Flashback malware still on 140K Macs despite fix

Posted:
in General Discussion edited January 2014


Despite Apple's release of numerous Java patches and an uninstaller tool, some 140,000 Macs worldwide are still affected by the Flashback trojan that was at one point present on 600,000 machines.



Although malware-affected Macs are on the decline, the numbers are at a point much higher than forecasted by software maker Symantec, according to a Tuesday post on the company's blog.



The security firm guessed that the number of affected machines would have dropped precipitously by now given that Apple and third-party vendors released their respective Flashback-neutralizing programs last week. The Mac maker even rolled out a removal tool for those Mac users who don't have Java installed, and thus may be harboring a dormant version of the malware.



Statistics from Symantec's "sinkhole," or spoofed command and control server, show that Flashback has been removed from some 460,000 machines since Apr. 9, but the company expected less than 99,000 would be carrying the trojan by Tuesday.



Sinkholes are used by internet security and research entities to monitor and analyze the spread of malicious programs, though the standard practice sometimes brings unwarranted suspicion to smaller, less well-known firms. For example, Apple reportedly attempted to shut down the server hosting a sinkhole belonging to Flashback's discoverer Dr. Web, mistakenly thinking that it was a legitimate command and control server. Apple's move, however, can also be considered standard practice when dealing with fast-moving malware.







Forecast of Flashback removal. | Source: Symantec







There has been no speculation as to why the remaining Macs haven't already disposed of Flashback, as the self-installing program can be easily identified and deleted. It is possible that machine owners remain unaware of the program and haven't yet performed a software update that would eradicate it.



The trojan itself continues to propagate on upatched systems. Analysis into Flashback's structure reveals that it is coded to exceed the .com top level domain, and generates domain names from .in, .info, .kz and .net. Flashback creates one new string every day that is paired with a random TLD.



Once a user visits a site carrying Flashback, the program installs itself without the need for permission and proceeds to collect sensitive data like user iDs, passwords and web browsing histories which it then sends to an off-site repository.



Just as Flashback exploited the "Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability" to create its botnet, another threat has surfaced that uses the same hole as a means of distribution.



Called Backdoor.OSX.SabPub.a, the newly-discovered malware was created in March and is considered an "active attack" trojan as an operator manually checks and harvests data from an affected machine. SabPub has also been seen being distributed in malicious Word documents, installing itself by exploiting a known record parsing buffer overflow vulnerability.



[ View article on AppleInsider ]

«1

Comments

  • Reply 1 of 38
    solipsismxsolipsismx Posts: 19,566member
    80% drop in a week since it was announced is pretty damn impressive for dealing with a Trojan.
  • Reply 2 of 38
    Quote:
    Originally Posted by AppleInsider View Post


    There has been no speculation as to why the remaining Macs haven't already disposed of Flashback, as the self-installing program can be easily identified and deleted. It is possible that machine owners remain unaware of the program and haven't yet performed a software update that would eradicate it.






    Why doesn't it just download and work in the background? Malware removal tools have worked that way for a decade.



    Apple needs to get its shit together and get out in front of this issue.
  • Reply 3 of 38
    tallest skiltallest skil Posts: 43,388member
    Quote:
    Originally Posted by I am a Zither Zather Zuzz View Post


    Why doesn't it just download and work in the background?



    Becoming the demons isn't the right way to go.
  • Reply 4 of 38
    pokepoke Posts: 506member
    Quote:
    Originally Posted by I am a Zither Zather Zuzz View Post


    Why doesn't it just download and work in the background? Malware removal tools have worked that way for a decade.



    Apple needs to get its shit together and get out in front of this issue.



    All you have to do is click install when Software Update notifies you of the update. Nothing more.
  • Reply 5 of 38
    jragostajragosta Posts: 10,473member
    I call BS.



    Look at the numbers in the chart. Now, note that Apple didn't release the removal tool until April 13.



    One of two things happened:



    1. The systems repaired themselves with no help from Apple



    or



    2. The numbers are entirely fabricated and meaningless.



    Obviously, the latter is far more likely.
  • Reply 6 of 38
    gtrgtr Posts: 3,231member
    Quote:
    Originally Posted by Tallest Skil View Post


    Becoming the demons isn't the right way to go.



    +1 for that!
  • Reply 7 of 38
    MacProMacPro Posts: 19,718member
    Quote:
    Originally Posted by jragosta View Post


    I call BS.



    Look at the numbers in the chart. Now, note that Apple didn't release the removal tool until April 13.



    One of two things happened:



    1. The systems repaired themselves with no help from Apple



    or



    2. The numbers are entirely fabricated and meaningless.



    Obviously, the latter is far more likely.



    Given the potential revenues involved if Mac users can be convinced to start buying AV utilities I am not surprised by exactly what you have spotted, a total con. The blog and even the real media industry want this just as they wanted to inflate the shooting in Florida. Another OJ trial has them salivating as does Macs getting infected. As I write this AI has ads from AV companies on this very page!
  • Reply 8 of 38
    mdriftmeyermdriftmeyer Posts: 7,503member
    Meanwhile. venerable Symantec has managed to make a fortune while keeping millions of Windows machines infected with various malware, virii and the occasional worm.
  • Reply 9 of 38
    mdriftmeyermdriftmeyer Posts: 7,503member
    Quote:
    Originally Posted by jragosta View Post


    I call BS.



    Look at the numbers in the chart. Now, note that Apple didn't release the removal tool until April 13.



    One of two things happened:



    1. The systems repaired themselves with no help from Apple



    or



    2. The numbers are entirely fabricated and meaningless.



    Obviously, the latter is far more likely.



    The best part of the situation is that Apple is developing security measures and not relying on a 3rd party to profit on this scenario.
  • Reply 10 of 38
    dickprinterdickprinter Posts: 1,060member
    Quote:
    Originally Posted by jragosta View Post


    I call BS.



    Look at the numbers in the chart. Now, note that Apple didn't release the removal tool until April 13.



    One of two things happened:



    1. The systems repaired themselves with no help from Apple



    or



    2. The numbers are entirely fabricated and meaningless.



    Obviously, the latter is far more likely.



    They release one Java patch on Friday the 6th http://www.appleinsider.com/articles...this_week.html with a link at the bottom of the article for those savvy enough to play with Terminal and remove it manually.



    Then Apple release the Java update with the removal tool last Thursday and the stand-alone removal tool, for those not using Java, on Friday.



    I'm not saying that Symantec isn't fear-mongering but your dates are off a little.
  • Reply 11 of 38
    jragostajragosta Posts: 10,473member
    Quote:
    Originally Posted by Dickprinter View Post


    They release one Java patch on Friday the 6th http://www.appleinsider.com/articles...this_week.html with a link at the bottom of the article for those savvy enough to play with Terminal and remove it manually.



    Then Apple release the Java update with the removal tool last Thursday and the stand-alone removal tool, for those not using Java, on Friday.



    I'm not saying that Symantec isn't fear-mongering but your dates are off a little.



    Do you really think that 2/3 of all Mac users actually used the terminal/manual removal process which is what the data indicates?



    Again, the numbers look bogus.
  • Reply 12 of 38
    dickprinterdickprinter Posts: 1,060member
    Quote:
    Originally Posted by jragosta View Post


    Do you really think that 2/3 of all Mac users actually used the terminal/manual removal process which is what the data indicates?



    Again, the numbers look bogus.



    I agree, the numbers, and the corresponding dates where infection falls precipitously, do not jibe at all.
  • Reply 13 of 38
    charlitunacharlituna Posts: 7,217member
    Quote:
    Originally Posted by AppleInsider View Post




    There has been no speculation as to why the remaining Macs haven't already disposed of Flashback, as the self-installing program can be easily identified and deleted. It is possible that machine owners remain unaware of the program and haven't yet performed a software update that would eradicate it.



    THat would be the most likely answer right there. Not a shock since I know a number of folks that are still using the hardware they bought as much as 5 years ago and haven't every updated the software. Most of them are my parents and their friends but still there are a good couple dozen just in that group
  • Reply 14 of 38
    macbook promacbook pro Posts: 1,605member
    Quote:
    Originally Posted by jragosta View Post


    Do you really think that 2/3 of all Mac users actually used the terminal/manual removal process which is what the data indicates?



    Again, the numbers look bogus.



    More specifically 2/3 of Mac users who were afflicted. One might presume that less computer literate Mac users are far more likely to fall victim as they are less likely to use deactivate Java, deactivate "Open 'safe' files after downloading, use the firewall, etc. Given this consideration, the data set seems very questionable despite the media vastly over-inflating the issue.



    Since the security of iOS appears nearly unassailable vendors may believe they can benefit if they create fear, uncertainty and doubt around Apple in general. With sixty million OS X devices and over two hundred million iOS devices with escalating sales the information security industry most likely feels their livelihood is threatened.
  • Reply 15 of 38
    Quote:
    Originally Posted by poke View Post


    All you have to do is click install when Software Update notifies you of the update. Nothing more.



    Not everyone has Software Update set to auto-check for updates. Many schools and businesses prefer to do manual checks-and-installs or on their own schedule... and then there are those people who just have absolutely no clue what they should or should not be doing.



    As SolipsismX pointed out, an 80% decrease is impressive. We still need to be vigilant for the other 20%, but we cannot control those groups mentioned in my first paragraph. We may wish we could...
  • Reply 16 of 38
    welshdogwelshdog Posts: 1,897member
    So why is there not a removal tool for those with Java? I use Java all the time and can't really turn it off. I have run the Apple updates and I also used the Terminal commands to check for files related to the Trojan. I also have had Little Snitch installed for years so I guess there is no question I am clear, but I still wonder why no tool for Java users.
  • Reply 17 of 38
    solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by david.allie View Post


    As SolipsismX pointed out, an 80% decrease is impressive. We still need to be vigilant for the other 20%, but we cannot control those groups mentioned in my first paragraph. We may wish we could...



    I should have been more clear in my comment. I did mean that it's impressive, but as jragosta notes the change is suspect. Even if the 80% change was from when Apple issued the malware fix it will still be very impressive for 80% of the infected to have installed it within the first week or it being released.



    Even with iOS 5.x having OTA updates that notify the user I still don't think we've seen anything close to those results.





    Quote:
    Originally Posted by WelshDog View Post


    So why is there not a removal tool for those with Java? I use Java all the time and can't really turn it off. I have run the Apple updates and I also used the Terminal commands to check for files related to the Trojan. I also have had Little Snitch installed for years so I guess there is no question I am clear, but I still wonder why no tool for Java users.



    It's poorly worded. It removes it from all systems, with or without Java. The take away is that it also checks machines that don't have Java installed so they aren't harboring the malware if and when they install, or potentially connect to other machines (I forget if it's a worm).
  • Reply 18 of 38
    welshdogwelshdog Posts: 1,897member
    Quote:
    Originally Posted by SolipsismX View Post


    It's poorly worded. It removes it from all systems, with or without Java. The take away is that it also checks machines that don't have Java installed so they aren't harboring the malware if and when they install, or potentially connect to other machines (I forget if it's a worm).



    Thank you for that. First time I have heard it explained that way.
  • Reply 19 of 38
    MacProMacPro Posts: 19,718member
    Quote:
    Originally Posted by mdriftmeyer View Post


    The best part of the situation is that Apple is developing security measures and not relying on a 3rd party to profit on this scenario.



    Agreed 100%.
  • Reply 20 of 38
    dickprinterdickprinter Posts: 1,060member
    Quote:
    Originally Posted by mdriftmeyer View Post


    The best part of the situation is that Apple is developing security measures and not relying on a 3rd party to profit on this scenario.



    Who best to protect those of us who relish life inside the walled garden of Apple.





    I....love....this.....company. (No, I'm not saying that in a Ballmer kind of way)

    http://www.youtube.com/watch?v=Nc4MzqBFxZE
Sign In or Register to comment.