Really? "All Programs -> Accessories -> Command Prompt" is difficult to find? :rolleyes:
That's what my friend told me when she moved from XP to Win 7. :rolleyes:

Why you've mentioned Windows' MS-DOS here is beyond me. Just because an aspect of a Mac may be marginally easier than that of a PC doesn't mean it cannot and should not be improved upon. Doing something better than a Windows machine does not justify a weak part of a Mac.
I mention MS-DOS because I'm a former Windows user; a number of Mac users are as well. I'm pointing out that the experience of looking for a trojan on a Mac isn't so dramatically different for ex-Windows users.
I'm not sure what your idea of an improved method is, but I'd rather use a manual method than install a program that uses up resources.

As an aside, I used quicksilver to find terminal. <opt>+space is how I start up most programs.
 
Mac users must ensure that their Java environment is updated to avoid system compromi

Another bit of information, which may be of interest.



Apple Mac OSX users are warned that there is the potential for malware infections which can affect users of Apple's OS X operating system. It appears that cybercriminals have begun to use 'drive-by' exploitation techniques to infect OS X users, rather in the same way that they have targeted MS Windows users previously.

The Java exploit that allows this to happen (CVE-2012-0507) was not previously patched in the version of Java distributed by Apple. Now Apple has responded by patching the six-week-old flaw with an update to Java 6 update 31. Apple's own bulletin says "Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31".

The Mac update required to protect your machine is Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7.

It is suggested that a large number of Macs have already been caught out by this exploit. The initial code compromises the system and then downloads more malicious software that carries out further attacks depending on its type and function. The main payloads have been a data stealing Trojan that attempts to steal passwords and banking information from Safari users and the other appears to trigger a search engine redirection, presumably to perform advertising fraud or direct victims to further malicious content.

If you use a Mac, you should see the update arriving on your machine soon.
-------------------------------------------------------------------------------------------------------------------

W E B L I N K S
Sophos:
http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/

Sophos:
http://nakedsecurity.sophos.com/201...-that-was-being-used-to-compromise-mac-users/

Brian Krebs:
http://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/
The Register:
http://www.theregister.co.uk/2012/04/02/flashback_mac_malware/
Apple Advisory: http://support.apple.com/kb/HT5228
Oracle (JAVA) advisory:
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
 
How is this hard? Apple makes it easy to find Terminal with Finder--unlike with Windows 7, where you have a bitch of a time finding the MS-DOS prompt.
How do you work that out when the steps are essentially the same?

Typing terminal in Spotlight is just as easy as typing cmd.

Finder/Applications/Utilities/Terminal
Start/All Programs/Accessories/Command Prompt
 
Is the point of this thread to discredit the claim that 600,000 Macs have been infected?

Well, it depends.

If tons of people write back and report no infections, and nobody reports finding an infection, then this thread will tend to discredit the 600,000 claim.

On the other hand, if lots of people report finding their Mac is infected then this thread will tend to support the 600,000 claim.

My personal motive is just curiosity. I like to check what I am told.
 
Stop press! World headlines! One trojan found for the Mac!

And in the Windows world? The fact that it is such big news, that there are so very few of them (and ones you have to install yourself at that) shows the big difference between the OSs in terms of trojans. As for viruses, forget it.

In any case, - java? Just switch the damn thing off.

:apple:
 
I posted about an infection recently. My first Mac was a 1998 Powerbook, so I have a sense of what popups are normal.

I saw a popup. Not one of the ones described above, as there are a number of variants. I did not grant privileges. I ran ClamXav, which found nothing. (ClamXav was in an Applications sub-folder, by the way.)

I googled the application that requested privileges and found nothing. The names aren't constant for all the variants.

At the time, I had the same idea as many of you that I needed to do something active to install malware.

This trojan is reported to be on many seemingly respectable blogs. I hadn't been clicking away on dodgy sites.

My error was passive and encouraged by Apple. I'd reinstalled the OS and forgotten that Apple enables Java in Safari by default.

The only way I knew that anything was wrong was that all my PPC apps began crashing. Following the F-Secure instructions, I found and removed the files that they correctly say are installed without user intervention. My PPC applications then behaved normally.

I don't care if you call this malware, a trojan, a virus or My Aunt Susan.

If it represents something that can install itself without user intervention and might be able to give up passwords, then it is not a good thing.

I changed any passwords that I care about.

Anyone who wants to support the OS X platform should stop posting outdated information, recognize that this malware exists and encourage people to take sensible precautions.

You can sneer at anyone running a vulnerable version of OS X or you can help them. Sneering will mean more infected Macs. Helping will mean fewer. Up to you....

As for outdated, my current Mac came with Snow Leopard installed and is still under warranty. Apple is supposed to support products that are still under warranty.
 
1) I know that MacRumors is an Apple oriented place, where Apple lovers come to discuss things about Apple's product.

2) Posts like the one I quoted make it look like a fanboy place, not an Apple technology discussion place.

1a) Emphasis on the word "discuss"

I particularly enjoy a *good discussion*, it's one of the reasons I participate in forums. Good discussions are valuable and educational.

They may also be very successfully conducted without the stupid pictures and "Cool Story Bro" captions, that we see on this site so much.

Only children get a kick out of that infantile behavior.


2a) I could not agree more. And then people wonder why the "fanboy" classification is applied to them.
 
It infects itself in every binary you run. It also installs itself just by visiting a webpage, and exploiting a security hole. No user interaction necessary, besides just visiting a bad URL.


A Windows-style drive-by.

There is no safety net.
 
Perspective

Ok folks here's some perspective...

1. The Trojan will not install if you have antivirus installed

2. The Trojan requires the user to knowingly install something, and if unexpected, anyone who has been on the Internet a few years knows you don't install something unexpected

3. 600,000 Macs is 11.5% of Macs sold between October 2011 and December 2011. The percentage gets smaller as you include total installed base.

4. It's been patched so the percentage is only going to drop

5. Wow, that's one that stuck. Still way more secure than Windows last year alone.

6. Help your friends learn Item 2 above.
 
2. The Trojan requires the user to knowingly install something, and if unexpected, anyone who has been on the Internet a few years knows you don't install something unexpected
Please tell me what I knowingly installed other than Safari?
 
Umm, no it doesn't.

The article has clearly stated that you need to use Terminal, which involves commands and some deep knowledge of what you're doing, for Flashback's removal.
In Windows, you just need to use Windows Malicious Software Removal Tool or a decent anti-virus, which involves 1 or 2 clicks.

Yea, it's gotta be very hard to click things. I mean, typing commands in Terminal must be simpler.

I know that MacRumors is an Apple oriented place, where Apple lovers come to discuss things about Apple's product. But, posts like the one I quoted make it look like a fanboy place, not an Apple technology discussion place.

Did you look at the F-Secure link? The commands and expected responses are right there to copy and paste, like good documentation writers make. And yes, copying and pasting into a Terminal window is something even a Windows user can do.
 
The article has clearly stated that you need to use Terminal, which involves commands and some deep knowledge of what you're doing, for Flashback's removal.
In Windows, you just need to use Windows Malicious Software Removal Tool or a decent anti-virus, which involves 1 or 2 clicks.

Yea, it's gotta be very hard to click things. I mean, typing commands in Terminal must be simpler.

I know that MacRumors is an Apple oriented place, where Apple lovers come to discuss things about Apple's product. But, posts like the one I quoted make it look like a fanboy place, not an Apple technology discussion place.

I was referring to that shortcut virus that has been making the rounds in the Windows sphere recently. It requires not just Malwarebytes, but TDSSKiller, ComboFix, and even then sometimes you have to do extra things to get rid of it / return the system to how it was before. Especially if it trashed all the shortcuts. Users cannot find software without a shortcut somewhere and remaking all of those is very time consuming... Anyway, yes I agree, most Windows malware is an easy click-and-wait procedure but some aren't.

Sorry for the fanboy-sounding comment, I've just been super frustrated with this shortcut virus thing lately. I'm not sure that's the official name but this is the one that several of my users have gotten recently, though it appears to be a variant since they are still getting it and I haven't seen this particular email in a while. http://www.mcbsys.com/blog/2011/11/new-airline-ticket-virus-email/
 
Pardon my ignorance but my use of Terminal has been somewhat limited. Do I enter the commands one at a time or both at once? Also, since I have Office 2011 installed, are the Terminal commands not needed, as stated in previous posts?

Thanks in advance for helping me to understand.


Yes, you need to copy and paste the commands into Terminal one at a time, hitting Enter after each.

Are we safe then? Maybe not. We don't know how old this info is. The author(s) of the program could have rolled out updates already that made the program uninstall itself from its previous haunts after reinstalling itself somewhere else in the operating system.

Trojans are the worst form of malware.
 
From the instructions:

On execution, the malware checks if the following paths exist in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

So if you have any of these apps installed, you should be alright?

Xcode? Wow, this is one useless piece of malware to be scared off by Xcode.
Anyways, I always have Little Snitch installed on all my machines. Wish there was a windows version of it available, the alternatives are too annoying.


It infects itself in every binary you run. It also installs itself just by visiting a webpage, and exploiting a security hole. No user interaction necessary, besides just visiting a bad URL.

Not true at all. You can't install this only by visiting a website... Nothing opens automatically, and even if it did, this Trojan requires your user permission to install. It will ask for your admin username/pass before it does anything. You have to be pretty stupid to give it that info. OSX does not have the same vulnerabilities as Windows where it can be installed unattended by simply visiting a website. There are no known exploits that can elevate to admin privileges without user permission which is why there have been ZERO Viruses for OSX over the past 11 years.
 
Clean here; update your system often and you should not run into these trojans...
The malware self-installs after you visit a compromised or malicious webpage. Obviously, it would be a good idea to update any Macs in your control.

For those who want to check if mac is infected (from F-Secure instructions):
Run the following command in terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get "The domain/default pair ... does not exist" for both - you are clean


from 9to5mac

Clean here, too.

Thanks.
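An added example, not from this thread and not F-Secure's own tool: a small audit script that wraps the two `defaults read` checks quoted above, the list of applications whose presence makes Flashback delete itself (from the F-Secure write-up quoted earlier in the thread), and the Java 1.6.0_31 floor from Apple's bulletin. The function names are this example's own. It assumes only what the post states: a missing key makes `defaults` report "does not exist" (on stderr), and any other output means the key is set and its value should be inspected.

```shell
# Added example (not from the thread or from F-Secure): Flashback indicator
# audit. Function names are this example's own.

# Classify the output of `defaults read <domain> <key>` with stdout and
# stderr merged. A missing key makes `defaults` say "... does not exist",
# which is the clean case; any other output means the key is set.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *) echo suspect ;;
    esac
}

# Run one indicator check against the live system. stderr is folded into
# stdout because `defaults` reports the missing-key case there.
check_indicator() {
    out=$(defaults read "$1" "$2" 2>&1)
    verdict=$(classify_defaults_output "$out")
    printf '%s %s: %s\n' "$1" "$2" "$verdict"
    [ "$verdict" = clean ]
}

# Print which of the paths from the F-Secure write-up exist under $1.
# Pass "" for the real filesystem; a prefix lets the list be checked
# against a scratch tree.
deterrent_apps_present() {
    for p in "/Library/Little Snitch" \
             "/Developer/Applications/Xcode.app/Contents/MacOS/Xcode" \
             "/Applications/VirusBarrier X6.app" \
             "/Applications/iAntiVirus/iAntiVirus.app" \
             "/Applications/avast!.app" \
             "/Applications/ClamXav.app" \
             "/Applications/HTTPScoop.app" \
             "/Applications/Packet Peeper.app"; do
        [ -e "$1$p" ] && echo "present: $p"
    done
    return 0
}

# Compare a Java 6 version string such as 1.6.0_29 against the patched
# 1.6.0_31 from Apple's bulletin. Other major versions are reported as
# unknown rather than guessed.
java_patched() {
    case "$1" in
        1.6.0_[0-9]*)
            if [ "${1#1.6.0_}" -ge 31 ]; then echo yes; else echo no; fi ;;
        *) echo unknown ;;
    esac
}

# Live run, only where `defaults` exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    status=0
    check_indicator /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_indicator "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    deterrent_apps_present ""
    ver=$(java -version 2>&1 | sed -n 's/^java version "\(.*\)"/\1/p')
    echo "java ${ver:-not found} patched: $(java_patched "$ver")"
    if [ "$status" -eq 0 ]; then
        echo "no Flashback indicators found"
    else
        echo "inspect the keys marked suspect before deleting anything"
    fi
fi
```

A "suspect" result is a prompt to read the value, not proof of infection: a key that is set points at a library that gets injected into Safari (or every process, in the `DYLD_INSERT_LIBRARIES` case), so note the path before removing the key. The app list is a reminder of how shallow that "safety net" is: it is a check the malware performs by choice, and a later variant can simply drop it.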
 
Ok folks here's some perspective...

1. The Trojan will not install if you have antivirus installed

2. The Trojan requires the user to knowingly install something, and if unexpected, anyone who has been on the Internet a few years knows you don't install something unexpected...

1. That is just by design, for this particular piece of malware. For whatever reason it checks for specific apps and removes itself if they are there. Remove that check, and it likely installs and runs as it was intended.

2. Even if you don't enter your password, it still infects (unless Word, Office '08, Office '11, or Skype exist; if so, see #1).
 
I just can't help but wonder if this stuff is real or if the conspiracy theorists are right. Is it a natural evolution or AV companies with decreasing PC market share? Oh well, I'm sure it's Chinese hackers that will never be caught and Antivirus companies will provide immediate solutions for a premium. :)


Why are the exploits endless? Why has there been no push from above to put a stop to this? Forbes.com recently had a piece about exploit hackers selling their finds for huge dollars to the NSA, CIA, FBI, MI6, BND etc.

Encryption really works. PGP and TrueCrypt can lockup hard drives and keep these agencies out. Their way in is through online exploits.
 