Secrecy has its place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.

So so true. The one area I have been frustrated with Apple has been in their lack of partnership with the White Hat community. People who would say "I use a Mac so I am secure" are so naive. No system is safe. I heard a variant of the same thing just recently where folks touted "I use Chrome so I am secure" because it had not been hacked on Pwn2Own (since then it has been hacked). Let me share one simple truth.... No system is fully secure. There is always a way in for a determined hacker -- always.

Apple does a good job of making things more difficult (especially with Lion and upcoming features in Mountain Lion), but a hacker need only find a single hole in any public facing interface and he is in. Even the new Gatekeeper feature in Mountain Lion would have likely been vulnerable to this because I'm pretty sure it relies on setting a bit in a downloaded file that is downloaded via Safari or Mail. I'm pretty sure if you download something via FTP or via a vulnerable Java Runtime that bit is not going to be set and the code will still run just fine.

Apple really needs to constantly hammer and harden their OS as well as the commonly installed components like Java. You can say that "Flash" and "Java" are not Apple's responsibility, but they can make a Mac vulnerable and therefore require proper sandboxing as well. There are things Apple can do on their end to better protect users. This is why Mac App Store developers are now required to use the APIs to support sandboxing -- it is so very important to prevent installed software from exposing the rest of the system to malware.

White hat folks know all the tips and tricks to compromising a system. Simply give them access to some Apple-hosted Macs and see if they compromise the systems in a new and unique way and pay them for every new exploit they find. But even if Apple does that -- it would still be true that no system is fully secure -- you are just increasing the skill level required for a hacker to compromise the system and thus narrowing the likelihood of an epidemic.
 
Just did the command-line step-by-step:
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

I'm clean too. I'd like to see a more proactive attitude from Apple. Microsoft already has a pretty decent antivirus/antimalware built-in.

Lately Apple seems to be taking an arrogant approach to these matters, including any criticism of their latest OS and lack of focus on OS X while iOS appears to be their golden child and OS X their redheaded stepchild. It would behove Apple to be more receptive in regards to OS X. Sure, Lion and Mountain Lion have added some security measures, but this recent overall attitude that they can do no wrong is hubris and will bite them in the behind.
 
The end of an era!

P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?

From this article: http://www.macworld.com/article/1166255/security_experts_600_000_plus_estimate_of_mac_botnet_likely_on_target.html

“A lot of things happened at the same time,” said Mike Geide, senior security researcher at Zscaler ThreatLabZ. “There have been mass compromises of WordPress sites, and the controllers [for those hijacked websites] match the domain structure Doctor Web described. That’s been ongoing since at least early March.”

WordPress is a popular open-source blogging and content management platform used by about one in seven websites.

Those usurped WordPress sites have been redirecting users to malicious URLs, where hackers have hosted the Blackhole exploit kit. Blackhole tries multiple exploits, including several aimed at Java bugs on Macs, to compromise machines.

The sheer size of the WordPress installed base and the scope of the WordPress injection campaign means that it would not have been impossible for hackers to poison more than 600,000 Macs.

This is one of the clearest articles I've read so far:
http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html
 
It's not really "disclosed" (or "confirmed" as I've seen in other reports on this) that there are 600,000 Macs infected with the Flashback trojan. It's an ESTIMATE. If there were more accurate reporting around this story, there would be less chance for fanatics on either side to trot out their tired old cliches...

I also have a question about the authenticity of a never-before-heard-of security company who is running a "sink hole" server to make these estimates of infection. It doesn't seem very far removed from the actual bad guys - indeed the Dr. Web guy says that it would be part of a malicious scheme if it wasn't them running it because they're not doing any harm to users.

It seems you haven't been following this story closely. The 600,000 figure is derived from widely used and accepted techniques and it's being reported as "confirmed" or "disclosed" because Kaspersky Labs, a very well known and prominent security firm, reproduced Dr. Web's findings. Here's Kaspersky's writeup:

https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

Kaspersky used the same exact technique as Dr. Web - they set up a fake command and control server that all the computers infected by Flashback report to and counted the number of unique IP addresses - 600,000. They then used "passive OS fingerprinting techniques" and concluded that 98% of those bots came from Macs. Outside of inspecting each individual infected bot in person, this is as good and sound a number as we're going to get.
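The counting method the post describes, as an added illustration that is not code from the post, from Kaspersky or from Dr. Web: constructed sinkhole check-in records are reduced to unique source IPs, and each IP is tagged with a crude passive fingerprint from its initial TTL and TCP window size. The log format and the fingerprint thresholds are simplified assumptions, not a real signature database.

```python
"""Sinkhole-style bot count with crude passive OS fingerprinting."""
from collections import Counter

# Constructed sample of what a sinkhole might record from the first SYN of
# each bot check-in: "source_ip initial_ttl tcp_window". Not real data.
SAMPLE_LOG = """\
203.0.113.10 64 65535
203.0.113.10 64 65535
203.0.113.11 64 65535
198.51.100.7 128 8192
198.51.100.7 128 8192
203.0.113.12 64 65535
192.0.2.44 64 5840
203.0.113.13 64 65535
"""


def fingerprint(ttl: int, window: int) -> str:
    """Assumed, simplified heuristics: TTL 64 with a 65535 window is treated
    as a Mac/BSD stack, TTL 128 as Windows, other TTL-64 hosts as Linux/other."""
    if ttl == 64 and window == 65535:
        return "mac"
    if ttl == 128:
        return "windows"
    if ttl == 64:
        return "linux/other"
    return "unknown"


def count_bots(log_text: str):
    """Return (unique_ip_count, per_os_counter, mac_share).

    Unique IPs are the bot estimate; repeated check-ins from one IP are
    collapsed, so bots behind one NAT undercount and DHCP churn overcounts.
    """
    seen = {}
    for line in log_text.splitlines():
        ip, ttl, win = line.split()
        seen.setdefault(ip, fingerprint(int(ttl), int(win)))  # first check-in wins
    per_os = Counter(seen.values())
    total = len(seen)
    mac_share = per_os["mac"] / total if total else 0.0
    return total, per_os, mac_share


if __name__ == "__main__":
    total, per_os, share = count_bots(SAMPLE_LOG)
    print(f"unique bots: {total}, by OS: {dict(per_os)}, Mac share: {share:.0%}")
```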
 
No one ever claimed OS X was invulnerable to malware. This isn't the first piece of malware for OS X anyhow.

Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS. Lion is just about the most secure OS out there, definitely more secure than Windows.
 
Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS.

There is nothing in the OS that prevents viruses, that is a myth. Macs are not prone to viruses at all though for the simple fact that none yet exist for OS X.

Lion is just about the most secure OS out there, definitely more secure than Windows.

Lion is not the most secure OS out there, far from it. OpenBSD currently would be one of the contenders for that spot, with their massive code audits.

Come on guys, it's not hard to stick to the facts.
 
Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS. Lion is just about the most secure OS out there, definitely more secure than Windows.

You're kidding, right? You realize that Mac OS is one of the easiest OSes to hack. Even worse, if you have physical access to it you can even create an admin account without the need to even log in.
 
You're kidding, right? You realize that Mac OS is one of the easiest OSes to hack. Even worse, if you have physical access to it you can even create an admin account without the need to even log in.

Something that can be done with physical access to about every OS out there... how is that surprising?

Once you throw in physical access, no OS can really be secure. Heck, even OpenBSD.
 
Even more to the point, Apple has said that Macs don't get "PC" viruses; they make no claims as to viruses in general. That being said, Macs are less prone to viruses just due to the nature of the OS. Lion is just about the most secure OS out there, definitely more secure than Windows.

"Ha! At least I'm not using Winblowz, right? They've got, like, 50 billion viruses. We've got one! OSX! It just works", he said, as thousands of dollars suddenly come up missing from his bank account.

I love it. All the comments I'm reading on all these Mac websites all saying basically the same thing. "Yeah? Well...WINDOWS SUCKS OLOL I DON'T KNOW A SINGLE PERSON WHO'S GOTTEN THIS IT MUST BE FAKE THESE VIRUS COMPANIES ARE TRYING TO SELL ME THEIR STUPID PROGRAMS BY STARTING A PANIC". No. It's not just a big scare. 600,000 Macs have been infected by a bug that slipped past elevation permissions and installed itself without any forewarning. It blows, sure. But it was an inevitability. Why? Because there's no such thing as a perfectly secure OS. Someone was eventually bound to take advantage of a weakness in OSX to get some credit card numbers.

Why people are treating this like it's a personal offense, I have no idea. I mean it's your damn computer getting a bug, not someone telling you your wife has been pimping herself out at truck stops or something, forcing you to pull the denial card to save some face. Having an attitude like that will only make it that much easier for it to happen again in the future. Just accept what went down, and get your updates more often. Life will go on as usual.
 
Of course available patches translate into more patched systems. The only question is how many.

In 2012 Microsoft and Apple are better about pushing out security updates. Whether it is Windows with a little bubble that pops up, or OS X with the software update. Users of modern OSes are much more likely to install security updates than they would have 5+ years ago.

While I personally don't like Software Update always contacting their servers I do leave the feature enabled so I don't miss a security update.
 
"Arrogant" isn't the word I would use. No company is going to say: "hey! check out our new OS, it is bloated, buggy, inefficient, and prone to trojans!"

OS X is a PRODUCT. They are going to put it in the best possible light in order to sell more copies, computers, etc.

Lately Apple seems to be taking an arrogant approach to these matters, including any criticism of their latest OS and lack of focus on OS X while iOS appears to be their golden child and OS X their redheaded stepchild. It would behove Apple to be more receptive in regards to OS X. Sure, Lion and Mountain Lion have added some security measures, but this recent overall attitude that they can do no wrong is hubris and will bite them in the behind.
 
Why people are treating this like it's a personal offense, I have no idea. I mean it's your damn computer getting a bug, not someone telling you your wife has been pimping herself out at truck stops or something, forcing you to pull the denial card to save some face. Having an attitude like that will only make it that much easier for it to happen again in the future. Just accept what went down, and get your updates more often. Life will go on as usual.

Bravo...well said :) As Macs become more popular, more malware (trojans, viruses, etc) is inevitable. Accept it and move on.

Let's hope Tim Cook and Co. have the foresight to take this seriously (which I actually think they do, even though I don't have proof of it.). You don't/can't run a world-class software (+hardware) company without taking security seriously these days.
 
I'm clean too. I'd like to see a more proactive attitude from Apple. Microsoft already has a pretty decent antivirus/antimalware built-in.
Antiviruses tend to hit performance very hard and actually are not that effective. You need to update the signatures basically every day, hope that false positives don't screw some perfectly legit application, and hope that the updated signatures actually are up-to-date enough to cover the latest security threat.

It would be better to invest all of the effort which goes into antiviruses into educating users, setting up safer practices (à la Mountain Lion's "only run if from App Store" by default) and fixing security issues much faster.
 
Easy to fix

Seems trivial to detect and remove Flashback Checker. I would expect the next Lion update to include a script that removes it as part of the upgrade process.

Of course, not everybody updates their OS X installations as fanatically as us MacRumors regulars...

----------

Antiviruses tend to hit performance very hard and actually are not that effective. [...]

It would be better to invest all of the effort which goes into antiviruses into educating users, setting up safer practices (à la Mountain Lion's "only run if from App Store" by default) and fixing security issues much faster.

+1.

Eventually, OS X could become as closed (and as safe) as iOS.
It's the only way to ensure security.
 
Apple and Security

I don't think that Apple's lack of communication with the general public or other companies in regard to security is equal to sticking their heads in the sand and pretending that nothing is happening. The fact that OS X is by its design more secure has been known since its introduction and the fact that serious infections of a system require a user's authorization is another testament to how great it is.

What makes people think that Apple is arrogant in regards to security anyway? Would you want to ignore security vulnerabilities when that would decrease your ability to exist as a corporation? The only way that one could claim that they were arrogant is if they suddenly fired their security staff and got rid of a security department (I doubt that will ever happen). The fact that Macs don't ship with Flash (and that Apple is partially responsible for the increase in alternative forms of web-based content development) or Java (probably because they know that it is a vulnerability) shows that they are taking this seriously. OS X 10.8 will include another security measure called "Gatekeeper" to help as well. This is in addition to the security measures one can already take in regards to Safari, location services, your own customizable firewall, and common sense when installing applications and updates.

Now take those points along with Apple working with Safari developers to make extensions that also help security. I have Adblock, Cookie Stumbler, and ClickToFlash installed along with having Java disabled for some time now. I also have Google Disconnect and Facebook Disconnect to decrease even further the number of cookies and partial system intrusions and tracking that I have to deal with. So when people claim that Apple is not being communicative or cooperative enough, I just take a look at my own system and the tools that have been made available to users to help them protect themselves from the existing malware and realize that they are doing a great job.
 
I’m sure it’s fine, and if you’re paranoid you can compile the source yourself (though if you can compile source, you should be able to perform the manual check easily...)

Heck, given that it just uses a command-line script, there may be 20 total lines of code involved in this checker all together.

I've said it once, and I will say it again: 600k machines being infected is at best a WAG. I think the actual number is much much lower.
 
I've said it once, and I will say it again: 600k machines being infected is at best a WAG. I think the actual number is much much lower.

I agree, and though it's ~totally~ unscientific, nobody in my group of family, friends and colleagues got it. That's people that range from the "hardcore" to the "I can't find my Safari icon" level users :)

I’d say that most of them probably didn’t have Java installed (especially the more casual users, I can’t think why they’d run into needing it), which leads me to wonder about the users that _do_ have it installed. Of the “600K” that were supposedly infected, that must have had Java installed, what and why?

You also have to wonder if there’s some other connection between the users that did get it (whatever actual number that is). Like a common website that maybe had a redirect (or was directly infected)[?]
 
I find this whole thing somewhat amusing. Sure, 600k systems is a pretty big number. On the other hand, news about botnets hunting for Windows systems doesn't start making the rounds until they cross the multi-million system mark.

Apple has never been known for their transparency. That's fine in most cases, but sub-optimal in this one. They need to work on that moving forward. That said, even the security researchers think Apple was taking the right steps, proactively hunting down the control servers and getting them shut down. They just weren't talking to the security researchers about their progress in the meantime.

Definitely something to work on. Unfortunately that flaw isn't particularly rare across the industry. :(
 