The extent of the threat to Apple Mac users from the Flashback Trojan is coming into clearer focus, with security software vendor Kaspersky Lab confirming previous reports that more than 600,000 systems have been infected, making it among the largest cases involving the Apple systems.
The Flashback situation has shaken the notion that Macs were relatively safe from security compromises, and security experts, like security software maker F-Secure, are giving users steps to take to protect their Macs from infection.
The Flashback virus first showed up last year as a classic Trojan, looking like an update to Adobe Flash that, when executed, would infect the system. Flashback returned in March as less of a Trojan and more of a drive-by threat. Rather than relying on users to download the malware onto their Macs, the Flashback exploit infects vulnerable systems when a user visits a compromised Website.
Security experts and analysts have said that the threat to Mac users is high because many of them bought into the idea that their Apple systems are essentially invulnerable to attacks, and thus many have not secured the Macs as well as they could have. Mac users have to understand that their systems are open to threats, according to Forrester analysts David Johnson.
Of course, the Mac is vulnerable, Johnson wrote in an April 6 blog post. Every Internet-connected device is vulnerable.
For Mac users, the real question is how to protect the systems. Johnson questioned whether traditional antivirus software is appropriate for Macs, noting what he called an abysmal track record for such approaches on Windows machines. Such software takes a lot of computer resources when scanning the system, and theyre too reactive. He said that in researching management best practices for Macs, hes talked with a number of people running Macs in highly secure environments.
One thing that has emerged from the dozens of conversations I've had with people who actually manage Macs in both large and small firms every day, is that not one of them has any illusions about the potential risks, Johnson wrote. Even so, only a few were using a traditional anti-virus solution for Macs, preferring instead to have effective patching and system backup/recovery capabilities, and user education programs.
Security firms said they began seeing new variants of the Flashback malware in mid-March, and researchers with a Russian firm, Doctor Web, reported last week that through a sinkholing operationwhere they essentially were able to gain control of command and control (C&C) serversthey were able to determine that more than 600,000 Macs worldwide had been infected, with more than half being in the United States and Canada.
That number initially drew skepticism, but in an April 6 post on Kasperkys SecureList blog, security expert Igor Soumenkov said Kaspersky researchers were able to confirm Doctor Webs numbers. Through a similar sinkholing operation, Kaspersky noted that more than 600,000 unique bots connected to a domain the company had set up, and that the Flashback malware used more than 620,000 external IP address.
Kaspersky wasnt able to say whether all the bots coming into its server were running Mac OS X, but that by using passive operating system fingerprinting techniques, researchers were able to get a rough estimation.
More than 98 percent of incoming network packers were most likely sent from Mac OS X hosts, Soumenkov wrote.