Posted on 04/05/2012 8:45:23 AM PDT by null and void
An investigation by Dr Web suggests that about 600,000 Macs have the malware - potentially allowing them to be hijacked and used as a "botnet".
It says that more than half that number are in the US.
Flashback was first detected last September when anti-virus researchers flagged software masquerading as a Flash Player update. Once downloaded it deactivated some of the computer's security software.
Remote control
"By introducing the code criminals are potentially able to control the machine," the firm's chief executive Boris Sharov told the BBC.
"We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals' hands. However, we know people create viruses to get money.
"The largest amounts of bots - based on the IP addresses we identified - are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people."
Dr Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California - home to Apple's headquarters.
Update wait
Apple released its own "security update" on Wednesday - more than eight weeks later. It can be triggered by clicking on the software update icon in the computer's system preferences panel.
The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.
Although Apple's system software limits the actions its computers can take without requesting their users' permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.
"People used to say that Apple computers, unlike Windows PCs, can't ever be infected - but it's a myth," said Timur Tsoriev, an analyst at Kaspersky Lab.
Apple could not provide a statement at this time.
(Excerpt) Read more at bbc.co.uk ...
I followed F-Secure's instructions (the two Terminal commandline commands above) on my main MacBook and came out clean.
I noticed a curious thing on the F-Secure page:
On execution, the malware checks if the following paths exist in the system:
* /Library/Little Snitch
* /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
* /Applications/VirusBarrier X6.app
* /Applications/iAntiVirus/iAntiVirus.app
* /Applications/avast!.app
* /Applications/ClamXav.app
* /Applications/HTTPScoop.app
* /Applications/Packet Peeper.app
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Well, I don't run any anti-virus on my Macs. But I install the developer package Xcode on all my machines by default because it gives me the C compiler, RCS version control, etc. Who would have guessed that it gave me an inoculation against this nasty piece of malware too!! :)
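The self-deletion check quoted from the F-Secure page is an environment-sensitivity trick: the malware aborts when it sees tools a researcher or a cautious user would have installed. The script below is an added example, not code from the F-Secure page or from the thread; it emulates that check so you can see which marker, if any, would have made Flashback skip your machine, and it takes an optional root prefix so it can be exercised against a constructed directory tree instead of the live system. The marker list is the one quoted above; the function name and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example: emulate the "vaccine" check Flashback performs on startup.
# Paths come from the F-Secure list quoted in the post above. An optional
# root prefix lets the check run against a constructed tree for testing.

FLASHBACK_MARKERS='/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# flashback_vaccine_check [ROOT]
# Prints every marker present under ROOT (default: the live filesystem).
# Returns 0 if at least one marker exists (the malware would have deleted
# itself), 1 if none do. A here-document is used instead of a pipe so the
# loop runs in the current shell and the counter survives it; reading line
# by line keeps paths that contain spaces intact.
flashback_vaccine_check() {
    root=${1:-}
    found=0
    while IFS= read -r marker; do
        [ -n "$marker" ] || continue
        if [ -e "$root$marker" ]; then
            printf 'present: %s\n' "$root$marker"
            found=$((found + 1))
        fi
    done <<EOF
$FLASHBACK_MARKERS
EOF
    [ "$found" -gt 0 ]
}

# Invoke as:  sh flashback_vaccine.sh --check [ROOT]
# (guarded so the file can also be sourced without running anything)
case "${1:-}" in
    --check)
        if flashback_vaccine_check "${2:-}"; then
            echo "marker found: Flashback would have skipped this machine"
        else
            echo "no markers: nothing here would have stopped it"
        fi
        ;;
esac
```

Note what this does and does not tell you: a present marker means this particular sample would have bailed out, not that the machine is clean, and an absent marker is not evidence of infection. Treat it as a way to understand the evasion logic, not as a detection.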
Thank you!
I’m clean. :)
We are STILL not seeing large numbers of people reporting finding the malware existing on their computers. This simply does not compute with the reports of what Kaspersky and Dr. Web are reporting... I would be more suspicious of a false bombing attack with a few computers forging signatures than that many Macs being infected from the few non-popular websites so far identified carrying the Trojan such as:
godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu
Can you conceive of hundreds of thousands of Mac users... no, make that millions of Mac users (counting the immune ones without JAVA installed), visiting THOSE websites in just a couple of months, and either being tricked into, or drive-by installing, the Trojan? Frankly, I can't.
And what's with 98% of the signatures being OSX???? This is a JAVA script vulnerability! When have you known Windows users to have such a complete install of a patch to any vulnerability that almost ALL hits from a cross-platform bot are from a non-Windows source??? Doctor Web on first report said 56% were Macs... now, suddenly Kaspersky says 98% are Macs? What gives? I simply don't believe it.
I think the OS signatures are being spoofed by the Trojan, an easy thing to do, since Mac users are NOT reporting finding the Trojan in large numbers on the forums! Mac users are notorious for reporting problems when they find them, and they simply are not reporting this.
My goal is to help everyone know and practice good PC security. In the past the macbots made it difficult for the ignorant to know the truth. Heck, there are still some even in this thread acting like this proven malware on OSX in the wild doesn't really mean anything. I need to make sure people don't believe those fools. They need good PC security practices and a 3rd-party firewall and AV solution. Relying on one company alone is a big risk, and yes, that includes Apple and Microsoft.
But their (ahem) enthusiasm doesn't invalidate the actual facts (whatever they are) behind the stories.
For example, I don't think that list of infected websites is complete, or that that is the only mechanism for infection. We still have more to learn about this malware. And it's POSSIBLE that the low number of user reports of infections could just be that (like myself) most Mac users tend to not bother much with anti-virus software and testing.
Now, as you know, I'm skeptical by nature, suspicious of marketers' motives, and cynical as hell about virus writers and the companies that make money "fighting" them.
We'll all know in a few months whether this was real or not. In the meantime, it appears to me that it COULD be real. We won't know for a while how it progresses. Perhaps like the Y2K event, if it is handled sufficiently well, the aftermath will be minimal and most people will say, "What was that all about? Nothing went wrong!". That would be a nice outcome for this malware.
But that requires action. I'm of the opinion that this COULD be the first successful widespread attack, and that it's worth a reasonable effort to pound it back down into oblivion, on the off chance that if we don't take it seriously enough, we'll learn in a few months that it was worse than we thought.
I'd rather be wrong in the safe direction. :)
> I need to make sure people don't believe those fools.
Oh BULL. Any conceivable good you might have done in that regard was completely obliterated early on by your obnoxious trolling. Do you really think the people you think you're "helping" like to be called nasty names while being "helped"???
Besides, at this point there are only a couple of us die-hards left on this thread. You can back off without guilt.
> My goal is to help everyone know and practice good PC security.
Thanks for the laugh. You're a riot and a half. And self-righteous to boot. What a combination. :)
A year ago, the installed base of Mac OSX computers topped 60 million. In the year since, Apple sold approximately 16 million more Macs, making a total of approximately 75 million OSX Macs in the installed base! A Trojan that can infect 0.8% of the installed base SHOULD be making waves on the forums by people reporting they have found it on their computers, especially in the US... so where are they? The word is out about how to find it easily and how to easily eradicate it.
I am not seeing ANY widespread reports of Mac users reporting they are infected. With a supposed 600,000, they should be all over the place, and they are not. Even in the comments in the articles, no one is reporting THEY are infected. Instead, you see numerous reports of people reporting "I am clean!" Nor are they reporting they KNOW of someone who found they were infected... only the security labs are reporting how to detect the infection on computers they have deliberately infected! That is why I say this stinks!
Note that the websites carrying the Trojan are NOT US websites... but supposedly the vast majority of the "infected" Macs are in the US (56.6%) and Canada (19.8%)... that alone is strange. There are lots of Macs in foreign places, but Dr.Web does not find proportional infections in Europe or Asia. 46% of Mac sales in the past four-five years have been in Europe... but only 12.4% of the infections are there, with the VAST majority concentrated in the UK?? Germany has a large representation of Macs... and only 0.4% infected??? France has a large Mac presence... but only 0.6%? Macs used to be manufactured in Ireland, and have a very large presence there, especially ones that would be susceptible to this Trojan, but the infection rate is only 0.1%! What gives???? Japan has a very large Mac presence... but their infection rate is only 0.1%! Australia, with a much smaller Mac presence than Japan, has a 6.1% infection listing. Strange.
Oh you misunderstand. I’m not helping those idiots that support OSX as if it’s flawless...those are the ones I’m calling out and making fun of and proving how stupid they are. The lurkers are my target...not those that like the smell of their own farts who think Apple can do no wrong.
Honest question...does Null and Void not count? He's the first post. Or did he confirm he wasn't infected?
What happened to Pug, or PSS?
Banned but also wrong, wrong, wrong. Apple did not go out of business. Its stock did not tank. There are no rivals to iPad! The iPhone still is viable!
I'll bet that the high number of alleged "infected" Macs in the US represents people who have visited those dodgy *.rr.nu sites -- without realizing it -- through an image or other link on some other site they hit intentionally (or otherwise), like a porn site.
> Note that the websites carrying the Trojan are NOT US websites.
Ummm, how do you figure that? Although the TLD ".nu" is assigned to island state of Niue, it looks like the domain "rr.nu" is in New Jersey.
Anyway, I agree that it's really really odd that there aren't any reports of infected machines by users. If that continues for a few weeks, we'll look for apologetic statements from the anti-virus folks. [...crickets...]

% whois rr.nu
------------------------------------------------------------------------
.NU Domain Ltd Whois service

Domain Name (ASCII): rr.nu

Technical Contact:
  InfoRelay
  abuse@sitelutions.com
  4 Bridge Plaza Drive
  Englishtown NJ 07726
  US
  Phone: (703) 485-4600 (voice)

Record last updated on 2011-Oct-17.
Record expires on 2016-Nov-4.
Record created on 1998-Nov-4.
Record status: Active

Registrar of record: .NU Domain Ltd
Referral URL: http://www.nunames.nu
You hate Apple. You STILL hate Apple. Give it up!
I do know that my iMac didn't "feel right" for about a month. It was losing the ability to respond to mouse clicks and balking at closing some apps and at shutting down.
Since then no problems.
And yes, I did get stupid and allow a flash player update before the trouble started.
Offhand, I'd say I was zombified, but I'm not 100% certain.
Against my better judgment... let me assume you're playing straight with that comment. If so...
True Macbots who come out with silly absolute statements that OS-X is "flawless" or "there can never be a Mac malware" -- things which we know are not true but which they are completely serious about -- are rare on FreeRepublic. We're mostly conservatives, and we're not that easily duped.
But I'll grant that there are a few of them. And you are free to argue with them.
But it makes no sense for you to instead aggravate and antagonize EVERY OTHER Mac user and Apple customer, with your tiresome, obnoxious crap-name-calling. Those are the ones you're supposedly "helping". But believe me, you only make them turn away in disgust at your trolling.
I would like to give you the benefit of the doubt here, but it's a real stretch....
Maybe you can explain why you think obnoxious trolling behavior and name-calling is the best way to state your case for caution and security.
It could be real... I have always tempered my advice with "yet..." I have never said, as for-q-clinton claims, that it was impossible. The Macs have YET to be breached. This may be the first successful attempt. But I am not seeing the real world evidence that there are THAT MANY infected Macs out there.
EVERY exploit used against the Mac at CanSecWest has been a JAVA exploit through Safari. Every single one an exploit that Sun did not know about as well. That is why Apple dropped Java as a default inclusion of the installation more than two years ago for OSX Snow Leopard and Lion. Even before, it was an optional install, one of the reasons I have my doubts about the large numbers they are claiming for the infected Macs. Now, if you want Java, you have to download it as a free app from the OSX App Store! Javascript is OK and is still included.
The easiest method of protection from this exploit is to go into the preferences of Safari, Firefox and any other browser you run and turn off JAVA. Done. Safe. Nobody needs JAVA to run for surfing the Internet.
Then, the only other vulnerable Mac users are those that have automatic updates turned off. They don't get the pushed security updates when they are ready, or the new Trojan definitions that come out every 24 hours or sooner as necessary. But you can't protect the terminally stupid... they took a deliberate step to TURN OFF the updates. Why? I haven't got a clue.
I know I probably do pick fights randomly and often on the Internet; when you are arguing with one macbot, another non-macbot jumps in and catches the brunt of the response.
But that's Internet posting, and I can't deal with everyone 1:1. Plus, when a non-macbot tries to defend against the point I'm making, they are jumping into the fire, and I can't switch mid-stream as I'm making my point.
So yes, most on the Internet debate to the extremes, because that's who they are debating. Everyone else jumping in will catch the arrows.
Ah, would that it were that easy!
Java is required by all the Citrix tools we use everyday at work (and I use from home) -- GoToMeeting, GoToWebinar, GoToMyPC/Mac.
It's also required for talking to the Cisco firewalls, routers, switches, etc. in my networks. And it is worse yet -- the poorly written Cisco code in some of the units requires OLD versions of Java!!! Newer Java versions throw errors on some of the device code.
*SIGH*
Granted, that might be atypical for average home users, but it's not uncommon for tech professionals and business users who rely on communications software like GoToMeeting. A surprising amount of stuff is written with the Java environment in mind.
Doctor Web stated the websites with the malware were out-of-country websites, hard to track down and shut down. I went with their statement. I did not search the ownership of the domain. However, according to international law, hosting is supposed to be in the country of the domain assignment... even if the ownership may be a New Jersey corporation. Wikipedia says that in 2010, Niue, the country NU is assigned to, found that hosting websites was a good revenue source and opened up their domain to the world... and are not too picky about who, or what, they allow. Apparently it is sort of an Internet Domain Switzerland...
Honest answer. I saw that... but he doesn't know and there really is no way, beyond testing, to know. I have not seen his response.
How about it, null and void? Did you test, and were you infected with the Flashback trojan? If so, what version of OSX are you running? What version of Java?