Flashback infection lets hackers into ‘hundreds of thousands’ of systems
Apple users’ relative indifference to the threat of viruses has again been called into question by a malware outbreak. But a lack of anecdotal reports from ordinary users casts doubt on estimates of its scale.
Earlier this month, Russian security firm Dr. Web said its research showed that up to 600,000 Macs around the world had been recruited to a botnet - an illicit network of computers unwittingly controlled by a hacker to launch attacks on other systems - by a program known as Flashback. Although OS X users were affected by the malware, the vulnerability it exploited wasn’t in the operating system itself but in the Java runtime environment, an optional extra that can be installed to support applications and web applets that require it. Apple doesn’t supply Java as standard with new Macs.
Malware hits Macs
Despite widespread publicity, Apple offered no immediate response. Some time later, a patch appeared in Software Update that fixed the hole in Java when installed by the user. After a further week, another update for OS X Lion and Snow Leopard added the ability to remove Flashback from already infected Macs. A standalone Flashback malware removal tool was then released to remove Flashback from systems without Java installed, preventing its propagation.
Both of these tools scan a Mac for Flashback and remove it if it’s there, before displaying a dialog box explaining what’s happened. The Lion version also disables the Java web plug-in if it hasn’t been used for 35 days, thus preventing Flashback from running if it’s later downloaded. Java applets can be re-enabled manually by the user.
Security firm Intego, which first discovered Flashback in September 2011, pointed out that Apple’s update didn’t remove all instances of the malware. ‘We are not sure which variants this covers; Intego currently has 18, from Flashback A to Flashback R, and Apple’s tool clearly does not detect and remove all of them,’ it wrote in a blog post. Inevitably, this advice was followed by a link to Intego’s own anti-virus software. Other firms, including F-Secure, Kaspersky and Symantec, also released tools specifically to detect and remove Flashback.
Apple released Software Update patches to remove Flashback and prevent it from infecting a Mac in the future, but was it too little too late to prevent a major outbreak?
“The delay in Apple’s response created the worst ever security threat to OS X, some commentators said”
Apple came under fire for taking weeks to respond to the Flashback outbreak. The delay meant most of the computers infected were Macs, a stark contrast to the typical scenario of malware affecting only Windows systems. Some commentators described Flashback as the worst security threat OS X had ever seen. Dr. Web’s estimate of 600,000 systems included 47,000 in the UK, all of which the company said had been added to a botnet that was used to track web browsing data, user IDs and passwords.
Despite these huge numbers, which would represent about 1% of all Macs in use, stories of individual users actually confirming that their machines were infected were oddly scarce. Over several days of responses from Twitter followers who between them were responsible for hundreds of Macs, only one example was discovered by MacUser of an infection in the UK.
Apple later moved to limit the damage caused by the botnet by asking hosts to shut down servers accessed by the malware. ‘In addition to the Java vulnerability, Flashback relies on computer servers hosted by [its] authors to perform many of its critical functions,’ the company said in a statement. ‘Apple is working with ISPs worldwide to disable this command and control network.’
Ironically, among the first command centres apparently targeted was one operated by Dr. Web, which was using it as a ‘sinkhole’ to monitor and thwart the botnet. A failure of communication was blamed by some for the slow and uncoordinated response to the outbreak. ‘Apple needed to deal with outside security experts,’ wrote Tim Dickinson at TechFruit, ‘except, as is the case with Apple, they don’t work well with others.’
Flashback first appeared as a Trojan horse: disguised as an updater for Adobe’s Flash Player, it relied on the user agreeing to install what looked like an innocuous app. Subsequent versions added the ability to bypass OS X’s built-in malware detection, making it immune to the automatic updating mechanism that killed off the Mac Defender malware a year ago. But the user still had to be fooled into manually entering an administrator password, making it a social attack rather than a virus.
Significantly, the most recent variant was a ‘drive-by’, where the download initiates without the user’s knowledge or interaction. It exploited a vulnerability in Java which was, until the beginning of April, unpatched by Apple, despite Java maker Oracle having issued a fix for Windows in February. And it didn’t need an administrator password to install itself.
“Drive-by downloads install, without user interaction, from websites that have been ‘poisoned’”
Drive-by downloads are typically hosted on websites that have been ‘poisoned’, usually by hosting infected adverts or videos. The malware itself, or payload, is known as a ‘backdoor’ because, once downloaded, it opens ports on the infected machine to allow access from remote computers.
Security experts warn that more variants of Flashback are likely to emerge, but Mac users who have updated to the latest version of Java should have nothing to worry about. Within a few days of Apple’s Java update, security firm Symantec reported the number of infected Macs had dropped to 270,000; at the time of writing, this had fallen to 140,000. ‘Many of the domain names that were in charge of the botnets have been taken over, so the chances of the attackers building their botnets again from those machines is pretty slim,’ Symantec researcher Liam O Murchu told TechNewsWorld.
Another security researcher, Trend Micro’s Ivan Macalintal, was keen to point out that Mac users needed to be vigilant. ‘You’ll see more of these things in Macs in the future,’ he told TechNewsWorld’s John P Mello. ‘They’re on the radar of cybercriminals right now.’ But McAfee’s Dave Marcus noted that ‘how successful they are will be spotty’.
Although widely reported, the estimate of 600,000 infections has not been verified.