Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Apr 10, 2012.

  1. MacRumors macrumors bot


    Apr 12, 2001

    The Flashback malware affecting OS X systems has gained quite a bit of publicity since it was disclosed last week that over 600,000 Macs have been infected by the malware. Flashback began life last year as a trojan and has morphed into a drive-by download taking advantage of a vulnerability in Java that Apple did not patch until last week, despite Oracle having released patches for other systems back in February.

    Over the past few days, a few additional tidbits of information on Flashback have surfaced, including the arrival of some new tools to help users manage the threat.

    - As noted by Ars Technica, a new Mac app by the name of Flashback Checker has been released to help users determine whether their machines have been infected. Users have been instructed to use Terminal to enter commands searching for files created by the malware upon infection, and Flashback Checker offers a simple packaging of these commands behind a user interface. While the app is incredibly simple and does not offer assistance with removing Flashback if it is found on a given system, it does provide a more familiar interface for those who might be intimidated by delving into Terminal on their own.


    - OpenDNS has announced that it has included filtering of Flashback in its services. OpenDNS offers a number of features to improve resolution of domain names, and the new filtering of Flashback helps prevent infection while also preventing already-infected machines from communicating with the command-and-control servers being used to deliver instructions to the infected machines.

    - Forbes has an interview with Boris Sharov of Russian security firm Dr. Web, which was first to bring the magnitude of the Flashback threat to light. In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are.
    Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.

    Article Link: Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team
  2. Michaelgtrusa macrumors 604


    Oct 13, 2008
    Everywhere And Nowhere
  3. Doc750 macrumors 6502a

    Aug 11, 2010
    Typical apple ...
  4. jasonxneo macrumors regular


    Sep 7, 2010
    Ozone Park, New York
  5. sha4000 macrumors regular

    Feb 19, 2012
  6. ddarko macrumors 6502

    May 7, 2007
    Well, it's good to know Apple is going after the botnet's command and control servers but wouldn't it have been great if it had pushed out the patch for the Java exploit back in February? They'd probably be dealing with far fewer infected Macs if Apple security hadn't been so complacent.

    I'm assuming you were being sarcastic? Open DNS is a welcome - and canny - move on its part but obviously, it only works if you use it and probably the vast majority of infected people don't or aren't even aware they have the trojan. Plus, it would be an endless whack-a-mole chase - there'd always be a lag between new servers being set up and Open DNS blocking them.
  7. dr Dunkel macrumors regular

    Nov 3, 2008
    I think it is wise to shut up about it, we don't want to scare the users, do we?
  8. I8P'CS macrumors 6502

    Jul 29, 2010
  9. Derpage Suspended

    Mar 7, 2012
  10. Thadon macrumors member

    May 28, 2010
    I like how when Mac gets a virus/trojan/malware it is fixed quickly and not just by Apple but third parties try also.
  11. miles01110 macrumors Core


    Jul 24, 2006
    The Ivory Tower (I'm not coming down)
    Maybe, maybe not. It wouldn't be surprising if the vast majority of those infected don't even know it. Malware on all platforms is perpetuated by the type of users least likely to install any updates at all.
  12. Matthew Yohe macrumors 68020

    Oct 12, 2006
    Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here it clearly states how to contact Apple.

    You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.
  13. dotheDVDeed macrumors member


    Jul 13, 2007
  14. Supermacguy macrumors regular

    Jan 3, 2008
    Secrecy has its place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.
  15. fruitycups macrumors 6502

    Jun 12, 2011
  16. MonkeySee.... macrumors 68040


    Sep 24, 2010
    I'm still not even sure how 600,000 people got this? What sort of sites was this on?
  17. D.T., Apr 10, 2012
    Last edited: Apr 10, 2012

    D.T. macrumors 604


    Sep 15, 2011
    Vilano Beach, FL
    Step 1: Fake trojan outbreak news

    Step 2: Create bogus removal tool that infects Mac when run

    Step 3: 20 millions of Macs now trojan’ed


    I’m sure it’s fine, and if you’re paranoid you can compile the source yourself (though if you can compile source, you should be able to perform the manual check easily...)
  18. ddarko macrumors 6502

    May 7, 2007
    "Maybe, maybe not"? You can't seriously doubt that SOMEBODY would have applied patches and updates. Yeah there are folks who don't update their machines who wouldn't have been helped by the patch - and are still getting infected today - but patches would have helped those who do update regularly. That's a sizable group. Open DNS may be blocking the communication channels now but it wasn't when no one knew about the botnet, meaning there was an open window for how long? And Open DNS doesn't prevent the infection.

    And Flashback infection has nothing to do with a user's technical expertise because it installs without user intervention. Kaspersky research indicated that the trojan was distributed by infecting the WordPress platform, which is used to build 1 out of 7 sites on the internet. People who got infected likely didn't get it from visiting an obscure porn site but from a site they visit regularly and visited in the past without any problems.
  19. thejadedmonkey macrumors 604


    May 28, 2005
    Typical Apple, shoot the messenger and hope the bad news he was bearing doesn't happen.

    "If I close my eyes I can't see you!"
    How you found that link is beyond me. I went to Apple.com, clicked contact, and found this page.

    EDIT: Bing manages to find it for me, so I guess it's findable, just not through Apple.
  20. miles01110 macrumors Core


    Jul 24, 2006
    The Ivory Tower (I'm not coming down)
    Obviously a patch would have helped those who update regularly, but that's not a sizable group. Some of the 600,000 Macs might have avoided infection, but it would still be a huge botnet.

    Not really sure where you're going with this tangent. I never said it had anything to do with technical expertise.
  21. sxdev macrumors newbie

    Jun 22, 2009
    Remember the instructions and cleanup are for initial infection only, not subsequent downloads. The one infected machine I found had installed an additional item which had a perl script in it, downloading and running a .sh file every 900 seconds and not cleaned up by the instructions.
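    A defender-side check for the persistence pattern sxdev describes (a launchd job that re-runs an interpreter-driven script every 900 seconds), written here as an added example rather than code from the thread or from any Flashback removal tool; the plist contents, labels and paths are constructed samples.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample LaunchAgent plists (not real Flashback artifacts): a benign
# nightly rsync job, and a periodic job like the one described in the post above,
# where an interpreter run from a hidden path fires every 900 seconds.
SAMPLE_PLISTS = {
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/bin/rsync</string><string>-a</string>
    <string>/Users/me/Documents</string><string>/Volumes/Backup</string></array>
  <key>StartCalendarInterval</key><dict><key>Hour</key><integer>2</integer></dict>
</dict></plist>""",
    "com.update.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.helper</string>
  <key>ProgramArguments</key><array><string>/usr/bin/perl</string>
    <string>/Users/me/Library/.update/helper.pl</string></array>
  <key>StartInterval</key><integer>900</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

INTERPRETERS = {"perl", "sh", "bash", "python", "ruby", "osascript"}
FETCH_HINTS = ("curl", "wget", "http://", "https://")

def assess_launch_item(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and list the traits that make it worth a look."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or [item.get("Program", "")]
    program = PurePosixPath(args[0]).name
    reasons = []
    if "StartInterval" in item:
        reasons.append(f"re-runs every {item['StartInterval']} s (StartInterval)")
    if program in INTERPRETERS:
        reasons.append(f"program is a script interpreter ({program})")
    if any(p.startswith(".") for a in args for p in PurePosixPath(a).parts):
        reasons.append("references a hidden (dot) path")
    if any(h in a for a in args for h in FETCH_HINTS):
        reasons.append("arguments name a download tool or URL")
    # A periodic job on its own is normal; periodic plus an interpreter or a
    # hidden path is the pattern the post describes, so require two traits.
    return {"label": item.get("Label", "?"), "reasons": reasons,
            "suspicious": "StartInterval" in item and len(reasons) >= 2}

def scan(plists: dict) -> list:
    """Return the labels of items judged suspicious (filename -> plist bytes)."""
    return [r["label"] for r in map(assess_launch_item, plists.values()) if r["suspicious"]]
```

    On a real machine the same function can be fed the files under ~/Library/LaunchAgents and /Library/LaunchAgents instead of the constructed samples.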
  22. nikhsub1 macrumors 68010


    Jun 19, 2007
    mmmm... jessica.'s beer...
    5 years here. All my clients too. It really helps cut malware.
  23. Rocketman macrumors 603


    This might be one of those moments Apple can ask Microsoft for help.

  24. ddarko, Apr 10, 2012
    Last edited: Apr 10, 2012

    ddarko macrumors 6502

    May 7, 2007
    We don't know how many people do update regularly and we don't know if it would have been huge. What we do know is that the botnet would have been smaller - it surely wouldn't have been bigger if patches were available - and closing known security holes as quickly as possible is to be encouraged and allowing them to remain open for months is a Bad Thing.

    The tangent is there to point out that even the most security conscious Mac user would have been infected without the patches (outside of disabling Java). In other words, Flashback isn't the type of malware that, as you wrote, "is perpetuated by the type of users least likely to install any updates at all" - it perpetuated and infected even the type of users MOST likely to install updates.
  25. nagromme macrumors G5


    May 2, 2002
    The end of an era!

    We’ve gone from:

    * 2001: Macs are just as dangerous as Windows, probably worse, because, even though there has never been a successful real-world malware infestation on OS X, thousands of them are just about to happen any minute now!


    * Macs are just as dangerous as Windows, probably worse, because there has been ONE successful real-world malware infestation on OS X.

    (I definitely do count this instance: it’s not a virus, not a worm, but it’s not a mere Trojan either—it’s a Trojan that installs itself; meaning the web site itself is the Trojan Horse—and one link is all it takes to get to a web site.)

    P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?