Officials with security software company Intego said in an April 3 blog post that they found samples of the new Flashback Trojan on March 23. Like the previous version discovered last year, the new malware exploits two Java vulnerabilities, one of which Apple patched on April 3. The malware attacks Macs running the Mac OS X operating system.
Bloggers from Russian security company Doctor Web said in a post April 4 that the new Flashback variant had compromised up to 550,000 Mac computers, more than 300,000 of which were in the United States and more than 106,000 in Canada. Later in the day, Ivan Sorokin, an analyst with Doctor Web, said in a Twitter update that the number of Macs infected by the Trojan had jumped to more than 600,000.
In addition, Sorokin noted that 274 of the infected Macs were found in Cupertino, Calif., where Apple keeps its headquarters.
Doctor Web officials said in their blog that they redirected some of the botnet's traffic to their own servers, an operation known as sinkholing, which let them count the infected hosts that checked in.
The number of variants seems to be growing. Intego officials said they have been finding new samples and variants of the malware almost daily since March 23, and those samples are not all the same as those that other security companies are reporting they have found. The latest variant that Intego has is called Flashback.R.
In any case, the safest thing users can do is turn off Java in their Web browser, Intego said in its blog post. In Safari, choose Safari > Preferences, click Security, and uncheck Enable Java so that no Java applet can run. Other browsers have an equivalent setting in their security preferences.
Security software vendor F-Secure began talking about the new Flashback variants April 2, with a blogger saying that company officials have been anticipating something like this for a while now.
It appears that the Flashback gang is keeping up with the latest in exploit kit development, the blogger said, noting that a report by another security blogger the week before said the latest Flashback variant had been incorporated into the Blackhole exploit kit. And that’s not all. Though it is unconfirmed, there are rumors of yet another available exploit for an as-yet unpatched critical flaw in Java on sale. So if you haven’t already disabled your Java client, please do so before this thing really becomes an outbreak.
F-Secure couldn't say whether an outbreak has actually occurred. On Twitter April 4, Mikko Hypponen, the company's chief research officer, said he couldn't confirm Doctor Web's number of more than 600,000 infected Macs, saying, "We don't have good stats on Mac malware."
The Russian company said cyber-criminals began exploiting two vulnerabilities in February, then switched to another after March 16. That last vulnerability was closed by Apple's patch April 3.
The exploit saves an executable file onto the hard drive of the infected Mac, Doctor Web said. That file is used to download a malicious payload from a remote server and launch it. Doctor Web found two versions of the Trojan horse; attackers started using a modified version of Backdoor.Flashback.39 around April 1.
Like older versions, the latest variant first searches the hard drive of the infected Mac for particular components. If those files are not found, the Trojan uses a special routine to generate a list of control servers, sends an installation-success notification to the intruders' statistics server, and then sends consecutive queries to the control server addresses on its list.
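The sinkhole count Doctor Web reported and the control-server list the Trojan generates rest on the same property: when the list comes from a predictable routine (for instance one seeded by the calendar day), a defender who knows the routine can register a name the bots will try and count whoever shows up. The Python below is an added example written for this page; it is not Doctor Web's tooling and not Flashback's actual routine. The generator, its seed, the beacon URL format (`/?uid=...`) and the log lines are all constructed for illustration. The point it makes is that a sinkhole should count per-host identifiers, not source IPs: several bots behind one NAT share an address, and one bot that moves networks shows up from several.

```python
import hashlib
import re

# Hypothetical DGA parameters, constructed for this example (not Flashback's).
SEED = b"example-dga-seed"
TLDS = ("com", "net", "org")


def generate_c2_domains(day_iso, count=5):
    """Hypothetical date-seeded domain generator.

    day_iso is a "YYYY-MM-DD" string. A bot and a defender who both know
    SEED and the day derive the same candidate list, which is what lets a
    researcher register one of the names ahead of the bot herder and
    sinkhole the traffic.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).hexdigest()
        names.append("%s.%s" % (digest[:12], TLDS[i % len(TLDS)]))
    return names


# Constructed sinkhole log format: "<timestamp> <src_ip> <host> /?uid=<hex id>"
# The uid stands in for the per-host identifier carried in the beacon.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /\?uid=([0-9a-f]+)$")


def parse_beacon(line):
    """Return a dict for a well-formed beacon line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, host, uid = m.groups()
    return {"ts": ts, "src_ip": src_ip, "host": host, "uid": uid}


def count_infected_hosts(lines, sinkholed):
    """Count bots seen beaconing to sinkholed domains.

    Returns (distinct_uids, distinct_ips). The uid count is the better
    estimate of infected machines; the ip count is what a naive sinkhole
    would report. Hits on domains we did not sinkhole are ignored, as are
    lines that do not parse (scanners, researchers, noise).
    """
    uids, ips = set(), set()
    for line in lines:
        rec = parse_beacon(line)
        if rec is None or rec["host"] not in sinkholed:
            continue
        uids.add(rec["uid"])
        ips.add(rec["src_ip"])
    return len(uids), len(ips)


# Constructed sample data: the defender sinkholes the first name for 2012-04-04.
DAY = "2012-04-04"
SINK = generate_c2_domains(DAY)[0]
SINKHOLED = {SINK}

SAMPLE_LOG = [
    "2012-04-04T10:00:01Z 203.0.113.5 %s /?uid=1a2b" % SINK,   # bot A
    "2012-04-04T10:00:07Z 203.0.113.5 %s /?uid=3c4d" % SINK,   # bot B, same NAT as A
    "2012-04-04T10:05:30Z 198.51.100.7 %s /?uid=1a2b" % SINK,  # bot A again, new address
    "2012-04-04T10:06:12Z 203.0.113.5 %s /?uid=7e8f" % SINK,   # bot C, same NAT as A
    "2012-04-04T10:07:00Z 198.51.100.9 not-a-c2.example /?uid=9a9a",  # not our sinkhole
    "this line is not a beacon at all",                               # malformed
]

if __name__ == "__main__":
    n_uids, n_ips = count_infected_hosts(SAMPLE_LOG, SINKHOLED)
    print("sinkholed domain:", SINK)
    print("distinct bots by uid:", n_uids, " distinct source IPs:", n_ips)
```

On the constructed log the uid count is 3 and the source-IP count is 2; a real sinkhole would also want to de-duplicate over time, since bots retry, and to exclude its own scanners and other researchers hitting the same domain.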
Security experts have seen a growing number of Mac malware incidents since last year, including the Tsunami Trojan and the Revir/Imuler Trojan. The Flashback malware, so named because it masquerades as an update to Adobe Flash or as a Flash Player installer, was first detected in September 2011.
Macs for a long time were thought to be particularly resistant to malware attacks. However, researchers late last year warned that future attacks were inevitable.
“If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying,” Graham Cluley, a senior technology consultant at Sophos, said in a blog post in October 2011, predicting more malware targeting “poorly defended Mac computers.”
Mike Geide, senior security researcher at Zscaler ThreatLabZ, agreed.
“This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats,” Geide said in an email. “And the need to follow best security practices, such as remaining current with patches, is ubiquitous — it doesn’t matter if you’re using Windows, Mac, or even [a] mobile phone.”