According to one security company named Dr. Web there are over 600,000 infected Macs running OSX in the world. About 50% of these are located in the US with about 250 of these located right in Apple’s own home city. The Flashback Trojan first reared its ugly head back in late 2011 when it was found to perform many of the same things to the OSX internal protection system that Apple fans have called Microsoft out for. The Trojan poses as a Flash Player plug in that a compromised site needs to install to show content (or a video). This drive-by style of attack is a very common way to infect systems and in compounded by the way many advertising systems work. On many sites the ads you see are served up by third party servers (like Google ads etc), these servers can be compromised easier than the main server that the website is running on. This makes it fairly simple for the malicious code to be injected into an ad that might be served on multiple web sites. This makes those ad servers an even bigger target as you get more bang for the buck by breaking into one of these.
Once the Flashback Trojan gets downloaded it will ask for the admin password. If a user gives it out, it will install itself onto the system in the Applications Folder. Now before you think that all you have to do is not type in that admin password you will want to know that Flashback has something in store for you there as well; even if you decline to type in the password the malware will install itself, but this time into the user accounts folder. This will actually give it more freedom to operate.
One Flashback is embedded into the system it goes after the built in protections that OSX has. To do this is unloads the XProtectUpdater daemon and then overwrites the files with empty place holders. This means that you cannot update your internal protection system to deal with future threats. To make matters worse, Apple delayed releasing a patch for this until only a couple of days ago. Oracle patched Java for Windows and Linux to prevent this attack vector in February of this year, but Apple only released its patch for this this week. Simply updating the system to protect against this does not remove the Trojan. Fortunately there are methods to remove this infection (as well as ways to tell if you have it).
This incident should stand as a VERY important reminder to people, there is no such thing as a secure OS and every OS out there can be infected with Malware.
Discuss this in our Forum
Thursday, 05 April 2012 12:02
Apple Finally Releases a Patch for the Flashback Trojan After 600,000 Macs are Infected
Written by Sean KalinichReading time is around minutes.
There is nothing like a botnet to remind us all that there is truly no such thing as a “secure” operating system. For years Apple presented the Mac as impervious to viruses and Malware. They had commercials stating “Macs do not get viruses” and continued this mythology despite many Java, Flash and other attacks that existed in the wild. The fact that many of these were centered on pirated software or required user interaction did not deter the myth. Now with Flashback things have gotten very real very quickly.
Latest from Sean Kalinich
- ConnectWise Slash and Grab Flaw Once Again Shows the Value of Input Validation We talk to Huntress About its Impact
- Social Manipulation as a Service – When the Bots on Twitter get their Check marks
- To Release or not to Release a PoC or OST That is the Question
- There was an Important Lesson Learned in the LockBit Takedown and it was Not About Threat Groups
- NetSPI’s Offensive Security Offering Leverages Subject Matter Experts to Enhance Pen Testing
Leave a comment
Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.