Flashback behaviour

Discussion in 'Mac Basics and Help' started by seustice, May 1, 2012.

  1. seustice, May 1, 2012
    Last edited: May 2, 2012

    seustice macrumors newbie

    Joined:
    May 1, 2012
    Location:
    London
    #1
    I work in a school and my ISP has alerted me to at least 1 Mac on my BYOD IP that is exhibiting the behaviour of the Flashback malware.

    Does anyone have any idea as to what I should be looking for on the firewall so that I can identify the internal IP (and thus track the user down)?
     
  2. musty345 macrumors regular

    musty345

    Joined:
    Feb 28, 2010
    Location:
    United Kingdom
    #2
    Would it be possible to get all Mac users to update their Macs? Apple has released a Flashback remover tool in their updates. Maybe let all of your students know in an assembly and ask your ISP if it's still there?

    Someone else may come up with a better solution, but this is all I can think of.

    Here's a link to the article about the update http://techcrunch.com/2012/04/13/apple-releases-mac-flashback-trojan-removal-tool/
     
  3. seustice thread starter macrumors newbie

    Joined:
    May 1, 2012
    Location:
    London
    #3
    Unfortunately this is not an option: these are not devices we own. Although we can send out advisory notes, we cannot enforce it.
     
  4. Macman45 macrumors demi-god

    Macman45

    Joined:
    Jul 29, 2011
    Location:
    Somewhere Back In The Long Ago
    #4
    Can you run the removal tool from Apple?

    http://support.apple.com/kb/DL1517?viewlocale=en_US&locale=en_US

    Can't see why they would object to that...I'm guessing you have a third party contract? They come in and maintain your school equipment...You might find your systems are so locked down that the tool won't run, but it's what they would do...:)
     
  5. seustice thread starter macrumors newbie

    Joined:
    May 1, 2012
    Location:
    London
    #5
    These are the students' own devices. I need to figure out a way to identify who has the infection by going through firewall logs, but I need to know what I'm looking for. The end goal is to identify the user and advise them to run the removal tool.
     
  6. Macman45 macrumors demi-god

    Macman45

    Joined:
    Jul 29, 2011
    Location:
    Somewhere Back In The Long Ago
    #6
    Why not run them on all? Chances are that if one student has it, and I'm assuming they communicate with each other using the devices, then more than one is likely to have the Malware....A one shot solution would be to run on all.
     
  7. seustice thread starter macrumors newbie

    Joined:
    May 1, 2012
    Location:
    London
    #7
    I agree, but an email saying "You have an infection" is much more likely to generate some action than an email saying "You should check that you don't have an infection".

    I appreciate the input, but if my ISP can detect a device has it, it must be generating a log on the firewall that would identify them, if I only knew what to look for. Remember, these are not devices we own, or lease, or exert any central control over.
     
  8. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #8
    Ask your ISP exactly what they detected, then check your logs for the same thing.

    I suggest doing some reading on the Flashback malware: what its attack modes are, what the vulnerabilities are, and what the effects are. There are plenty of articles around the web on it, even though some of them have conflicting information (e.g. one says it's only a fake installer, while another says it's a fake installer or a simple drive-by download).

    AFAIK, the current attack vector is always a Java vulnerability in a web browser. So that leaves out any iOS device, since they have no Java on them. Also AFAIK, it was an open vulnerability only in Mac OS X Java, so any device with Java but not running Mac OS X is unlikely to be a victim. Furthermore, if Java is disabled in the browser (Safari > Preferences > Security > Enable Java off) then the attack is completely thwarted, again AFAIK.

    NOTE: It's a Java vulnerability, not JavaScript. Java is a completely different language and product than JavaScript. Java is to JavaScript as ham is to hamster, i.e. same initial letters, completely different otherwise.

    After being infected, the malware contacts some command-and-control servers to obtain additional instructions or code. The researchers who found it also determined what the DNS names of those servers are, and proceeded to register the domains for themselves. So an infected machine is effectively telling the researchers it's infected.

    Later, it was found the malware would also use Twitter to search for certain patterns that signalled a command. I don't know how far that research has gone in identifying the patterns.

    Apple enlisted the aid of ISPs to identify or shutdown the routing of requests that go to the command-and-control servers. That's probably what your ISP detected: an attempt to contact one of those servers. But exactly which server I don't know. The domain names might be listed in one of the articles describing Flashback, on one of the security sites tracking it. Or it might not.

    If your ISP knows what server names it's looking for, then ask them what they are. That seems the easiest approach to me.

    The only other approach I can think of is to dig into the articles about exactly what servers the malware is contacting, and ferret out that information yourself.

    The above is simply what I've gathered by reading a few articles on Ars Technica, and following a few of their links to the web pages of security firms tracking the malware. I haven't done any significant digging into it, nor ferreting out of server information.
     
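The check chown33 describes above (take the server names or addresses the ISP reports, then look for the same thing in your own logs), as an added example that is not code from any post in this thread: given a list of C&C domains and IPs, scan LAN-side DNS query and firewall session logs and report every internal host that looked one of them up or connected to one. The indicator values, the two log formats, the 10.20.0.0/16 BYOD range and every sample line are constructed placeholders; the real Flashback indicators must come from the ISP's report or a security vendor's published list.

```python
"""Find internal hosts that resolved or connected to reported C&C indicators.

Added example for this thread, not code from any post. The indicator list,
the log formats and every address below are constructed placeholders; the
real Flashback C&C names/IPs must come from the ISP's report or from a
security vendor's published list.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical indicators, in the shape an ISP might report them.
INDICATORS = {
    "domains": {"cc-example-1.test", "cc-example-2.test"},
    "ips": {"203.0.113.45"},          # RFC 5737 documentation range
}

# Assumed BYOD address range; only sources inside it are reported.
LAN = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample lines: a resolver query log and a firewall session log.
SAMPLE_LOG = """\
2012-05-01T08:14:02Z dns query src=10.20.4.17 qname=www.example.com
2012-05-01T08:14:05Z dns query src=10.20.4.17 qname=cc-example-1.test
2012-05-01T08:14:06Z fw allow proto=tcp src=10.20.4.17:49211 dst=203.0.113.45:80
2012-05-01T08:15:40Z dns query src=10.20.9.3 qname=updates.apple.com
2012-05-01T08:16:11Z fw allow proto=tcp src=10.20.9.3:50120 dst=198.51.100.7:443
2012-05-01T08:20:55Z dns query src=10.20.7.88 qname=sub.cc-example-2.test
2012-05-01T08:21:00Z dns query src=192.0.2.9 qname=cc-example-1.test
"""

DNS_RE = re.compile(
    r"^(?P<ts>\S+) dns query src=(?P<src>[\d.]+) qname=(?P<qname>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw \w+ proto=\w+ src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):\d+$")


def domain_matches(qname, domains):
    """Return the indicator domain that qname equals or is a subdomain of."""
    qname = qname.rstrip(".").lower()
    for d in domains:
        d = d.lower()
        if qname == d or qname.endswith("." + d):
            return d
    return None


def scan(log_text, indicators, lan):
    """Map each internal source IP to the (timestamp, evidence) hits found."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            src = m["src"]
            if ipaddress.ip_address(src) not in lan:
                continue            # not one of our BYOD hosts
            if domain_matches(m["qname"], indicators["domains"]):
                hits[src].append((m["ts"], "DNS lookup of %s" % m["qname"]))
            continue
        m = FW_RE.match(line)
        if m and m["dst"] in indicators["ips"]:
            src = m["src"]
            if ipaddress.ip_address(src) in lan:
                hits[src].append((m["ts"], "connection to %s" % m["dst"]))
    return {ip: sorted(ev) for ip, ev in hits.items()}


if __name__ == "__main__":
    for ip, evidence in sorted(scan(SAMPLE_LOG, INDICATORS, LAN).items()):
        print(ip)
        for ts, what in evidence:
            print("  %s  %s" % (ts, what))
```

Two practical points for the OP's situation: the logs have to be taken on the LAN side of any NAT, because what the ISP sees is only the school's public address, and the DNS resolver log is usually the better source since the lookup of the C&C name precedes any connection and is visible even when the connection itself is blocked. Once an internal IP is found, it still has to be mapped to a person through the DHCP lease or wireless association records for that timestamp, since BYOD addresses change.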