Posted on 04/05/2012 8:45:23 AM PDT by null and void
An investigation by Dr Web suggests that about 600,000 Macs have the malware - potentially allowing them to be hijacked and used as a "botnet".
It says that more than half that number are in the US.
Flashback was first detected last September when anti-virus researchers flagged software masquerading itself as a Flash Player update. Once downloaded it deactivated some of the computer's security software.
Remote control
"By introducing the code criminals are potentially able to control the machine," the firm's chief executive Boris Sharov told the BBC.
"We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals' hands. However, we know people create viruses to get money.
"The largest amounts of bots - based on the IP addresses we identified - are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people."
Dr Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California - home to Apple's headquarters.
Update wait
Apple released its own "security update" on Wednesday - more than eight weeks later. It can be triggered by clicking on the software update icon in the computer's system preferences panel.
The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.
Although Apple's system software limits the actions its computers can take without requesting their users' permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.
"People used to say that Apple computers, unlike Windows PCs, can't ever be infected - but it's a myth," said Timur Tsoriev, an analyst at Kaspersky Lab.
Apple could not provide a statement at this time.
(Excerpt) Read more at bbc.co.uk ...
I love the pop-up windows I get occasionally that say a virus has been detected in my Windows software, and all I have to do is download their product to clean it up - on my Mac.
Neither Swordmaker nor any other MacBot has told you any such thing. Less likely or unlikely, yes; impossible? No.
I have been on line with my Macs a little over 20 years and have never been infected, and I run no virus ware because I consider most of it as obnoxious as the Virus it is supposed to protect me from.
If I am so unfortunate to encounter a Virus, I know a fix will be posted on MacSurfer.com so I don't worry over concern trolls like yourself.
To see if you haven’t got it:
In terminal run:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
You should get this error:
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Then run:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
You should get this error:
The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
If you do you are clean of this variant!
Make it a point though to set up a standard account & use it for day to day stuff.
Yeah, I had a laugh about that. The work machine is Windulls, and slows to a crawl dozens of times a day because the OS is so vulnerable to virus attacks that the virus prevention program consumes a lot of the CPU.
I had to laugh at this because I was listening to Rush just now explain why advertising has no effect on him. He just looks for the most expensive version of what he would like and buys that. Admittedly he is not typical, but he is a Fan-Boy.
You’re the one that is narrowing it down. Not a single person is talking about OS8, so why should we be talking about windows 95 and such.
Let’s just focus on the OS that is current or even one old. So let’s go with Vista and Win7. No it’s your turn...point me to a website that will infect my machine.
I’m still waiting.
Also we all know why OSX has been relatively safe on the Internet...1st it has decent security (much like Windows Vista); however, it also enjoys the luxury of no one using it. But now that it is more popular we will continue to see attacks like the one in this thread. Which is what I’ve always said and I’ve now been proven right. This is 3 pretty big attacks in what 6 months? Imagine what would happen if OSX had the market penetration Windows has!
There isn’t a single thing you can say to dispute these facts. So obfuscate all you want and keep comparing the latest OS from Apple vs Microsoft’s OSes from over a decade ago. That’s how sad this truly is...to compete Apple needs to focus on a decade old OS to say it’s better.
That has worked so well that you have pushed Apple to the Brink of becoming the first Trillion dollar company. Good work, keep it up.
Apple is doomed, I tell ya
Here’s another one of those people who don’t exist.
I too have never received a virus, nor has anyone in my family. I guess windows is just as good if not better because there are 5 people I’m vouching for and you only mentioned 1.
That’s some great logic there isn’t it?
Please point me to one website that will install a virus on my machine. Now you said virus so I expect it to be self replicating and all that stuff that gets thrown at me for using the term virus in the generic sense. But I'll give you the fact that you really meant malware, so if you can point me to a malware site that will infect my windows machine please do. Otherwise this is just more FUD.
Huh? You know that’s not what I meant. What I’m doing is pointing out to the idiots who believed the lies that OSX was malware proof. They need to wake up and follow good PC security or else they will end up just like they were when using windows.
No you haven't because they don't exist, not in SwordMaker's DNA to do that, or any other genuine Mac user. I suspect some of those over the top comments by so called Mac users are just that.
I can say this: for over 20 years I have been on line with a Mac and to my knowledge I have never had a virus of any kind. Can you say the same thing?
You can bout all of them even before system 7 and I dare you to show me one Virus. They were a non issue in those days, which is something you should know.
I am sure you would, if you could. You look at a post that is nothing but facts and decide it is a bunch of MacBot lies.
Well that should make you very happy, so why are you trying to warn the idiots?
I was a little worried because my Safari crashes a lot, I disabled Java when things went bonkers not too long ago and flash drives me crazy because it requires updating about once a week. I always go to Adobe.
Well, the last time I went to Adobe because the eaglecam wouldn't work suddenly. I dl'ed and ran the update, went back to the eaglecam, and it still wouldn't work. I got the flash prompt again and ran it from the eaglecam page. It took. Usually I never run the update from a popup, so I don't know what happened with that but it worried me I might have picked up something that way.
Thank you for posting that although I had to trust blindly that it was ok to run it as I don't have a clue what those commands mean. Seems like it's comparable to going into DOS in Windows which I had to do sometimes.
Kaspersky claims to have confirmed the ~1/2 million infected computers, of which he says probably 98% are running OS-X.
http://www.pcmag.com/article2/0,2817,2402715,00.asp
I'm willing to believe Kaspersky; he's often run around with his hair on fire, but he seems to have done a good job of checking on this one.
I'd say, at this point, this looks to be the first big "Java-bites-OS-X" event that didn't get stopped quickly enough. F-Secure has a page with good information (quite technical) here:
http://www.f-secure.com/weblog/archives/00002336.html
Please quit bashing Macs. It gets tiresome.
Coming on the thread to gloat about a story that is weeks old (Swordmaker warned us not to download from a pop-up back in February, if I remember right).
I don’t get the hostility from PC enthusiasts toward those of us who prefer Macs. There must be some deep insecure anxiety in their precious little hearts.
Happy Mac user since the original IIe.
You must be joking. I'm regularly called a Macbot for my defense of Apple against untrue attacks.
Swordmaker, help me out here! :)
Jacquej, you misunderstand. I've had Macs since 1984 (and worked on an Apple ][ and Lisa before that). I like Apple's hardware products -- they make terrific workstation platforms and virtual machine hosts. I run OS-X on them along with Win7, XP, Linux, and NetBSD. I'm typing this on a MacBook, which is sitting next to my iPad, and I'm listening to the stereo playing MP3s off my iPod Touch. The Mac Mini (bootcamped Snow Leopard and Win7) is presently turned off. The older PPC Mini which runs Fedora 10 Linux is likewise off at the moment.
AHEM.
Now with all the above said, I refuse to stick my head in the sand, either. This particular attack based on Java vulnerabilities seems to have escaped Apple's attention for long enough that it got pretty widespread. That's a new thing.
I'm not going to deny that one of the main reasons I use OS-X as my personal favorite interactive operating system is that it is quite robust against malware. (The other reason is that it's based on BSD Unix, my favorite system OS.)
But I'm also not going to deny that ALL operating systems can have vulnerabilities, and that those problems require addressing in a timely fashion.
Meanwhile, I found these pages useful to determine whether one is infected, and what to do about it.
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Run the following in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
If you see other stuff, follow the instructions on the linked page above to clean it out.
If you're not infected you should see:
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If you're not infected you should see:
The domain/default pair of (/Users/rff/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
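The two `defaults read` checks posted in this thread (in the comment above and in the earlier one), combined into one script as an added example; it is not part of any poster's comment or of F-Secure's instructions. It counts only the "does not exist" reply as clean, reports any stored value as suspect, and flags any other error as unknown; the function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the two Flashback checks quoted in this thread.
# Exit codes (chosen for this example): 0 = clean, 1 = suspect, 2 = unknown.

# check_key DOMAIN KEY
# Runs `defaults read DOMAIN KEY` and classifies the answer.
check_key() {
    # Success means the key exists and holds a value: that is the
    # "other stuff" the posts say to follow up on.
    if out=$(defaults read "$1" "$2" 2>&1); then
        printf 'SUSPECT: %s %s = %s\n' "$1" "$2" "$out"
        return 1
    fi
    case $out in
        # The expected error on an uninfected machine.
        *"does not exist"*)
            printf 'clean: %s %s\n' "$1" "$2"
            return 0 ;;
        # Any other failure (permissions, unreadable plist) proves nothing,
        # so do not report it as clean.
        *)
            printf 'UNKNOWN: %s %s: %s\n' "$1" "$2" "$out"
            return 2 ;;
    esac
}

# flashback_check
# Runs both checks and returns the worst result seen.
flashback_check() {
    worst=0
    for pair in "/Applications/Safari.app/Contents/Info LSEnvironment" \
                "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"; do
        rc=0
        # Split on the last space so a $HOME containing spaces still works.
        check_key "${pair% *}" "${pair##* }" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Only run where the macOS `defaults` tool is present.
if command -v defaults >/dev/null 2>&1; then
    flashback_check
fi
```

A result of "clean" covers only the variant these two checks were written for, as the earlier comment notes.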
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.