Free Republic
Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections
Forbes ^ | April 9, 2011 | Andy Greenberg

Posted on 04/10/2012 12:04:43 PM PDT by dickmc

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork.

(Excerpt) Read more at forbes.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; flashback; malware
Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, says he learned Monday from the Russian Web registrar Reggi.ru that Apple had requested the registrar shut down one of its domains, which Apple said was being used as a “command and control” server for the hundreds of thousands of PCs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server–what researchers call a “sinkhole”–to monitor the collection of hijacked machines and try to understand their behavior, the technique which allowed the firm to first report the size of Apple’s botnet last week.
1 posted on 04/10/2012 12:04:54 PM PDT by dickmc
[ Post Reply | Private Reply | View Replies]

To: dickmc
From the article...."In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.”"
2 posted on 04/10/2012 12:09:13 PM PDT by dickmc
[ Post Reply | Private Reply | To 1 | View Replies]

To: dickmc

I think paranoia is warranted here.

Russians and Chinese develop all the most sophisticated viruses. Yes, a lot of it is stupidity by pranksters with egos, but at the top end with rootkits and botnets, I’m not so sure...

I think it’s a serious game with national security implications and if you think about it, they might be doing dry runs and live tests for more sophisticated versions they are keeping for a special occasion.

If there are government agencies behind some of the top viruses, wouldn’t it make sense they would also want to measure its success and progress? No, I wouldn’t trust this agency.


3 posted on 04/10/2012 12:12:35 PM PDT by Mount Athos (A Giant luxury mega-mansion for Gore, a Government Green EcoShack made of poo for you)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dickmc

gotta destroy the evidence


4 posted on 04/10/2012 12:12:35 PM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Mount Athos

They are doing it for many reasons. To steal money and information. The industrial espionage is just as valuable as the national security information. They are able to rapidly increase their own technology by stealing it from others, without any significant investment.


5 posted on 04/10/2012 12:18:20 PM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: dickmc; Swordmaker
more than half a million Macs were infected with Flashback malware

This was never the case. These so-called "experts" took an uninformed guess... and WAY over-stated the case (by upwards of 90%).

6 posted on 04/10/2012 12:32:25 PM PDT by TheBattman (Isn't the lesser evil... still evil?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: dickmc
I downloaded "Flashback Checker" from GitHub.com. Easy/quick/free download.

Result? "No Infection Found."

I cannot find anyone I know who picked up this nasty on their Mac...

7 posted on 04/10/2012 12:52:42 PM PDT by donozark (We're ALL Greeks now...and possibly, quite soon, Portuguese.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: donozark

My wife has been complaining that our Mac has been acting flakey for the last few months. I’ll use your link to check it, thanks.


8 posted on 04/10/2012 12:59:40 PM PDT by dangerdoc (see post #6)
[ Post Reply | Private Reply | To 7 | View Replies]

To: TheBattman
This was never the case. These so-called "experts" took an uninformed guess... and WAY over-stated the case (by upwards of 90%).

Have you got a cite for that information? According to whom? Some friends who use Apple are freaking out over this whole thing.

9 posted on 04/10/2012 1:02:52 PM PDT by Bob
[ Post Reply | Private Reply | To 6 | View Replies]

To: dickmc

PCs are very hard to infect with viruses now.

Just so you know. :)


10 posted on 04/10/2012 4:21:35 PM PDT by Jonty30 (What Islam and secularism have in common is that they are both death cults.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Jonty30

It is possible, if Tim Cook asks nicely and buys the dinner, Microsoft might lend its expertise to Apple.


11 posted on 04/10/2012 4:27:29 PM PDT by Jonty30 (What Islam and secularism have in common is that they are both death cults.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Bob

Well, my 5 Macs are fine. Would like to get some authoritative, non-biased estimates of the supposed infection. From what I understand, it requires you to enter your Admin password. Since I run “Click-to-Flash”, I very rarely run Flash anymore. And I know my 9 iOS devices are immune...


12 posted on 04/10/2012 7:07:43 PM PDT by ace2u_in_MD (You missed something...)
[ Post Reply | Private Reply | To 9 | View Replies]

To: donozark

I just checked our Mac, no virus.

It was suffering from random reboots for a while, seems to be better now.


13 posted on 04/11/2012 6:37:01 AM PDT by dangerdoc (see post #6)
[ Post Reply | Private Reply | To 7 | View Replies]

To: dickmc; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Apple has taken legal action to take down Doctor Web's sinkhole server... which so far is the only identified FLASHBACK server on the web—PING!

Mac users are notorious for complaining when something goes wrong. If there WERE a 600,000 member Macbot out there, the number of infected users would be all over the forums announcing their machines infected and asking for help in removing it. I have been diligently searching tech and non-tech forums seeking users who are reporting that THEY have Macs that have been infected by this Flashback Trojan... and I am simply NOT seeing them saying they are using the tools provided and found their computers infected. Even on the Apple help forums, at the peak of the news, there were only 217 comments, most asking "How do I detect this?" and reports back about "My computer is clean!" The few that I have found are obvious non-Mac using trolls...

So, WHERE ARE THE INFECTED MACS? I am simply NOT FINDING THEM!

Do any of you Freeper Mac users have it?


Apple Security Ping!

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

14 posted on 04/12/2012 11:11:03 AM PDT by Swordmaker
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Do any of you Freeper Mac users have it?

Nope. Clean. Some could argue that Flash itself is a destructive virus because of the resource hogging. The only place I have heard of the "virus" is here on FR by non-Mac users. SSDD.
15 posted on 04/12/2012 11:19:42 AM PDT by PA Engineer (Time to beat the swords of government tyranny into the plowshares of freedom.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: Swordmaker

None of my Macs have it.

Ed, hoping for a Mac Pro refresh!!!


16 posted on 04/12/2012 12:19:17 PM PDT by Sir_Ed
[ Post Reply | Private Reply | To 14 | View Replies]

To: Swordmaker
So far out of about 20 Macs owned by friends and family, ZERO infections. And not one of those people knows anyone who has found it. No one has even heard about anybody who has it who is identifiable.

NOT EVEN ONE CONFIRMED INFECTION YET OUT HERE. Still looking around, of course...

17 posted on 04/12/2012 6:27:55 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 14 | View Replies]

To: dayglored
NOT EVEN ONE CONFIRMED INFECTION YET OUT HERE. Still looking around, of course...

Frankly, I think it really doesn't exist in the wild. I think we are seeing a concentrated spoof attack on these servers... perhaps orchestrated FUD??? I have yet to find ANYONE with a confirmed infection! I have over 200 clients with Macs... all running bare... and not one has had an infection. There should be at least two.

I have not seen one on the major news media comment sections, except the obvious trolls who don't even know how to spell Mac. . . claiming their MACs were infected, or others feigning bitterness that their $3000 and $4000 iMacs they bought to avoid virus infections were a waste of money because they are now infected and how they were going to buy a much more economical and powerful Windows 8 computer for their next computer for under $500!

What I have seen are numerous people using the Terminal commands or the now ubiquitous downloadable Flashback check programs, reporting their machines are "CLEAN!" Not even once have I seen someone post, "I ran the check and found my computer was infected!"

18 posted on 04/12/2012 7:54:40 PM PDT by Swordmaker
[ Post Reply | Private Reply | To 17 | View Replies]

To: Swordmaker
I gotta admit, Swordmaker, this is looking more and more like a fraud, for the purpose of... what? Hoping to drive Apple's stock price down? Preparation for Windows 8 launch? or just some stupid A/V researcher getting bored and deciding to kick up some dust?

Here's my current take on it:

  1. The Java vulnerability is very REAL.

  2. The vulnerability is exploitable and malware exists that uses it.

  3. Apple took an inordinately long time to produce an appropriate security update.

  4. Somebody decided it was an opportunity to attack Apple and announced a huge botnet.

I actually hope that it's either REAL (i.e. that there are real infected Macs out there), or that it's an HONEST mistake.

Because the only other possibility -- that the A/V community has stooped to fabricating huge, worldwide lies -- is extremely troubling. These are the people we trust our computers to, to keep them safe. WTF???!?!!!!

19 posted on 04/12/2012 8:12:59 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 18 | View Replies]

To: dayglored
NEWS FLASH!
"Symantec said today the number of bots had been cut to 270,000 as of 11 April, whilst yesterday Kaspersky said the number had been reduced to 237,103 as of 8 April. Almost all infected machines are Apple Macs."
WOW! Kaspersky was widely quoted on the 10th as confirming the 600,000 number... but they KNEW on the 8th that it was only 237,103??? I smell FISH! Rotten fish!

I am still not finding ANY infected Macs... not one. If true, the infection rate is less than 0.4%...

20 posted on 04/12/2012 11:39:56 PM PDT by Swordmaker
[ Post Reply | Private Reply | To 19 | View Replies]

To: Swordmaker
I am still not finding ANY infected Macs... not one.

Asked around here. No one has had the problem. I asked my brother who works with a major bank on the Mac platform. His response was a simple "meh." I'm only seeing the problem here on FR amongst non-Mac users. SSDD.
21 posted on 04/12/2012 11:50:16 PM PDT by PA Engineer (Time to beat the swords of government tyranny into the plowshares of freedom.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: donozark; Swordmaker; All
I checked for it with Unix via Terminal (comes with OSX). It's not on my MBP...

~~~~~~~~~

To see if your Mac is infected:
In Terminal:

go to SHELL / New Command

paste in the bold line below

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

-- and RUN.

You should get this error:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Then run:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should get this error:

The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If you do, you are clean of this variant!

~~~~~~~~~~~

(Can't hurt anything; those are read-only commands...)

22 posted on 04/13/2012 6:00:02 AM PDT by TXnMA ("Allah": Satan's current alias...)
[ Post Reply | Private Reply | To 7 | View Replies]
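
Added example, not part of post 22 or of any tool mentioned in the thread: a POSIX shell wrapper around the two read-only `defaults read` checks from post 22 that tells "key absent" apart from "the check itself failed", so a broken check is not mistaken for a clean result. The `DEFAULTS_BIN` variable and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): the two read-only checks from post 22,
# with the exit status and message interpreted instead of read by eye.
# DEFAULTS_BIN is an assumption of this example so the logic can be exercised
# with a stub on a machine that has no macOS `defaults` tool.
DEFAULTS_BIN="${DEFAULTS_BIN:-defaults}"

# check_key DOMAIN KEY
# returns 0 = key absent, 1 = key present, 2 = could not tell
check_key() {
    if out=$("$DEFAULTS_BIN" read "$1" "$2" 2>&1); then
        echo "FOUND   $2 in $1: $out"
        return 1
    fi
    case $out in
        *"does not exist"*) echo "absent  $2 in $1"; return 0 ;;
    esac
    # Any other failure (tool missing, unreadable plist) proves nothing.
    echo "UNKNOWN $2 in $1: $out"
    return 2
}

# Record one check_key status in the found/unknown flags.
tally() { case $1 in 0) ;; 1) found=1 ;; *) unknown=1 ;; esac; }

# flashback_check
# returns 0 = both keys absent, 1 = a key is present, 2 = inconclusive
flashback_check() {
    found=0; unknown=0
    rc=0; check_key /Applications/Safari.app/Contents/Info LSEnvironment || rc=$?
    tally "$rc"
    rc=0; check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=$?
    tally "$rc"
    if [ "$found" -eq 1 ]; then
        echo "RESULT: a key post 22 expects to be missing is set; investigate"
        return 1
    fi
    if [ "$unknown" -eq 1 ]; then
        echo "RESULT: inconclusive, at least one check could not be read"
        return 2
    fi
    echo "RESULT: neither key is set (clean of this variant, per post 22)"
}

# Run the checks only where the tool exists (i.e. on a Mac).
if command -v "$DEFAULTS_BIN" >/dev/null 2>&1; then
    flashback_check
fi
```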

To: dickmc

So a company that supposedly specializes in computer security actually is the perpetrator in this attempt to attack Macs... at least that is what this all appears to boil down to. They have been caught red-handed; Apple is trying to force a shutdown of the servers playing “host” to the attack attempts.

I still say Symantec, McAfee, and others have done similar... a good way to generate business (tinfoil hat is firmly in place).

And as I have read many articles on this supposed “widespread infection” - I have actually found no actual userland reports of said infection, but lots of paranoia.


23 posted on 04/13/2012 1:44:08 PM PDT by TheBattman (Isn't the lesser evil... still evil?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Historically, Apple hasn’t had a very good relationship with security researchers. Most companies don’t. It took a long time for Microsoft to wake up and realize they essentially constitute free security research for the company.


24 posted on 04/13/2012 4:25:27 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 14 | View Replies]
