Microsoft has a weekly (every Tuesday) release of security updates & patches. To apply them it's just like a software update on a Mac, automatic & easy. Just one click to launch and in minutes you're set.

The only difference is MS has expertise with this & Apple doesn't (Yet). As much as some Mac users need to pump up their ego by bashing MS, you're wasting your time & revealing a lack of current knowledge.

Forget the myths, they're propagated by the unaware.

Neither my Mac nor Windows computers have crashed or been infected in many years. Not even a BSOD. They're just computers. Learn safe computing & enjoy trouble-free sessions.

I work in IT fixing Windows servers and desktops for a living and am well aware of their strengths/weaknesses.

I wasn't bashing Microsoft, and saying that they get infected is not a myth in the least, it's common. Anyone on here would be hard pressed to find a friend that hasn't had their Windows machine infected with something before. If it was a myth Microsoft wouldn't have pumped a ton of money into MS Security Essentials and Windows Malicious Software Removal Tool.

Most people don't even know they're infected when they are because a virus doesn't look like what happens on TV where there are flashing gifs and spinning logos, the virus just does what it does quietly in the background and if the user is lucky antivirus catches it and reports it.

That being said most people don't realize Apple updates too. Aside from the security updates that everyone sees, there is a file it checks for and updates each time it connects to the internet. I forget how to find that file but users on the forum have posted about it before (if anyone knows what file I'm talking about and how to find it please post).
 
How much do you want to bet?

Three large anti-malware companies that spend millions per year on network snoops to discover botnets come up with very similar figures on the number of infected systems.

And somebody on the interwebs says he doesn't believe the numbers.


If companies / organizations who had nothing to gain were coming up with the same numbers, then ya then I would believe them.
 
They are using VMs. VMs are still using network resources, which in turn means they need to be treated the same as every other network resource.

I'm talking about using VMs created exclusively to test malware: it's obvious they need to be isolated from the network, antivirus or not.

You should not test software which you suspect contains malware in anything connected to your network because the antivirus (or any malware detector) does not guarantee 100% coverage. If the antivirus does not complain it might be that there is no malware, but it might also be that there is malware but it went undetected. In the latter case, if you are connected to the network you just put the whole network at risk.
 
None of our Macs were infected either. Add another skeptic to the list... We do nothing special to protect them, and our developers surf as much as anyone does who works the weird, long hours these keyboard jockeys do...
 
I'm talking about using VMs created exclusively to test malware: it's obvious they need to be isolated from the network, antivirus or not.

You should not test software which you suspect contains malware in anything connected to your network because the antivirus (or any malware detector) does not guarantee 100% coverage. If the antivirus does not complain it might be that there is no malware, but it might also be that there is malware but it went undetected. In the latter case, if you are connected to the network you just put the whole network at risk.

To test malware? I've never worked for a company that purposely tests malware on un-networked VMs. Sounds pretty much like a waste of security resources.
 
Must be those people who are scared to death of any updates and wait 4 years before finally committing.

Dramatic condescending hyperbole noted.

Personally I find it very disturbing that Leopard has not been supported in this Security update, since there are still a lot of Mac customers using that version (for whatever reason) **PLUS** the fact that Snow Leopard superseded Leopard only 2.6 years ago.

What this reveals to me is that Apple's "5 years support" policy statement really only applies to their hardware - - not their software ... including their own OS!

Apple is only providing fixes for OS X 10.7 and 10.6. Aren't there still significant numbers running Leopard or earlier?

Yes, if you consider 20% of the Mac installed base that's running Leopard or older (this number is as per Hitslink's usage stats).

In very round numbers, I'd make the breakdown of Mac OS versions to be:

40% - Lion
40% - Snow Leopard
15% - Leopard
5% - Tiger


Get ClamXav from AppStore for free...

Catch-22 alert: AppStore requires Snow Leopard (or later). So while that's a good idea, it doesn't do much good for the Macs running Leopard.

... Why would anyone type in their password and allow things when they have no idea where they come from?

Welcome to the land of Social Engineering. I've not checked to see if this is the case, but you can hopefully understand that if the trojan tries to represent itself as an innocent "Java Update", since many users know that they have Java on their machine, they'll probably assume it's okay.


If you are still running a ppc machine, you are not affected...

This is very good to know - - but I have to say that unfortunately, this is the first that I've actually heard this mentioned.

And in looking at Apple's support page for Flashback, this fact is not even mentioned.


-hh
 
In very round numbers, I'd make the breakdown of Mac OS versions to be:

40% - Lion
40% - Snow Leopard
15% - Leopard
5% - Tiger




Catch-22 alert: AppStore requires Snow Leopard (or later). So while that's a good idea, it doesn't do much good for the Macs running Leopard.

This is very good to know - - but I have to say that unfortunately, this is the first that I've actually heard this mentioned.

And in looking at Apple's support page for Flashback, this fact is not even mentioned.


-hh

The 15% Leo and 5% older ARE the old PPC machines and why would Apple mention the fact, that these are not affected? Do you really think, that somebody that runs with these old machines is in any way reachable for support? Most of them are not even online anymore, they are learning computers, media centers or better typewriters.
AppStore is indeed asking for SL and if you have an old Intel Mac with Leopard on it, you get the upgrade to SL FOR FREE from Apple. How is that for support? Why should they write a patch for a system when they can simply upgrade you to the new one? Of course, they hope that you, after receiving your free copy of SL, purchase an upgrade to Lion, but there is no must for that.
So, all in all I think Apple did a great job here, responding to a "threat" created by a Russian website and hyped by the media worldwide by writing a "patch" (for whatever, mainly probably to show that they do something) and a lot of Mac users are happy and feel safe.
Not that they ever were unsafe, but it's the thought that counts.

Still waiting for a real existing and working flashback trojan, anywhere, never mind half a million.
 
To test malware? I've never worked for a company that purposely tests malware on un-networked VMs. Sounds pretty much like a waste of security resources.

Well, I meant to test software which you suspect might contain malware. To quote your original post, emphasis mine:

Not one of our clients got the Flashback Malware and some of our clients' jobs are to find pirated software/media in order to catch pirates; so you know they are putting shady things on their machines (they have admin rights too!)

If they are doing that on whatever machine, the machine cannot be trusted anymore no matter which antivirus you had installed and needs to be re-imaged to be sure it's clean. If said machine was connected to a network it might also have put the whole network at risk.

If you need to run insecure code you want to do that in a safe, controlled environment, isolated from anything you care about. A dedicated hardware machine is even better, but it's much easier to just have a clean, throw-away VM that you can use as a disposable environment.
 
Well, I meant to test software which you suspect might contain malware. To quote your original post, emphasis mine:



If they are doing that on whatever machine, the machine cannot be trusted anymore no matter which antivirus you had installed and needs to be re-imaged to be sure it's clean. If said machine was connected to a network it might also have put the whole network at risk.

Needless to say we haven't had any outbreaks other than a machine here or there (not even in this group) get a virus in almost a decade. Whatever we are doing must work. We have a lot of hardware that sifts through the environment. Most remediation can be solved with solid hardware and solid infrastructure design.
 
The 15% Leo and 5% older ARE the old PPC machines and why would Apple mention the fact, that these are not affected? Do you really think, that somebody that runs with these old machines is in any way reachable for support? Most of them are not even online anymore, they are learning computers, media centers or better typewriters.

One of my 3 Macs is an older PPC iMac running Leopard that is connected to the Internet. My mom uses it to sync her iPad and my older brother uses it to surf the web etc. ... I am reachable for support. I don't agree with your statement.
 
One of my 3 Macs is an older PPC iMac running Leopard that is connected to the Internet. My mom uses it to sync her iPad and my older brother uses it to surf the web etc. ... I am reachable for support. I don't agree with your statement.
So what you are saying is that you looked at Apple Support and are not happy that Apple did not tell YOU that your machine is not affected by this only on Intel running Java code hole?

What did you actually lose? How many soon 7-year-old machines are in active use? And since they are not affected anyway, who cares?

----------

It was only a matter of time before something like this happened.
What actually happened?
 
So what you are saying is that you looked at Apple Support and are not happy that Apple did not tell YOU that your machine is not affected by this only on Intel running Java code hole?

What did you actually lose? How many soon 7-year-old machines are in active use? And since they are not affected anyway, who cares?

All I'm saying is that there are indeed people out there running these machines and connected to the Internet with them. Granted that number is getting smaller and smaller. The Apple page does say this:

Additional Information
For Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences.

Doesn't that indeed mean that PPC iMacs etc. CAN be affected? I don't see anything about "Intel" only? Where did you get that info? Not trying to be confrontational or anything, just genuinely wondering. Thanks.
 
All I'm saying is that there are indeed people out there running these machines and connected to the Internet with them. Granted that number is getting smaller and smaller. I'm just curious how you know they are not affected if Apple hasn't said so? Honestly just wondering, not attacking or trying to be confrontational.

Apple got nothing to do with it, the problem is with Java. And the only affected version is the one running on Intel (and compatible) machines. Java on other platforms can not do anything with it and none, not 1, infection has been reported from PPC or ARM.

Of course, saying that, no real infection has been shown on Intel either, all we know are these estimates and they vary wildly from nothing to "up to 600000" and anything in between. But for some reason, nobody seems to actually have a live one at home.

The only reason why Apple is involved is because Java is being supported by Apple for their machines while on Windows Oracle themselves bring updates and closed the hole there two months earlier. However, as you have to download the update on Windows machines as well, there should be in theory a very large number of infected Windows machines, simply by their numbers, but there are not. After all, not everyone updates their computer on a daily basis, the vast majority of Windows machines did not update ever, I see plenty of Windows computers running XP or Windows 7 (no SP), these people do simply not care. I can see daily by the amount of Windows malware I get in the mail on my Mac from Windows machines (tons of hidden .pifs etc.) that they do not care. Still, this was a massive Mac problem? No way.

I did not want to talk bad about PPC users, I got myself a Pismo Powerbook (upgraded to G4) I am very fond of and it works beautifully, so yes, there are PPC machines out there, but hardly anything to worry about and therefore no need for Apple to waste time on it.
 
Apple got nothing to do with it, the problem is with Java. And the only affected version is the one running on Intel (and compatible) machines. Java on other platforms can not do anything with it and none, not 1, infection has been reported from PPC or ARM.

Of course, saying that, no real infection has been shown on Intel either, all we know are these estimates and they vary wildly from nothing to "up to 600000" and anything in between. But for some reason, nobody seems to actually have a live one at home.

The only reason why Apple is involved is because Java is being supported by Apple for their machines while on Windows Oracle themselves bring updates and closed the hole there two months earlier. However, as you have to download the update on Windows machines as well, there should be in theory a very large number of infected Windows machines, simply by their numbers, but there are not. After all, not everyone updates their computer on a daily basis, the vast majority of Windows machines did not update ever, I see plenty of Windows computers running XP or Windows 7 (no SP), these people do simply not care. I can see daily by the amount of Windows malware I get in the mail on my Mac from Windows machines (tons of hidden .pifs etc.) that they do not care. Still, this was a massive Mac problem? No way.

I did not want to talk bad about PPC users, I got myself a Pismo Powerbook (upgraded to G4) I am very fond of and it works beautifully, so yes, there are PPC machines out there, but hardly anything to worry about and therefore no need for Apple to waste time on it.

Yeah I see what you're saying. I guess time will tell what the truth/outcome of all this will be.
 
Chlloret said:
Still waiting for a real existing and working flashback trojan, anywhere, never mind half a million.

Then go out and find it. Just because you personally haven't been infected, nor know anyone who has been, doesn't mean the problem doesn't exist.

Case in point, I wasn't affected by Sasser back when it made its way through a couple million XP machines back when. Never even ran across a single person who was affected by it. Does that mean Sasser was really nothing more than a small problem, overhyped by Apple affiliates to attempt making Macs look safer in comparison?

And anyway, this being the internet, if you have one website claiming something false, specially concerning something as well regarded and rigorously defended as your average Mac, you'd have at least 50,000 different websites going out of their way to disprove it. The only things I've seen thus far on the subjects are articles on Ars Technica, which only state that the methods used to come up with the numbers are sound, and thus could potentially be true.

What actually happened?

Macs became more popular.
 
The only things I've seen thus far on the subjects are articles on Ars Technica, which only state that the methods used to come up with the numbers are sound, and thus could potentially be true.
Well, yes, but even they could not show a live one. Believe me, I, and our IT folks in the office, ARE looking. We would like to find a website that infects, without user interaction, a Mac. And, once infected, actually makes it out to their control server. On its own. As "DrWeb" (another mystery in this story) claims, after all, they registered hundreds of domains this trojan tries to contact. Now, if this is true, then where is this half a million strong botnet going? To DrWeb's servers? Who programs a trojan that is not phoning home but creates random hosts? And even that only according to DrWeb and everybody that repeats their statements?
Why is nobody publishing the drive-by website that has infected over half a million Macs? After all, it must be a very popular site with Mac users and repel Windows users, because they did not get infected. How many sites have half a million visitors or at least a quarter million a month (over two months) exclusively Macs and are not told that they send out a trojan?

There are so many incredible stories and none are adding up. At least, show some real infected Macs but even that they can not do. All that has surfaced is a few machines that claim to have these two files on board that means they are affected. None has been shown to phone home, none has been shown to do anything in fact.
 
Well, yes, but even they could not show a live one. Believe me, I, and our IT folks in the office, ARE looking. We would like to find a website that infects, without user interaction, a Mac. And, once infected, actually makes it out to their control server. On its own. As "DrWeb" (another mystery in this story) claims, after all, they registered hundreds of domains this trojan tries to contact. Now, if this is true, then where is this half a million strong botnet going? To DrWeb's servers? Who programs a trojan that is not phoning home but creates random hosts? And even that only according to DrWeb and everybody that repeats their statements?
Why is nobody publishing the drive-by website that has infected over half a million Macs? After all, it must be a very popular site with Mac users and repel Windows users, because they did not get infected. How many sites have half a million visitors or at least a quarter million a month (over two months) exclusively Macs and are not told that they send out a trojan?

There are so many incredible stories and none are adding up. At least, show some real infected Macs but even that they can not do. All that has surfaced is a few machines that claim to have these two files on board that means they are affected. None has been shown to phone home, none has been shown to do anything in fact.

The reason why this bug isn't affecting Windows users is probably because it isn't written to do so. Just because both platforms have the same potential security hole doesn't mean any malware written to take advantage of it will be universal.

I'll rebut more once I'm back home. I'm on my iPad right now, and it isn't the best place to write out long replies.
 
The reason why this bug isn't affecting Windows users is probably because it isn't written to do so. Just because both platforms have the same potential security hole doesn't mean any malware written to take advantage of it will be universal.

I'll rebut more once I'm back home. I'm on my iPad right now, and it isn't the best place to write out long replies.

I'm on my iPad, like it better than anything else. Most amusing was with the test tool on DrWeb's website after stating my UID (from the iPad) I was promptly informed that my system was infected by Flashback.

Should not really be possible. But, just for the hell of it, I tested my Android phone, my Macs, two Windows machines and an Amazon Kindle. I used real UIDs and made up ones, I was always infected. :p

So much for the facts. Very convincing show.

Oh, and yes, the Java hole DID affect Windows. It affected Java running on Intel and compatible machines, the host system was not important.
 
The 15% Leo and 5% older ARE the old PPC machines...

I'd have to check the historical sales numbers, but I don't necessarily believe that there were enough PPCs sold to realistically represent 20% of today's installed base.

... and why would Apple mention the fact, that these are not affected?
  1. because it is good news;
  2. because it is easy;
  3. because it is true;
  4. because it helps with public image & perception of Apple as a company who actually cares about their customers;

Do you really think, that somebody that runs with these old machines is in any way reachable for support? Most of them are not even online anymore...

...but...if they're not online, then how was Hitslink able to see them to count them? Clearly, you need to rethink this claim and adjust accordingly.


...AppStore is indeed asking for SL and if you have an old Intel Mac with Leopard on it, you get the upgrade to SL FOR FREE from Apple.

Not quite: those "Free SL" reports were only for select MobileMe customers.


How is that for support? Why should they write a patch for a system when they can simply upgrade you to the new one? Of course, they hope that you, after receiving your free copy of SL, purchase an upgrade to Lion, but there is no must for that.

Leopard is still younger than 5 years old, so some level of support is IMO expected (regardless of PPC vs Intel). Granted, a "free upgrade" (to SL) would be one acceptable way of accomplishing this, but this option has not been acted upon by Apple.


So, all in all I think Apple did a great job here...

And I don't, for the reasons I've stated. We will just have to agree to disagree.

Still waiting for a real existing and working flashback trojan, anywhere, never mind half a million.

And equally anecdotally, I personally have over a million miles flown in commercial aircraft and I am still alive & well ... so by your line of reasoning, I can only conclude that airplane crashes must be fictional too. :rolleyes:


-hh
 
And equally anecdotally, I personally have over a million miles flown in commercial aircraft and I am still alive & well ... so by your line of reasoning, I can only conclude that airplane crashes must be fictional too. :rolleyes:

-hh

Well, I think everyone has seen a plane crash, either in reality or at least in a non-fictional documentary, you do not need to be personally involved to know that it's true. So, while I'm not saying that I have to be personally involved, there must be at least ONE system documented to have been affected by this trojan? Anywhere? One of the computer sites or blogs should be able to produce one? With half a million infected, that should not be too difficult. All I'm saying is, show me the money and not statistics that vary from one site to another.

I know you can be judged by circumstances alone or even rumors but also by fabricated "evidence" (countries even go to war over that, killing their own and everybody else in the way) but in the eternal battle regarding Apple one should be allowed to see at least a tiny bit of fact. Even if this site is called MacRumors.
 
Well, I think everyone has seen a plane crash...

Nope, never have seen one in person. And just as you point out that we need to be cautious of ' ..fabricated "evidence..." risks, we cannot trust any secondhand reports of airplane crashes.

FWIW, I do understand your cynicism, and I'd not be too surprised if something more nefarious is going on. However, there are statistics to consider, and in this regard while 0.5M machines does sound like a lot, we do need to also look at the statistics question from the flip side.

The flip side is that we're looking at a "needle in a haystack" paradigm, where while the good news is that there's ~500,000 needles, the size of the haystack is unfortunately ~1,000,000,000 units (yes, that's Macs+PCs) in magnitude, so the odds of finding a needle on any random draw are only ~0.05%.

If I recall my statistics correctly, to have a reasonable chance of finding at least one defect, you would need to inspect ~6,000 machines...and if you wanted a 95% or 99% detection probability, that inspection sampling requirement will go up quite a bit further. Granted, you can tailor this to be slightly less random by only looking at Macs and adjusting, but even if we simplistically say that Macs are 10% marketshare, then you're still looking at 600 units to inspect just to have a decent chance of detection.


-hh
 
Nope, never have seen one in person. And just as you point out that we need to be cautious of ' ..fabricated "evidence..." risks, we cannot trust any secondhand reports of airplane crashes.

FWIW, I do understand your cynicism, and I'd not be too surprised if something more nefarious is going on. However, there are statistics to consider, and in this regard while 0.5M machines does sound like a lot, we do need to also look at the statistics question from the flip side.

The flip side is that we're looking at a "needle in a haystack" paradigm, where while the good news is that there's ~500,000 needles, the size of the haystack is unfortunately ~1,000,000,000 units (yes, that's Macs+PCs) in magnitude, so the odds of finding a needle on any random draw are only ~0.05%.

If I recall my statistics correctly, to have a reasonable chance of finding at least one defect, you would need to inspect ~6,000 machines...and if you wanted a 95% or 99% detection probability, that inspection sampling requirement will go up quite a bit further. Granted, you can tailor this to be slightly less random by only looking at Macs and adjusting, but even if we simplistically say that Macs are 10% marketshare, then you're still looking at 600 units to inspect just to have a decent chance of detection.


-hh

Well, we inspected 15000, all of our Mac Systems worldwide, add to that a thousand of friends in other companies, the Macs of our employees, that amounts to some 3000, at least the ones that bothered to report in, we asked in Cupertino directly (our boss got some numbers) and came out, across the board, negative.
This "mass infection" is really really elusive and after some time you really must ask the question "cui bono?"
 
Well, we inspected 15000, all of our Mac Systems worldwide...

Oh, so you work at Google?

After all, Google is Apple's #1 customer, followed by Axel Springer AG. There aren't that many businesses with over 10K Mac seats.


This "mass infection" is really really elusive and after some time you really must ask the question "cui bono?"

Sure, although a highly related question is: what percentage of these 15K machines were patched early enough to never have become vulnerable? Or similarly, what percentage of these seats were locked down with the user not having Admin privileges to have had authorized? And so on.


-hh
 
Oh, and yes, the Java hole DID affect Windows. It affected Java running on Intel and compatible machines, the host system was not important.

The hole was a potential exploit in Windows, yeah. But just because this malware takes advantage of it on OSX through an SDK that both platforms happen to share doesn't mean it would automatically do the same amount of damage on Windows as is.

Windows and OSX are too structurally different for a one size steals everyone's credit cards on both type solution. While the same Java weakness can be exploited on both OSes, they'd have to use different revs of the trojan to target both. Like you know how everyone always brags about OSX not getting PC viruses? This applies both ways. To simplify, getting a piece of malware that scans your /library/documents folder in Windows won't do it much good for getting at those sweet, sweet credit cards, nor will it find any nice programs to infect in /Applications. Same applies to looking for C:\Users\Blah\Documents or C:\Program Files in OSX.

You have to write your malware specific to each platform. Just because both share the same gaping security hole doesn't mean both will be vulnerable to the exact same exploits that take advantage of said gaping security hole.
 