'Flashback' trojan estimated to have infected 600K Macs worldwide


Comments

  • gatorguy Posts: 14,332 member
    For those using Firefox, the NoScript plug-in is also a worthy add-on.
  • theghost Posts: 1 member
    For those who still don't believe that the trojan is real, Kaspersky confirmed it and explained how they got the number: https://www.securelist.com/en/blog/2...tnet_confirmed
  • Marvin Posts: 13,622 member, moderator
    Quote: Originally Posted by Thorin


    I've been using Safari almost exclusively; looks like it's time to give Chrome a try. And thanks for that last link.



    Chrome would only help prevent the Java exploit; there are other install methods it uses, some of which disable Little Snitch. The actual trojan is a dynamic library that is preloaded and overrides application or system libraries:



    http://hactheplanet.com/blog/80



    This functionality seems quite dangerous to me. I can't imagine many legitimate scenarios that would require overriding code like this. Apple should certainly consider preventing code injection into critical apps like browsers.



    The other problem is that reports of Apple patching the Java version will make people feel safer but that's neither removing the trojan nor is it preventing the trojan from being installed via some other method. The trojan is running from the Users folder ~/Application Support and /Users/Shared - not areas that require higher write privileges.



    Apple needs to take some drastic action on this one. 600,000 installations is not a trivial amount.
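    As an added example (not code from the thread, nor from any vendor's removal tool), here is a small check of the preload mechanism Marvin describes: it reads an application's Info.plist and flags any DYLD_INSERT_LIBRARIES entry under LSEnvironment that points into the user-writable locations the thread names. The plist contents are constructed, and the LSEnvironment/DYLD_INSERT_LIBRARIES key path is an assumption about where such a preload would be set.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample of an application Info.plist whose LSEnvironment has
# been tampered with to preload a library from the user's home folder.
TAMPERED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.browser</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/alice/Library/Application Support/.fake.dylib</string>
  </dict>
</dict></plist>"""

# Constructed clean sample: a shipped bundle normally carries no LSEnvironment.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.browser</string>
</dict></plist>"""

# Locations writable without administrator rights (assumption taken from the
# thread: the user's home folder and /Users/Shared).
SHARED_WRITABLE = ("/Users/Shared",)


def preloaded_libraries(info_plist: bytes) -> list[str]:
    """Every path listed in LSEnvironment/DYLD_INSERT_LIBRARIES (colon separated)."""
    env = plistlib.loads(info_plist).get("LSEnvironment", {})
    return [p for p in env.get("DYLD_INSERT_LIBRARIES", "").split(":") if p]


def is_user_writable(path: str, home: str) -> bool:
    """True if path lies inside the given home folder or /Users/Shared."""
    p = PurePosixPath(path)
    roots = [PurePosixPath(home), *(PurePosixPath(r) for r in SHARED_WRITABLE)]
    return any(root == p or root in p.parents for root in roots)


def suspicious_preloads(info_plist: bytes, home: str) -> list[str]:
    """Preload entries that come from user-writable space: the pattern the
    thread describes, where no elevated privileges were needed to plant them."""
    return [p for p in preloaded_libraries(info_plist) if is_user_writable(p, home)]


if __name__ == "__main__":
    print(suspicious_preloads(TAMPERED_INFO_PLIST, "/Users/alice"))  # one hit
    print(suspicious_preloads(CLEAN_INFO_PLIST, "/Users/alice"))     # []
```

A shipped application bundle should carry no DYLD_INSERT_LIBRARIES entry at all, so any hit from preloaded_libraries is worth a look even before the writability check.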
  • gatorguy Posts: 14,332 member
    Quote: Originally Posted by theghost


    For those who still don't believe that the trojan is real, Kaspersky confirmed it and explained how they got the number: https://www.securelist.com/en/blog/2...tnet_confirmed



    Mildly surprised they came up with the same infection numbers, around 600K and probably rising.
  • egrar Posts: 29 member
    http://reviews.cnet.com/8301-13727_7...are-infection/



    Let's get out of that Apple shell and deal with the truth. This trojan is real and it's out there.

    protect your privacy, clean up your system, change your online account passwords..
  • gatorguy Posts: 14,332 member
    Dr. Web, the same company who counted infections, can also tell you if you're one of the unlucky ones, matching you with their list of infected machines.



    Details at CNET

    http://news.cnet.com/8301-27076_3-57...?tag=cnetRiver
  • easy288 Posts: 80 member
    Close your eyes tight, use both hands to cover your ears, turn your head repeatedly left and right and repeat after me, "Macs cannot get viruses or malware or whatever bad things that are out there."



    There, there. Feel better now?
  • cgj Posts: 276 member
    Weird thing here, I use ClamXav on both my iMac and MacBook Air. ClamXav discovered the Flashback trojan file on both computers, yet the trojan hadn't spread (did the advised Terminal commands).



    To double check, I did defaults write com.apple.Finder AppleShowAllFiles TRUE and killed Finder, turns out it was hiding. I'd advise doing this too, to your Home folder.
  • ljocampo Posts: 657 member
    Quote: Originally Posted by Thorin


    I've been using Safari almost exclusively; looks like it's time to give Chrome a try. And thanks for that last link.



    Leaving Safari for this reason only doesn't make much sense. Just disable Java (not JavaScript) in Safari Prefs and the browser won't run any Java on any of these malware sites. It's also wise to disable "open safe programs automatically" in the prefs too, since you really shouldn't open any program ever automatically, especially if you run as an administrator.
  • blasev Posts: 4 member
    ClamXav and Intego PCE (both provided in the Mac App Store) are on-demand AV, so I think there's no reason for a user not to install them, since they won't use any resources while not running a scan.



    Little Snitch is a great firewall; TCPBlock is the free alternative for the more tech-savvy user.
  • gooddog Posts: 93 member
    Quote: Originally Posted by AppleInsider


    A trojan horse named "Flashback" that surfaced last year is believed to have created a botnet including more than 600,000 infected Macs around the world, with more than half of them in the U.S. alone.



    Russian antivirus company Dr. Web issued a report on Wednesday noting that 550,000 computers running OS X had been infected by BackDoor.Flashback variants of the malware, as highlighted by ArsTechnica.



    An analyst for the company later updated the figure to note that the size of the botnet had reached 600,000. He also pointed out that 274 bots are originating from Apple's hometown of Cupertino, Calif.



    According to a map released by the firm, 56.6 percent of infected computers are located in the United States. Canada was second with 19.8 percent, followed by the U.K. with 12.8 percent of cases.



    Apple released a Java Security update on Tuesday to resolve the vulnerabilities that the malware is exploiting, but not before a number of Mac users had been hit with the malicious software. Oracle first issued a fix for the vulnerability in February.

    Security firm Intego publicized the Flashback trojan last September. Some variants of the software were even discovered with the potential to disable anti-malware protections within OS X.



    Researchers at F-Secure have provided instructions on how to detect and remove the malware.








    ********************



    The fix commands that I read look very intimidating.

    Then there is an applet available ...

    BUT, how do I know that the command I am to enter or applet to run comes from the white hats?

    I hope this is not showing extreme ignorance; but I need to know this fix can be trusted at least as much as an Apple Software Update.



    Also, I boot into Lion from an external Firewire drive. My internal drive, in my MBP iCore7, runs the latest SL. So, are they both in danger or only Lion?



    Thanks,
  • Marvin Posts: 13,622 member, moderator
    It seems that the malware may not in fact be stealing passwords but redirecting search results:



    http://www.pcadvisor.co.uk/news/secu...ave-600k-macs/



    "In a Twitter reply to security blogger Brian Krebs, Dr Web's Ivan said the Trojan is not trying to steal passwords, but rather hijacking Google search results, which means Google itself is not affected, but the Trojan manipulates Google search results returned to the infected Mac.



    In other words, it could lead the user to a site that could host malware or generate cash for the botnet controllers through referral programs."



    https://twitter.com/#!/hexminer/stat...27438346473472



    If that's the case, it makes the malware a lot less serious but precautions are worth taking in case different payloads do different things.



    Of course, redirecting traffic could mean that they redirect the results of a search for Paypal to a fraudulent Paypal site and capture your password that way. That would actually be an easier way than scanning for input text. Entering the URLs directly into the browser will avoid visiting malicious sites.
  • pondosinatra Posts: 463 member
    Quote: Originally Posted by irnchriz


    OMFG I'm infected

    NOT.

    I'm sure 600,000 other smug people are saying the same thing....
  • tallest skil Posts: 39,898 member
    Quote: Originally Posted by pondosinatra


    I'm sure 600,000 other smug people are saying the same thing....



    And being perfectly correct. I don't expect more than about 80,000 to actually have this.
  • ddarko Posts: 22 member
    Quote: Originally Posted by Tallest Skil


    And being perfectly correct. I don't expect more than about 80,000 to actually have this.



    And your methodology was...?



    Kaspersky Labs, a security firm that some people have heard of, reproduced Dr. Web's estimates:



    https://www.securelist.com/en/blog/2...tnet_confirmed



    The methodology used is sound and accepted. It's a hard count of bots that check in - it's not based on statistical sampling, modeling or mathematical extrapolation. It's literally just counting the number of bots that phone home to the mothership. It couldn't be more straightforward. Until you can provide an explanation for why their procedure is wrong, I'll take Kaspersky's and Dr. Web's number over yours.
  • egrar Posts: 29 member
    We know how this trojan works... now protect your Mac!

    Without installing anything on your Apple.



    http://blog.opendns.com/2012/04/09/w...et-up-opendns/
  • john.b Posts: 2,611 member
    Quote: Originally Posted by ddarko


    And your methodology was...?



    Kaspersky Labs, a security firm that some people have heard of, reproduced Dr. Web's estimates:



    https://www.securelist.com/en/blog/2...tnet_confirmed



    The methodology used is sound and accepted. It's a hard count of bots that check in - it's not based on statistical sampling, modeling or mathematical extrapolation. It's literally just counting the number of bots that phone home to the mothership. It couldn't be more straightforward. Until you can provide an explanation for why their procedure is wrong, I'll take Kaspersky's and Dr. Web's number over yours.



    Kaspersky has a dog in this fight. They are in this to sell Malware prevention software and are the last source I'd use to develop any sort of accurate estimate.
  • ddarko Posts: 22 member
    Quote: Originally Posted by John.B


    Kaspersky has a dog in this fight. They are in this to sell Malware prevention software and are the last source I'd use to develop any sort of accurate estimate.



    That's nothing more than an ad hominem argument - question the motive of the person making the argument without addressing the argument itself. I'm still waiting to hear what the flaw or defect in their procedure is. Let me ask again: what's wrong with their methodology? Everyone has a financial stake in this. Apple is self-interested to minimize or underplay the extent of the infection. If you're so troubled by the self-interest of the security firms, why aren't you equally skeptical of Apple due to their corresponding self-interest? Funny double standard.



    Just because Kaspersky the company sells security software doesn't mean the specific findings of some of its researchers are lies. Kaspersky and Dr. Web have publicly outlined how they reached their estimate. If you're so skeptical, then reproduce it yourself or, better yet, point out what's wrong with Kaspersky and Dr. Web's methodology. If you're saying their methodology is sound but they're just flat-out lying about the number, then what's your proof of their dishonesty? Is the "proof" that you "know" they're lying because they're self-interested? That's a conspiracy theory, not a serious argument.



    And by the way, Symantec posted a very interesting blog post today about Flashback that provided another independent confirmation of the initial 600,000 infection rate (three independent confirmations, but since they're all security companies, they're all lying, right?). But there's some good news: using the same sinkhole server technique that Dr. Web and Kaspersky used, they've tracked that the number of infected machines contacting the command servers has been steadily dropping, down from 600,000 on April 5 to 380,000 on April 10 to 270,000 on April 11. They don't address how many machines are being cleaned of the trojan versus how many are still infected but are being prevented from contacting the command servers by DNS blocks like the one OpenDNS has set up. Symantec also provides additional details about how the trojan generates new domain names each day for infected bots to contact:



    Quote:

    OSX.Flashback.K uses a domain name generator (DNG) algorithm that allows it to generate a new domain each day in order to contact the command-and-control (C&C) server. The domains for the next few days can be seen below. These domains are currently sink-holed by Symantec Security Response so that we can gather more statistics data on the size of the infection over the course of the week and in effect prevent Flashback from contacting the C&C server to receive further instructions.



    In other words, Symantec has registered the future domain names that the botnet was set to contact, preempting the botnet writers and preventing them from setting up servers there.



    Quote:

    We have also identified a number of distinct IP addresses that are used in the OSX.Flashback.K variant.



    The “.com” domains were registered on March 26th and April 4th. These dates fall in line with the preparation for the recent Flashback attack. These IP addresses hosted the exploit itself (CVE-2012-0507) in order to install OSX.Flashback.K, serve up additional payloads, and record statistical data sent to the server from the Flashback Trojan. The IP addresses are no longer serving malicious content related to OSX.Flashback.K; however, we are monitoring the situation closely should the Flashback gang decide to redistribute their operations.



    Based on the registration dates of domain names, it seems the botnet writers started setting up the command and control servers during the week right before they launched the attack. It's interesting stuff and can be read in full here:



    http://www.symantec.com/connect/blog...ns-down-270000
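    The counting method described in the post above, as an added example (not Dr. Web's, Kaspersky's or Symantec's code): distinct bot identifiers per day from constructed sinkhole check-in records, plus the set of bots that stop appearing between two days, which a sinkhole alone cannot separate into cleaned machines versus machines merely blocked at DNS. The record layout, the identifiers and the domain names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample of sinkhole check-ins: "<date> <bot_id> <domain requested>",
# one line per connection. The same bot may check in many times in a day.
SAMPLE_LOG = """\
2012-04-10 AAAA-1111 day-a.example.invalid
2012-04-10 AAAA-1111 day-a.example.invalid
2012-04-10 BBBB-2222 day-a.example.invalid
2012-04-10 CCCC-3333 day-a.example.invalid
2012-04-11 AAAA-1111 day-b.example.invalid
2012-04-11 CCCC-3333 day-b.example.invalid
2012-04-11 CCCC-3333 day-b.example.invalid
garbage line that should be ignored
"""


def distinct_bots_per_day(log_text: str) -> dict[str, set[str]]:
    """Map each day to the set of bot IDs that reached the sinkhole that day."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than miscount
        day, bot_id, _domain = parts
        seen[day].add(bot_id)
    return dict(seen)


def daily_counts(log_text: str) -> dict[str, int]:
    """The 'hard count' the thread describes: each bot counted once per day,
    no matter how many times it checks in."""
    return {day: len(ids) for day, ids in distinct_bots_per_day(log_text).items()}


def went_quiet(log_text: str, earlier: str, later: str) -> set[str]:
    """Bots seen on `earlier` but absent on `later`. The sinkhole sees only
    absence, so it cannot say whether each was cleaned or just DNS-blocked."""
    per_day = distinct_bots_per_day(log_text)
    return per_day.get(earlier, set()) - per_day.get(later, set())


if __name__ == "__main__":
    print(daily_counts(SAMPLE_LOG))                          # {'2012-04-10': 3, '2012-04-11': 2}
    print(went_quiet(SAMPLE_LOG, "2012-04-10", "2012-04-11"))  # {'BBBB-2222'}
```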
  • pb Posts: 4,208 member
    Quote: Originally Posted by ddarko


    I'm still waiting to hear what the flaw or defect in their procedure is. Let me ask again: what's wrong with their methodology?



    I cannot tell about Dr. Web, but here is what I found about Kaspersky. They have set up a web site where you can check if a Mac has been infected by the Flashback/Flashfake trojan, based on its UUID. I did the check and my MacBook was found infected. But I know it is not, since I already ran the available tools (command-line from F-Secure and the Symantec utility) to check this out for myself. So, I am clean and Kaspersky insists that I am not. Two explanations come to mind:



    (1) They are liars and their intention is to increase sales.

    (2) Their methodology is fundamentally flawed.



    If you have any other explanations I am very curious to hear them.
  • ddarko Posts: 22 member
    Quote: Originally Posted by PB


    I cannot tell about Dr. Web, but here is what I found about Kaspersky. They have set up a web site where you can check if a Mac has been infected by the Flashback/Flashfake trojan, based on its UUID. I did the check and my MacBook was found infected. But I know it is not, since I already ran the available tools (command-line from F-Secure and the Symantec utility) to check this out for myself. So, I am clean and Kaspersky insists that I am not. Two explanations come to mind:



    (1) They are liars and their intention is to increase sales.

    (2) Their methodology is fundamentally flawed.



    If you have any other explanations I am very curious to hear them.



    Here's some: (1) you entered your UUID incorrectly; (2) the tools and instructions from F-Secure and Symantec are wrong, and you are infected; (3) it's just a plain old false positive, i.e. an error by Kaspersky's online tool.



    (3) is probably the most likely, but it says more about your mindset that you would jump from having a single false positive to the conclusion that a widely known security vendor is a "liar." And how would they increase "sales"? The Flashback removal tools they and other vendors offer are all free with no obligation to pay for anything else. You can choose to buy their paid solutions but you're free not to: use the Flashback tools, delete them and never deal with them again.



    If I was as distrustful and quick to label folks as liars as you, I might question whether you actually got a false positive - all we have is your claim that Kaspersky's tool identified your computer as infected while the tools from F-Secure and Symantec did not. Maybe you're so keen and eager to "protect" Apple that you're lying. How's that for questioning someone's motives instead of addressing the content of their arguments?



    But I take you at your word. All I'd say is that it's a massive leap to say a single false positive demonstrates the existence of a Big Lie to hoodwink and scare Mac users worldwide. My blood work comes back from my doctor and if the results turn out to be a false positive, I hardly jump to the conclusion that my doctor, the lab and the pharmaceutical industry as a whole are engaged in a vast conspiracy to drive up medical spending. Your case appears to be a false positive, nothing more, nothing less. Your tiny bit of evidence doesn't support either of your conclusions. At most, it demonstrates Kaspersky's tool isn't perfect and makes mistakes. It hardly proves the counting methodology is "fundamentally flawed."



    What I'm still waiting for is an explanation of HOW the methodology is so flawed that it can't be trusted at all - why doesn't counting the number of bots that check in with a command server as those bots are instructed to do by the trojan give you an accurate count of the size of the infection? If you have any explanation why this doesn't work - one that doesn't resort to charges of lying, which doesn't actually rebut or undermine the methodology but only attacks the integrity of the researchers - I am very curious to hear it.