
Apple reportedly tries to shut down Flashback discoverer's server

post #1 of 29
Thread Starter 
In what may be a case of mistaken identity, it was revealed on Tuesday that Apple attempted to shut down a server belonging to the security firm that first discovered the Flashback malware, giving insight into how the Cupertino, Calif., company handles third-party assistance.

Boris Sharov, chief executive of the relatively unknown Russian security firm Dr. Web, was notified by web registrar Reggi.ru on Monday that Apple had requested the shut-down of a domain belonging to the Moscow company on claims that it was being used as a "command and control" for Macs affected by Flashback, reports Forbes.

“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” Sharov said. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

The domain in question was one of three Dr. Web was using to monitor the spread of Flashback in what researchers call a "sinkhole," or a spoofed command and control server. This technique allowed the firm to first the trojan that has so far rooted into an estimated 600,000 machines, more than one percent of all operating Macs.

Apple may have prematurely requested the shutdown, which is standard practice in this type of security scenario, before further investigating the background of the server and Sharov believes that the move was merely a mistake.

Adding to the confusion is Apple's notoriously secretive nature. Sharov said that his company has dealt with the oft-maligned Microsoft on similar situations which, unlike Apple, has fostered fruitful working relationships with outside security firms. Apple has not seen a botnet of this scope and therefore does not share the same ties with outside security sources, he adds.

“For Microsoft, we have all the security response team’s addresses,” Sharov said. “We don’t know the antivirus group inside Apple.”


Dr. Web chief executive Boris Sharov. | Source: Forbes


By shutting down command and control servers, Apple is looking to quash Flashback, which in its current iteration has created a worldwide botnet by exploiting an unpatched Java vulnerability.

Apple recently pushed out two successive Java updates last week in an attempt to catch up with the malware, but some see the move as too little too late.

“Their response should have been much earlier when they should have updated their Java,” Sharov said. “Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”

Apple remains closed for comment, and hasn't released any official statement regarding Flashback.

“These are not pleasant days for them,” Sharov said. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”

post #2 of 29
This part here: (the actual basis for this being a "story" BTW)
Quote:
Originally Posted by AppleInsider View Post

... Sharov said. This seems to mean that Apple is not considering our work as a help. It's just annoying them. ...

Would seem to be a huge leap/assumption that isn't backed up by any facts and is actually quite unlikely.
post #3 of 29
Why wouldn't Apple want those servers to be shut down. If they are hosting some malware, then they SHOULD be shut down. They aren't helping anyone by having that crap available to be used. They should simply find out who posted it in the first place and go after the people that put the crap out there in the first place.
post #4 of 29
Quote:
Originally Posted by drblank View Post

Why wouldn't Apple want those servers to be shut down. If they are hosting some malware, then they SHOULD be shut down.

those servers were used to attract botnet attacks. it's like catching living specimens in a test lab so you have a controlled environment with which to study them. some botnet attacks thrive on live hosts in a peer-to-peer environment. if you purposely join the environment (in hopes of fooling everyone that you're just a innocent target of the trojan), you can quietly remain infected while you diagnose the problem and kill the trojan.
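One way to see what a sinkhole actually yields, as an added example that is not Dr. Web's code or anything from the article: a parser over constructed check-in log lines in a hypothetical format (the `/beacon?id=` path and the 8-hex-digit per-machine identifier are assumptions for illustration, not Flashback's real protocol) that estimates the infected population by distinct bot identifier rather than by source IP, which is how a figure like "600,000 machines" is derived from sinkhole traffic.

```python
"""Sinkhole check-in analysis (illustrative example, not Dr. Web's tooling).

A sinkhole is a server a researcher registers under a domain the malware will
contact as if it were the real command-and-control host.  Bots check in, the
check-ins are logged, and no commands are ever sent back.  Counting distinct
machines from that log is how the size of a botnet is estimated.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sample of sinkhole web-server log lines in a hypothetical format:
#   <ISO timestamp> <client ip> <request path>
# The bot is assumed to carry a per-machine identifier in the path ("id=", eight
# hex digits); this is an assumption for the example, not Flashback's protocol.
# Two machines sit behind the NAT gateway 203.0.113.7, one laptop (aaaa0003)
# shows up from two different addresses, and two lines are unrelated noise.
SAMPLE_LOG = """\
2012-04-10T08:01:12Z 203.0.113.7 /beacon?id=aaaa0001
2012-04-10T08:01:15Z 203.0.113.7 /beacon?id=aaaa0002
2012-04-10T09:30:00Z 198.51.100.4 /beacon?id=aaaa0003
2012-04-10T11:12:45Z 203.0.113.7 /beacon?id=aaaa0005
2012-04-11T07:45:03Z 198.51.100.9 /beacon?id=aaaa0003
2012-04-11T09:00:00Z 192.0.2.55 /favicon.ico
2012-04-11T09:00:01Z 192.0.2.55 /beacon?id=aaaa0004
2012-04-11T10:22:09Z 192.0.2.60 /beacon?id=not-hex
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) /beacon\?id=([0-9a-f]{8})$"
)


def parse_checkins(log_text):
    """Yield (day, ip, bot_id) for every well-formed check-in line.

    A sinkhole domain also receives scanners, browsers and malformed
    requests, so anything that does not match the expected shape is skipped
    rather than raising."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield date.fromisoformat(m.group(1)), m.group(2), m.group(3)


def estimate_population(log_text):
    """Return both ways of counting infections from a sinkhole log.

    Distinct bot identifiers are the honest estimate: one NAT gateway hides
    several machines behind one IP (undercount by IP), while one laptop that
    moves between networks appears from several IPs (overcount by IP).
    First-seen dates per bot give the rate of new infections."""
    ids, ips, first_seen = set(), set(), {}
    for day, ip, bot_id in parse_checkins(log_text):
        ids.add(bot_id)
        ips.add(ip)
        first_seen.setdefault(bot_id, day)
    new_per_day = defaultdict(int)
    for day in first_seen.values():
        new_per_day[day.isoformat()] += 1
    return {
        "unique_bots": len(ids),
        "unique_ips": len(ips),
        "new_bots_per_day": dict(sorted(new_per_day.items())),
    }


if __name__ == "__main__":
    print(estimate_population(SAMPLE_LOG))
```

On the sample above the IP count and the bot count disagree in both directions at once, which is why a sinkhole operator reports machines by identifier and treats raw IP counts only as a sanity check.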
post #5 of 29
Quote:
Originally Posted by Prof. Peabody View Post

This part here: (the actual basis for this being a "story" BTW) ...

the entire article is, in fact, newsworthy. i doubt most people, here, knew how security firms track down and ultimately eliminate threats. the Forbes article gives some insight into the legitimate tactics deployed by Dr Web and other security firms.

Quote:
Would seem to be a huge leap/assumption that isn't backed up by any facts and is actually quite unlikely.

while i agree the assumption is a bit arrogant, the bigger picture is people shouldn't necessarily be equally as arrogant to dismiss the notion that OS X can be a victim of certain kinds of digital threats.
post #6 of 29
I checked all our machines when this first made news a few days ago and they were clean. I have not heard where the exploit is hosted, but apparently all you have to do is visit a hacked website without any other user interaction whatsoever.

One of our printers recently got their website hacked. Somehow they were able to compromise the http file uploader using php. Perhaps they target businesses that are known to be popular with Macs like printers. They hack the website then distribute their malware to the company's regular clients.

Life is too short to drink bad coffee.
post #7 of 29
This is more embarrassing efforts by AI jr writers to regurgitate crap they don't understand.

The Fortune piece was such obvious click bait sensationalism that tells one side of a story because Apple isn't in business to generate fame for companies like this.

The piece says what Apple did (attempting to block DNS for sites involved in the malware) wasn't even suspicious, but that fact is buried under a headline and 90% of the story that's all attributing phony motives to a company out of thin air.

Might as well go interview Mike Daisey about Apple in China again.

Shame on you AI.
post #8 of 29
I'm sorry. Something here seems mighty suspicious. Russian security firm, trojan virus, servers they have to monitor, and then they have a tool where they can check your computer, but receive its identification numbers? I far prefer just checking to see if the virus is there, and updating the computer.

I am not totally convinced there is not some collaboration here, to sell antivirus software. I guess I am just naturally suspicious.
post #9 of 29
Quote:
Originally Posted by Prof. Peabody View Post

This part here: (the actual basis for this being a "story" BTW)
Would seem to be a huge leap/assumption that isn't backed up by any facts and is actually quite unlikely.

Indeed. This is some unknown company that claims to be a security firm etc but for all anyone knows they are behind this whole thing. And even if they are not, they are gathering info about infected systems that could be used for malice. I would much rather Apple assume the worst and have it shut down than not.

And to claim Apple doesn't care? Says who? They might not be giving out info to this unknown company but if they didn't care they wouldn't have done two Java updates after publicly saying they were stopping such updates and users need to get it from Oracle directly.
post #10 of 29
Quote:
Originally Posted by Prof. Peabody View Post

This part here: (the actual basis for this being a "story" BTW)
Would seem to be a huge leap/assumption that isn't backed up by any facts and is actually quite unlikely.

I agree. Understanding the nature, signatures, and source of attacks is a tough business. It sounds like this guy is attempting to capitalize on the incident and Apple's reaction. Good marketing is where you find it, eh?
post #11 of 29
Quote:
Originally Posted by rkevwill View Post

I'm sorry. Something here seems mighty suspicious. Russian security firm, trojan virus, servers they have to monitor, and then they have a tool where they can check your computer, but receive its identification numbers? I far prefer just checking to see if the virus is there, and updating the computer.

I am not totally convinced there is not some collaboration here, to sell antivirus software. I guess I am just naturally suspicious.

Technically it was a "Trojan", not a "Virus". A trojan sits on the infected computer without the user ever knowing it existed and waits for the command to launch an attack.

The only symptom was that the computer or the Internet seemed slow and crashed a lot lately.
post #12 of 29
It's never been solely about OS, it's about the users. Stupid or ignorant users will get infected and in a sense, that's just the natural way. Much the same way people scam others in real life.
post #13 of 29
Quote:
Originally Posted by charlituna View Post

Indeed. This is some unknown company that claims to be a security firm etc but for all anyone knows they are behind this whole thing. And even if they are not, they are gathering info about infected systems that could be used for malice. I would much rather Apple assume the worst and have it shut down than not.

Kaspersky confirmed the same thing as Dr. Web found, and used the same "sinkhole" redirect as Dr Web to gather the evidence. They're legit.
melior diabolus quem scies
post #14 of 29
I suspect Apple know more than we do.
Use duckduckgo.com with Safari, not Google Search
Been using Apples since 1978 and Macs since 1984
Long on AAPL so biased. Strong advocate for separation of technology and politics on AI.
post #15 of 29
Quote:
Originally Posted by AppleInsider View Post

“These are not pleasant days for them,” Sharov said. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”

This last quote of Sharov strikes me as FUD. Sharov is trying to spread FUD, what is his purpose? "Safety is going down very quickly", seriously? There are 0 self replicating and self installing viruses for the Mac. There is one active trojan, the previous trojans have been squashed. This one is in the process of being squashed. How is the safety of the Mac going down quickly?
post #16 of 29
Quote:
Originally Posted by digitalclips View Post

I suspect Apple know more than we do.

Agreed.
post #17 of 29
Quote:
Originally Posted by Gatorguy View Post

Kaspersky confirmed the same thing as Dr. Web found, and used the same "sinkhole" redirect as Dr Web to gather the evidence. They're legit.

Both companies have a highly vested interest in scaring the crap out of newbie Mac users. I don't trust a word they say.
It's like running a million ads saying "Ask your doctor for our drug that cures restless nose syndrome ... you do have a restless nose don't you ...?" Cut to video of people just like you with restless noses.

The only difference is I wouldn't put it past one of that bunch of AV companies to be behind the trojans in the first place. These guys are all dead when the PC dies and they know it.
Use duckduckgo.com with Safari, not Google Search
Been using Apples since 1978 and Macs since 1984
Long on AAPL so biased. Strong advocate for separation of technology and politics on AI.
post #18 of 29
It also should be noted that this is a proof of concept trojan. It just deletes itself if it discovers any software that has a chance of detecting it. Whoever is writing this is using it to gain experience on Macs without winding up on anyone's radar. Unfortunately, the web being the web and Apple being such a fine click bait meme, they didn't succeed. 600,000 infections is no small number, but if this is the only active infection of that magnitude then Apple is still way ahead of Microsoft and even the Android market place. It appears that they are working on getting more proactive in security. If you don't like the pace they are working at look at the big picture. I will give them the benefit of the doubt until I see an infection in the wild. YOMV
post #19 of 29
This is more about Java.

Mac itself wasn't vulnerable, it was Java. The right thing to do would be point this to Java. If you install a vulnerable piece of software in your OS, then it makes that OS, no matter how secure, vulnerable. This vulnerability also existed on Linux boxes as well.

What Apple should do is simply remove Java from Mountain Lion. If the user needs Java, they can download it from Oracle. And if there are vulnerabilities in that, then it's Oracle's fault.

Apple stopped carrying Java a long time ago, for good reasons. Having to maintain third-party distributions is insane, and this time they were blamed for it as well.
post #20 of 29
I wonder what would cost less?

$30 for a clean install of Lion, no Java problem solved or an AV solution.
post #21 of 29
Quote:
Originally Posted by SixnaHalfFeet View Post

This last quote of Sharov strikes me as FUD. Sharov is trying to spread FUD, what is his purpose? "Safety is going down very quickly", seriously? There are 0 self replicating and self installing viruses for the Mac. There is one active trojan, the previous trojans have been squashed. This one is in the process of being squashed. How is the safety of the Mac going down quickly?

His purpose is to scare folks so they will buy his company's software and services to protect themselves. Same as when all these anti-virus etc companies discover some new threat that in truth only affects computers running 10.3 with Classic still installed using IE as their browser with Office installed or some other "perhaps 5 people have it" set up
post #22 of 29
Quote:
Originally Posted by AppleInsider View Post

"The safety of Macintosh computers is going down very quickly, and they're thinking what to do next. They're thinking about how to manage a future where the Mac is no longer safe."

They already did by removing Java from OS X. They just need to do two things:

- block Java from use in the web browser and only whitelisted by the user on a case-by-case basis
- prevent dynamic libraries injecting code into applications at the user-level without permission
post #23 of 29
Quote:
Originally Posted by superdx View Post

This is more about Java.

Mac itself wasn't vulnerable, it was Java. The right thing to do would be point this to Java. If you install a vulnerable piece of software in your OS, then it makes that OS, no matter how secure, vulnerable. This vulnerability also existed on Linux boxes as well.

What Apple should do is simply remove Java from Mountain Lion. If the user needs Java, they can download it from Oracle. And if there are vulnerabilities in that, then it's Oracle's fault.

Apple stopped carrying Java a long time ago, for good reasons. Having to maintain third-party distributions is insane, and this time they were blamed for it as well.

Oracle patched the Java vulnerability in February. For whatever reason, Apple chose not to push this patch out via Software Update (MS did). I agree Apple should probably drop Java distribution themselves, but while they do it's their responsibility to deal promptly with things like this.
post #24 of 29
Quote:
Originally Posted by jukes View Post

Oracle patched the Java vulnerability in February. For whatever reason, Apple chose not to push this patch out via Software Update (MS did). I agree Apple should probably drop Java distribution themselves, but while they do it's their responsibility to deal promptly with things like this.

That's entirely the point - Apple have dropped java distribution themselves and no longer support or update it, specifically because of issues like this. They also don't distribute and update flash, shockwave or adobe and microsoft software - third party technologies are the responsibility of third parties.
post #25 of 29
Quote:
Originally Posted by jukes View Post

Oracle patched the Java vulnerability in February. For whatever reason, Apple chose not to push this patch out via Software Update (MS did). I agree Apple should probably drop Java distribution themselves, but while they do it's their responsibility to deal promptly with things like this.

I don't know about the USA, but in several countries, Apple could be sued for "passive cooperation with an illegal operation" or "negligence". Pick your interpretation, I'd go for negligence

Of course, I understand a small company with limited resources like Apple cannot put a huge team to solve security holes as soon as humanly possible, while making sure nothing breaks due to the "solves"...

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.
post #26 of 29
So many Pavlovian comments, shooting the messenger, etc. Dr Web is a respectable, 20-year-old company... Now who is arrogant, the one writing a mail to inform you about vulnerabilities on your platform or the one who doesn't even care to answer? Some people seem to have real cognitive troubles...

Quote:
Originally Posted by nkhm View Post

That's entirely the point - Apple have dropped java distribution themselves and no longer support or update it, specifically because of issues like this. They also don't distribute and update flash, shockwave or adobe and microsoft software - third party technologies are the responsibility of third parties.

FYI the problematic (because left unpatched) Java on Mac OS is Apple's PORT, i.e. Apple's own version, so the responsibility is well and truly on its side.
post #27 of 29
Quote:
Originally Posted by emacs72 View Post

the entire article is, in fact, newsworthy. i doubt most people, here, knew how security firms track down and ultimately eliminate threats. the Forbes article gives some insight into the legitimate tactics deployed by Dr Web and other security firms.

while i agree the assumption is a bit arrogant, the bigger picture is people shouldn't necessarily be equally as arrogant to dismiss the notion that OS X can be victims of certain kinds of digital threats.

Agreed, but sadly as with the majority of apps that come to the Mac platform from the PC world I'm still waiting for an AV/malware app that doesn't turn my blazingly fast Mac into a slug. I've tried several that appear to work fine for a bit but in the end my Mac always ends up acting erratic, almost like the AV software is malware.

I use ClamXAV for antivirus and that works awesome (the non-app store version lets you do realtime monitoring of certain folders). For malware I just use bit defender's free scanner, but it has no realtime monitoring. Mountain Lion will help a lot with preventing malware but nothing Apple has done so far has dealt well with what to do once it's on your system.
post #28 of 29
Quote:
Originally Posted by drblank View Post

Why wouldn't Apple want those servers to be shut down. If they are hosting some malware, then they SHOULD be shut down. They aren't helping anyone by having that crap available to be used. They should simply find out who posted it in the first place and go after the people that put the crap out there in the first place.

He or she is probably 14 years old and is definitely a Mac user.
When I looked up "Ninjas" in Thesaurus.com, it said "Ninja's can't be found" Well played Ninjas, well played.
post #29 of 29
Quote:
Originally Posted by digitalclips View Post

Both companies have a highly vested interest in scaring the crap out of newbie Mac users. I don't trust a word they say.
It's like running a million ads saying "Ask your doctor for our drug that cures restless nose syndrome ... you do have a restless nose don't you ...?" Cut to video of people just like you with restless noses.

The only difference is I wouldn't put it past one of that bunch of AV companies to be behind the trojans in the first place. These guys are all dead when the PC dies and they know it.

Apple reportedly trusts Kaspersky more than some forum members. Apple has asked for Kaspersky's help in identifying OS X security problems.

http://www.zdnet.com/blog/btl/kaspersky-joins-apple-in-mac-security-push/76735?utm_medium=twitter&utm_source=twitterfeed

Speaking to Computing, Kaspersky’s chief technology officer Nikolai Grebennikov confirmed Apple’s call for help, but warned that the platform is “really vulnerable”.

“Mac OS is really vulnerable,” he claimed, “and Apple recently invited us to improve its security. We’ve begun an analysis of its vulnerabilities, and the malware targeting it,” Grebennikov said in the interview.

It comes only a month since Eugene Kaspersky’s comments arguing that Apple is “ten years behind Microsoft in terms of security“.

The two companies will work together in partnership to secure the Mac operating system — which will be renamed to “OS X” in the latest ‘Mountain Lion’ iteration — but remains to be seen whether Apple will integrate anti-malware software into its software.

melior diabolus quem scies