes the vulnerability for something like this. This trojan already alters Safari, without an admin password. While it is not directly capable of key-logging, it is capable of sending you to a site that looks just like your bank's, or the IRS, or any number of other sites that you may enter sensitive identity compromising data. There are a number of users who won't even think twice about this kind of thing, mostly because they have the (mistaken) idea that Macs are immune from this kind of thing.

As I stated at the bottom of that post, I'm less worried by this particular variant, and more about one that is capable of carrying out attacks using other vulnerabilities to other User directory based programs. Just like the trojan itself, these types of compromises don't need to actually access the system itself, they only need to act as an agent for other activities outside of the system sandbox to have a potential effect.
 
This trojan already alters Safari, without an admin password.

Are you sure about that? My impression is different, at least concerning Snow Leopard and later. From the description in F-Secure (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml), Safari is altered if the user inputs their administrator password.

If the user did not input their administrator password, then the malware tries to alter every application launched by the infected user (probably in the hope that at least one is a third party web browser using the hijacked stream functions). The wording from F-Secure doesn't preclude that Safari or other write-protected applications are altered this way: "This in effect will inject binary2 into every application launched by the infected user." However, as I have seen no privilege escalation bug mentioned related to this malware, I'm assuming that this refers only to applications writeable by the infected user. Otherwise, it wouldn't make much sense that the malware prompts you for your password and acts differently depending on your answer. Maybe some of the users who were infected without entering their admin password can confirm whether their Safari application was altered or not.
 
Free FlashbackChecker tool for those wary of Terminal

Just learned via Macworld UK site that there's a simple downloadable tool for those less-tech-savvy Mac users who want to put their minds at rest about whether their Mac has been infected by the Flashback malware. FlashbackChecker searches and reports (but does not deal with any infection if one is present). The tool runs on Mac OSX 10.5 and higher (on both Intel and PowerPC Macs using any of those Operating Systems.)

FlashbackChecker is a 38k download and apparently was created by Juan Leon, a software engineer at Garmin International, known (it says here) for their GPS work.

Ars Technica first reported this story, apparently.

Here's where the tool's at:

https://github.com/jils/FlashbackChecker/wiki
 
Are you sure about that? My impression is different, at least concerning Snow Leopard and later. From the description in F-Secure (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml), Safari is altered if the user inputs their administrator password.

If the user did not input their administrator password, then the malware tries to alter every application launched by the infected user (probably in the hope that at least one is a third party web browser using the hijacked stream functions). The wording from F-Secure doesn't preclude that Safari or other write-protected applications are altered this way: "This in effect will inject binary2 into every application launched by the infected user." However, as I have seen no privilege escalation bug mentioned related to this malware, I'm assuming that this refers only to applications writeable by the infected user. Otherwise, it wouldn't make much sense that the malware prompts you for your password and acts differently depending on your answer. Maybe some of the users who were infected without entering their admin password can confirm whether their Safari application was altered or not.

You may be correct in that, the wording is ambiguous enough that I'm not quite sure. On the other hand, the fact that it is going after alternate browsers is almost worse, since those don't have the sandboxing that Safari has. I think the fact that this is attacking other user directory applications that may be writable with only a security acceptance is still a concern, because anyone who has a third party browser installed is likely using it INSTEAD of Safari... nefarious indeed. Nice catch on clarification, I'd be interested to see what its actual behavior is.
 
You may be correct in that, the wording is ambiguous enough that I'm not quite sure. On the other hand, the fact that it is going after alternate browsers is almost worse, since those don't have the sandboxing that Safari has. I think the fact that this is attacking other user directory applications that may be writable with only a security acceptance is still a concern, because anyone who has a third party browser installed is likely using it INSTEAD of Safari... nefarious indeed. Nice catch on clarification, I'd be interested to see what its actual behavior is.

Alternate browsers are not targeted by this variant of flashback.

The injected binary specifically targets Safari.
 
Now we're seeing the PC users beginning to call Apple's virus-protection argument 'Marketing' that we're 'Blindly following'. Worse yet, they're calling it propaganda to Mac users, along with the stereotype of them lacking knowledge of technology, and even intelligence in general. Personally, I think it's completely silly. Copying and pasting 3 lines of code into Terminal is somehow much worse than using a usually non-free, definitely non-lightweight virus protection program? Yes, it's a problem, but it's a single virus. Simply by reading a news article we can completely detect and remove it. There's no extensive list or anything, just one thing. Also, people who get these kinds of things aren't always being completely stupid. Let's say you needed some kind of software on your system from this obscure source, and you'd just have to trust them for once and get it, it could even be necessary to actually get any use out of your computer. With a Mac, you'd have the freedom to test it out without having the risk of turning your computer into a paperweight or having your eBay account become hijacked. On Windows, your freedom over software could be severely limited for 'common sense'.
 
:(

I feel left out because I'm not part of the 600,000 :(
So are the rest of the 56 Macs I tend to at work...
 
From what I understand reading many of the threads here, OS X is more secure than Windows.

Reading many of the threads at MacRumors:

Home page changed or redirected to another web site

- Windows: yes, this has happened all too much
- OS X: this has never happened.

Favorites changed or sites added to Favorites

- Windows: yes, this has happened all too much
- OS X: this has never happened.

Wallpaper changed or screensaver changed

- Windows: yes, this has happened all too much
- OS X: this has never happened.

System files changed or deleted

- Windows: yes, this has happened all too much
- OS X: this has never happened.

Search box or browser hijacking

- Windows: yes, this has happened all too much
- OS X: this has never happened.

If any of this happened, MacRumors would be all over it like the world is coming to an end.


Well, it is true malware can do this, but it will have to prompt for an admin password to do this!!! It cannot just install or do this on its own!! The way OS X works, if malware gets on your computer it cannot just install or do this on its own; it needs an admin password to install or make system or setting changes.

All those things talked about above are a very serious security breach!! But it cannot do this without an admin password to install or make system or setting changes.

Can spyware and keyloggers get on OS X? Yes!! Can they do anything? Not without an admin password to install them.

The way the OS works is that system files, the OS and settings are in an area of the OS that needs an admin password to make changes!! Whereas the user and the applications are in an area of the OS that does not need an admin password.

No idea why Windows is not like this!!


Well, the debate over whether OS X or Windows has more security holes and vulnerabilities, and who is faster to patch them, is another topic.
 
Now we're seeing the PC users beginning to call Apple's virus-protection argument 'Marketing' that we're 'Blindly following'. Worse yet, they're calling it propaganda to Mac users, along with the stereotype of them lacking knowledge of technology, and even intelligence in general. Personally, I think it's completely silly. Copying and pasting 3 lines of code into Terminal is somehow much worse than using a usually non-free, definitely non-lightweight virus protection program? Yes, it's a problem, but it's a single virus. Simply by reading a news article we can completely detect and remove it. There's no extensive list or anything, just one thing. Also, people who get these kinds of things aren't always being completely stupid. Let's say you needed some kind of software on your system from this obscure source, and you'd just have to trust them for once and get it, it could even be necessary to actually get any use out of your computer. With a Mac, you'd have the freedom to test it out without having the risk of turning your computer into a paperweight or having your eBay account become hijacked. On Windows, your freedom over software could be severely limited for 'common sense'.

If you want antivirus software, go and get it!! But keep in mind, no matter what Windows OS you use and what antivirus software, you will get malware and it may not detect it or remove it.


People that make malware these days are smart, so it is hard to remove from the computer, or they change the malware signature so it gets past the antivirus software, or the antivirus software does not know how to remove it.

That's why you need Norton, Malwarebytes, HijackThis, Lavasoft, spyblaster and so on, and even then it may not remove the malware. Malware makers are making it very hard to remove malware these days, with very bad infections.

There are a lot of these payload viruses and trojans these days going in the ads, pop-ups, banners, Flash, Java and bad scripts on the page.

Whereas in the old days most of these viruses and trojans were in email attachments or on floppies.

There are also a lot of viruses and trojans at porn sites and file sharing sites, not to mention pirated software.

----------

You haven't used Windows 7, have you?

If you mean Windows UAC in Windows Vista and Windows 7: a very good idea, Microsoft, but very badly implemented.

There is also the problem that many applications need to run in full admin mode, so this is another major problem for Microsoft.

If Microsoft forced all applications to not run in full admin mode, much older software would not work.

----------

Alternate browsers are not targeted by this variant of flashback.

The injected binary specifically targets Safari.

Safari and Internet Explorer have the worst sandboxing.

That is why I use Firefox; it does not just download onto the computer without a prompt.
 
Even though I wasn't infected with this and don't have Java installed, and it is disabled in Safari on my Macs, this whole situation scares me because I feel that I have no way of knowing if anything else has infected any of my computers or how I would even remove it. I know there are directions on removing this Trojan, but what about in the future if a new and worse Trojan or other type of malware is released, or if other ones already exist? I am now actually afraid to do any online banking or purchase anything online anymore. I have stopped doing any of those things. This is terrible. I might just be being paranoid, but how am I to know if I visit an infected site and something installs itself on one of my computers?
 
Safari and Internet Explorer have the worst sandboxing.

That is why I use Firefox; it does not just download onto the computer without a prompt.

Safari's sandbox is now equivalent to Chrome's sandbox given that Safari has the same types of sandbox (mandatory access control) but Safari is owned by system by default (so also protected by discretionary access control).

Safari also uses Keychain by default and this provides Safari with better protected storage than alternative browsers. Using Keychain is a declared future goal of both Firefox and Chrome because of the added protection it provides.

Firefox has the worst protected storage of all the alternative browsers.
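The argument above, and the earlier exchange about the malware only being able to alter applications "writeable by the infected user", can be checked directly on a machine. The script below is an added example, not code from the thread or from any tool it mentions; it assumes the stock locations /Applications (system-owned on a default install) and ~/Applications, and treats a bundle as modifiable without a password if the .app directory, its Contents directory or its Info.plist is writable by the user running the script.

```shell
#!/bin/sh
# Added example: report which application bundles a non-admin user could
# modify without being prompted for an administrator password.
# Under discretionary access control, a process running as the logged-in
# user can only rewrite files that user has write permission on, so any
# bundle listed here is one that user-level malware could tamper with.
# Assumed locations: /Applications and ~/Applications (not from the thread).

# writable_apps DIR: print each *.app under DIR that the current user can write.
# A bundle counts as writable if the bundle directory, its Contents directory
# or its Contents/Info.plist is writable; a missing DIR prints nothing.
writable_apps() {
    dir=$1
    [ -d "$dir" ] || return 0
    for app in "$dir"/*.app; do
        # an unmatched glob leaves the literal pattern, which is not a directory
        [ -d "$app" ] || continue
        if [ -w "$app" ] || [ -w "$app/Contents" ] || [ -w "$app/Contents/Info.plist" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# count_writable_apps DIR: number of user-modifiable bundles under DIR.
count_writable_apps() {
    writable_apps "$1" | wc -l | tr -d ' '
}

# Scan the two stock locations. On a default Mac the system-owned
# /Applications should yield nothing for a non-admin user, while anything
# dropped into ~/Applications (third-party browsers, for example) will show up.
for d in /Applications "$HOME/Applications"; do
    echo "== $d: $(count_writable_apps "$d") user-modifiable bundle(s) =="
    writable_apps "$d"
done
```

Run it as the ordinary (non-admin) account, not with sudo, since a root process can write anywhere and the report would be meaningless.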
 
I might just be being paranoid but how am I to know if I visit an infected site and something installs itself on one of my computers?
As for future threats that don't yet exist, it's wise to stay informed of changes to the malware environment. You can easily do that by watching this forum or the technology news media, since any noticeable change in the Apple malware scene generates headlines. For the malware environment as it exists today, read the following.

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
  1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

  2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

  3. Uncheck "Enable Java" in Safari > Preferences > Security. This will completely protect you from the Flashback malware. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

  4. Change your DNS servers to OpenDNS servers by reading this.

  5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

  6. Never let someone else have access to install anything on your Mac.

  7. Don't open files that you receive from unknown or untrusted sources.

  8. Make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

  9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.

If you insist on running antivirus software, ClamXav is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system. ClamXav has a Sentry feature which, if enabled, will use significant system resources to constantly scan. Disable the Sentry feature. You don't need it. Also, when you first install ClamXav, as with many antivirus apps, it may perform an initial full system scan, which will consume resources. Once the initial scan is complete, periodic on-demand scans will have much lower demands on resources.
 
As for future threats that don't yet exist, it's wise to stay informed of changes to the malware environment. You can easily do that by watching this forum or the technology news media, since any noticeable change in the Apple malware scene generates headlines. For the malware environment as it exists today, read the following.

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
  1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

  2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

  3. Uncheck "Enable Java" in Safari > Preferences > Security. This will completely protect you from the Flashback malware. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

  4. Change your DNS servers to OpenDNS servers by reading this.

  5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

  6. Never let someone else have access to install anything on your Mac.

  7. Don't open files that you receive from unknown or untrusted sources.

  8. Make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

  9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.

If you insist on running antivirus software, ClamXav is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system. ClamXav has a Sentry feature which, if enabled, will use significant system resources to constantly scan. Disable the Sentry feature. You don't need it. Also, when you first install ClamXav, as with many antivirus apps, it may perform an initial full system scan, which will consume resources. Once the initial scan is complete, periodic on-demand scans will have much lower demands on resources.

Thank you for this information, when I get home from work I will read it more thoroughly and put these steps into practice. Will enabling the firewall block certain sites? This OpenDNS thing, what even is that exactly? Those 2 steps are really the only ones that I am not currently practicing yet. Thank you.
 
Thank you for this information, when I get home from work I will read it more thoroughly and put these steps into practice. Will enabling the firewall block certain sites? This OpenDNS thing, what even is that exactly? Those 2 steps are really the only ones that I am not currently practicing yet. Thank you.
The firewall can block certain apps from incoming connections. DNS servers are used to convert domain names such as www.apple.com into IP addresses such as 2.23.61.15. The OpenDNS servers are blocking the Flashback trojan.
 
The firewall can block certain apps from incoming connections. DNS servers are used to convert domain names such as www.apple.com into IP addresses such as 2.23.61.15. The OpenDNS servers are blocking the Flashback trojan.

Hmm, interesting. I will have to do some more research on OpenDNS. Will enabling my firewall block iTunes from, let's say, finding artwork, or connecting to the iTunes store? Also, will iCloud still sync my bookmarks and address contacts etc.? If an app doesn't work properly with the firewall enabled, do I have to disable it temporarily or can I allow the one app to bypass the firewall? Is that counterproductive? Any informative links to the Mac firewall and OpenDNS are appreciated. Thank you!
 
Hmm, interesting. I will have to do some more research on OpenDNS. Will enabling my firewall block iTunes from, let's say, finding artwork, or connecting to the iTunes store?
No, not unless you block iTunes in your firewall settings.
Also, will iCloud still sync my bookmarks and address contacts etc.?
Yes.
If an app doesn't work properly with the firewall enabled do I have to disable it temporarily or can I allow the one app to bypass the firewall?
You can set specific apps to be blocked or allowed. Just go to System Preferences > Security > Firewall
 
No, not unless you block iTunes in your firewall settings.

Yes.

You can set specific apps to be blocked or allowed. Just go to System Preferences > Security > Firewall

Oh ok cool! I also noticed you linked me to informative sites relating to my concerns in your other post. Thanks again. I am basically trying to make sure that besides me having issues, that my mom and brother who are casual users don't have issues surfing the web, but don't also mess anything up accidentally. I password protected my main computers but unfortunately the guest account can still use safari. It's so that in case my computer gets stolen I can still locate it through iCloud. I'm sure you know that obviously. Wish there was a way around that too. The main family Mac is not password protected.
 
Now we're seeing the PC users beginning to call Apple's virus-protection argument 'Marketing' that we're 'Blindly following'. Worse yet, they're calling it propaganda to Mac users, along with the stereotype of them lacking knowledge of technology, and even intelligence in general. Personally, I think it's completely silly. Copying and pasting 3 lines of code into Terminal is somehow much worse than using a usually non-free, definitely non-lightweight virus protection program? Yes, it's a problem, but it's a single virus. Simply by reading a news article we can completely detect and remove it.

It's not even a virus. People are making such a big deal out of something that affects so few people and something that has even been addressed now by both Apple and 3rd party resources.
 