Mac Flashback Attack Shows Apple's Security Weaknesses

By Jeffrey Burt  |  Posted 2012-04-15

The number of Macs infected with the Flashback malware might be abating, but the damage to Apple's reputation within the security community could take longer to fix.

The company was criticized for being slow to offer the patch to fix the flaws in Java that made the Macs vulnerable, and even slower to offer a tool to detect and remove the Flashback malware once it was learned that the exploit had compromised as many as 600,000 Macs worldwide. In addition, Apple was seen as being uncooperative with experts in the security community, including the small Russian antivirus vendor that first detected the extent of the Flashback infections.

The incident also shook the reputation of Apple products as being relatively invulnerable to malware and other malicious code. And security experts warned that, as the popularity of Apple Internet-connected devices (not only Macs, but also iPads, iPhones and iPods) continues to grow, so will interest from scammers.

"This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats," Mike Geide, senior security researcher at Zscaler ThreatLabZ, said in an email after Apple released a patch to fix the flaw in Java April 3. "And the need to follow best security practices, such as remaining current with patches, is ubiquitous; it doesn't matter if you're using Windows, Mac or even [a] mobile phone."

Apple already has seen a rise in attacks on its systems over the past year, including the Tsunami and Revir/Imuler Trojans and the Mac Defender fake antivirus program.

But it was the large number of Mac infections by the Flashback malware that made it stand out. The 600,000-plus didn't look like much when compared with the millions of Windows PCs that have been hit by malware in the past, but it also came out of a much smaller pool, and represented more than 1 percent of Macs in use worldwide.

"So one in 100 Macs is infected," researchers at Apple security software vendor Intego wrote in an April 7 blog post. "It's clear that we are faced with an unprecedented attack of Mac malware."

The Number of Macs Infected Dropped Precipitously


In an April 11 blog post, officials with security software maker Symantec said that the number of infections worldwide had dropped to 270,000.

The incident also illustrated perceived shortcomings in Apple's response. The flaw itself was not in the Mac hardware, but in Java that users had downloaded onto their Macs. Oracle had patched Windows PCs weeks earlier, but Apple, which doesn't let third parties update Apple systems, didn't send out the patch until April 3, about the same time Doctor Web and, soon after, Kaspersky Lab found that more than 600,000 Macs had become infected.

Flashback was first detected last year, running as a classic Trojan by masquerading as an update to Adobe Flash. However, new variants discovered in March showed it had evolved into a drive-by exploit, infecting the systems of Mac users who surfed to a compromised or malicious Website.

Within days, a host of security software vendors, including Kaspersky, Intego and F-Secure, began rolling out free tools designed to detect and remove the Flashback malware. Meanwhile, Apple officials on April 10 broke their silence, saying their engineers were working on a similar tool, which was released two days later. When F-Secure released its own tool April 11, Chief Research Officer Mikko Hypponen criticized Apple's slow response to Flashback as inadequate.

"Apple has announced that it's working on a fix for the malware, but has given no schedule for it," Hypponen wrote in a post on the company's blog April 11. "Quite surprisingly, Apple hasn't added detection for Flashback, by far the most widespread OS X malware ever, to the built-in Xprotect OS X antivirus tool. Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier)."

Security Professionals Continue to Be Critical of Apple


Other security professionals also faulted Apple. In an April 13 post on Sophos' NakedSecurity blog, Paul Ducklin, the company's head of technology for the Asia-Pacific region, took issue with the lack of information from Apple about its removal tool.

"I'd love to tell you more about the Flashback remover supplied by Apple, but I'm afraid I don't know how," Ducklin wrote. "There's no documentation about it; there's no information about how to run it by hand in the future, or how it works, or what variants of the malware it finds; and, at least on my uninfected 10.6 computer, it didn't give any visual indication that it had run at all. (Three words for Apple about security bulletins: promptness, clarity and openness.)"

Some also suggested Apple needs to learn how to work better with the security community, particularly given that the number of attacks on Apple products is expected to increase. Boris Sharov, Dr. Web's CEO, told Forbes.com that not only did Apple never contact him after he gave them the information he had about the Flashback malware, but that at one point Apple asked a Russian registrar to shut down a domain that Dr. Web had set up and was using in a "sinkhole" operation to monitor the malware and lessen its impact. Sharov said he thought it was an honest mistake, but that it illustrated how Apple needs to improve how it relates to outside security experts.

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," Sharov told Forbes. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."

If the security experts are correct, Apple will have plenty of chances in the future to interact with the security community. In an April 9 post on Kaspersky's SecureList blog, security expert Costin Raiu said cyber-criminals will continue to target Apple systems.

"At the beginning of 2012, we predicted an increase in the number of attacks on Mac OS X which take advantage of zero-day or unpatched vulnerabilities," Raiu wrote. "This is a normal development, which happens on any other platform with enough market share to guarantee a return on investment for virus writers, so Mac OS X fans shouldn't be disappointed because of this. During the next few months, we are probably going to see more attacks of this kind, which focus on exploiting two main things: outdated software and the user's lack of awareness."
