Wednesday, April 4, 2012

Over half a million Macs infected?

Update 5: The Legacy

I wasn't expecting to update this post again, but this Mac botnet is not going away, suggesting that click-happy Mac users that get infected with trojans are less click-happy when it comes to installing Apple's updates.

As of two days ago, the Flashback botnet is just as large as when I first posted this story on April 4th! I suspect there will be a "learning phase" as Mac users get used to having to patch and remove malware. Part of the problem is likely that users don't realize they are infected. I'm not sure Apple's current approach is going to cut it in the long run. Personally, I think Apple should round up the brain trust like Microsoft did in the early 2000s, and come up with a sustainable solution. A future where most Mac users feel like they need to run antivirus would be sad.

Update 4: The Aftermath

  • We received independent confirmation of the numbers reported by Dr.Web.
  • The numbers I've heard report 2-3% of all Macs are infected, or were infected at the peak.
  • Dr.Web has a tool you can use to see if you are infected. Though it is using HTTP, I'm fairly sure the hardware UUID of your Mac isn't intended to be kept secret.
  • A downloadable App is also available to check for infection.
  • An apparent issue with the original Java patch for Lion resulted in a second patch being released by Apple three days after the first.
  • Sites everywhere are reporting (some almost celebrating) that Apple's reputation as malware-resistant is dead.
  • Common suggestions to ditch Java are unhelpful and unlikely for the average user. It is far too ubiquitous.
  • Unless there is a huge resurgence in infections caused by a variant of Flashback that uses a new vuln/exploit/vector, this will be my last update to this article.

Update 3

Where are we now?
  • Dr.Web claims the number of infected Macs has risen to 600,000, and that a significant number of them (273!) are reporting in from Cupertino.
  • F-Secure has posted instructions for manual removal of the trojan. If you've never done it, manually removing malware is a fun and empowering exercise. Not that I'd recommend getting infected just for an excuse to remove it. Well, maybe on your friend's computer.
  • Mikko Hypponen, F-Secure's Chief Research Officer, has spoken with Dr.Web about their methods, and seems inclined to believe the numbers.
  • I have received messages from people that are infected with the Flashback trojan.
  • I was very careful when opening those messages.
  • Dr.Web and F-Secure detail that the Flashback trojan is sending the Mac's Universally Unique Identifier (UUID) in the payload to the C&C server. This would definitely make it easy to get an accurate count of the number of infected hosts.
  • Mikko also tweeted that the number of infected Macs is now roughly equivalent, in relative terms, to the number of PCs infected at the height of Conficker's reign.

Update 2

Many people seem to think that Dr.Web's statistics came from the current install-base of their anti-virus software, which isn't the case. Dr.Web allegedly used botnet C&C sinkhole tactics, which have been effectively used in the past for the same purpose, and are detailed in this Trend Micro paper.

Update 1

Regardless of whether Dr.Web's results are real or not, I think our main takeaway from this should be that many Mac users have been lured into a false sense of security, and will be, or may already be, in for a rude awakening. Apple's marketing efforts are at least partially responsible for this.

Original Post

Say it isn't so!

Despite what Apple's marketing department would have you believe, Macs are not invulnerable to attacks and malware targeting OS X does exist. Though Macs are popular with security practitioners and hackers, most are well aware the BSD-based operating system isn't a panacea when it comes to security - only less targeted.

Until now, apparently.

If what the Russian security software company, Dr.Web, reports is accurate, a trojan has succeeded in infecting over 550,000 Macs, the majority of which are located in the United States. The trojan, named "Flashback", takes advantage of a vulnerability in Java that was only yesterday addressed in a patch released by Apple.

So far, I haven't seen any other reports numbering the victims of Flashback, but if accurate, such a large infection rate on Macs may change common perception of OS X as "virus-proof" and could result in a spike in Mac anti-virus software sales. However, given that the company reporting these numbers is in the business of selling anti-virus software, I think we need to see their claims corroborated before we get too excited.

It didn't look like an English version of the article was available, so I've included a Google Translate translation below:

"Doctor Web" discovered a botnet of more than 550,000 "Poppies"

April 4, 2012

Experts at "Doctor Web", the Russian IT security developer, conducted a special study that made it possible to evaluate the distribution of the Trojan BackDoor.Flashback, which infects computers running the Mac OS X operating system. The BackDoor.Flashback botnet now comprises more than 550,000 infected workstations, most of which are located in the United States and Canada. This once again refutes the claims of some experts that there is no threat to Mac users.

Infection with the Trojan BackDoor.Flashback.39 is carried out via infected websites and intermediate TDSs (Traffic Direction Systems), which redirect Mac OS X users to a malicious site. The specialists of "Doctor Web" found quite a lot of such pages; they all contain JavaScript that loads a Java applet into the user's browser, which in turn contains the exploit. Among the newly detected malicious sites are, in particular:
According to some sources, at the end of March more than 4 million infected web pages were present in Google search results. In addition, Apple user forums reported cases of infection with the Trojan BackDoor.Flashback.39 when visiting the site dlink.com.
Beginning in February 2012, the attackers used the vulnerabilities CVE-2011-3544 and CVE-2008-5353 to spread the malware, and after March 16 they began to use another exploit (CVE-2012-0507). Apple Inc. released the fix for this vulnerability only on April 3, 2012.
 
The exploit saves an executable file to the hard drive of the infected "poppy", which downloads a payload from a remote control server and subsequently launches it. The specialists of "Doctor Web" found two versions of the Trojan: from approximately April 1, the attackers have used a modified version of BackDoor.Flashback.39. As in previous versions, after it runs, the malicious program checks the hard disk for the following components:
  • /Library/Little Snitch
  • /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
  • /Applications/VirusBarrier X6.app
  • /Applications/iAntiVirus/iAntiVirus.app
  • /Applications/avast!.app
  • /Applications/ClamXav.app
  • /Applications/HTTPScoop.app
  • /Applications/Packet Peeper.app

If none of the specified files is found, the Trojan generates a list of control servers using a particular algorithm, sends a message about its successful installation to a statistics server set up by the hackers, and polls the command centers in turn.

It should be noted that the malware uses a very interesting mechanism for generating the addresses of its control servers, which allows the load to be dynamically redistributed between them when necessary by switching from one command center to another. After receiving a response from a control server, BackDoor.Flashback.39 verifies the RSA signature of the message sent by the command center and, if the check succeeds, downloads and runs the payload on the infected machine; the payload can be any executable file specified in the directive received by the Trojan.

Each bot sends a unique identifier for the infected computer to the control server in the query string. Using the sinkhole method, the specialists of "Doctor Web" were able to redirect the botnet's traffic to their own servers, thereby counting the infected hosts.

As of April 4, the botnet comprises more than 550,000 infected computers running the Mac OS X operating system, and this is only the part of the botnet that uses this particular modification of the Trojan BackDoor.Flashback. Most of the infections are in the United States (56.6%, or 303,449 infected hosts); Canada is in second place (19.8%, or 106,379 infected computers), the United Kingdom third (12.8%, or 68,577 cases of infection), and Australia fourth with 6.1% (32,527 infected hosts).

To protect their computers from infection by the Trojan BackDoor.Flashback.39, the specialists of "Doctor Web" recommend that Mac OS X users download and install the security update offered by Apple: support.apple.com/kb/HT5228.
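As an added illustration of the sinkhole-based counting described in the Dr.Web article above and in Update 3 (this is not code from the original post or from Dr.Web): a small parser that takes constructed sinkhole access-log lines, pulls each bot's UUID out of the query string, and counts distinct hosts by identifier rather than by source IP, which is what makes the count robust to NAT and to repeat check-ins. The Apache-style log format, the `id` parameter name and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sinkhole access-log sample (Apache combined-style); not real Dr.Web data.
# The query parameter name "id" is an assumption standing in for whatever the bot used.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Apr/2012:10:01:02 +0000] "GET /scripts/?id=6B1F0C2A-1E31-4F2B-9A0C-000000000001 HTTP/1.1" 200 17
203.0.113.10 - - [04/Apr/2012:10:31:07 +0000] "GET /scripts/?id=6B1F0C2A-1E31-4F2B-9A0C-000000000001 HTTP/1.1" 200 17
198.51.100.7 - - [04/Apr/2012:10:02:44 +0000] "GET /scripts/?id=6B1F0C2A-1E31-4F2B-9A0C-000000000002 HTTP/1.1" 200 17
198.51.100.7 - - [04/Apr/2012:11:15:00 +0000] "GET /scripts/?id=6b1f0c2a-1e31-4f2b-9a0c-000000000003 HTTP/1.1" 200 17
192.0.2.55 - - [04/Apr/2012:11:20:31 +0000] "GET /robots.txt HTTP/1.1" 404 0
192.0.2.55 - - [04/Apr/2012:11:20:32 +0000] "GET /scripts/?id=not-a-uuid HTTP/1.1" 200 17
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)')
UUID_RE = re.compile(r'^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$', re.I)


def extract_uuid(path, param="id"):
    """Return the normalised bot identifier from the query string, or None if missing/malformed."""
    values = parse_qs(urlparse(path).query).get(param, [])
    if len(values) != 1 or not UUID_RE.match(values[0]):
        return None
    return values[0].upper()


def count_infected_hosts(log_text):
    """Count distinct bots by identifier rather than by source IP.

    Returns (checkins_per_uuid, uuids_per_source_ip, rejected_line_count).
    """
    checkins = {}   # uuid -> number of check-ins (repeat polls from one host)
    per_ip = {}     # source ip -> set of uuids (NAT can hide several hosts behind one IP)
    rejected = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        uuid = extract_uuid(m.group("path")) if m else None
        if uuid is None:
            rejected += 1          # unrelated requests, scanners, malformed identifiers
            continue
        checkins[uuid] = checkins.get(uuid, 0) + 1
        per_ip.setdefault(m.group("ip"), set()).add(uuid)
    return checkins, per_ip, rejected


if __name__ == "__main__":
    checkins, per_ip, rejected = count_infected_hosts(SAMPLE_LOG)
    print(f"{len(checkins)} infected hosts from {len(per_ip)} source IPs; {rejected} lines ignored")
```

On the sample, the three distinct UUIDs come from only two source IPs, which is exactly the gap between an IP-based and an identifier-based count.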

4 comments:

  1. Adrian,

    Before I purchased my Mac, I followed the hype that Mac systems don't really need antivirus software.

    Although this can't be false hype, since I heard that a lot of Mac owners got their systems infected, I was in doubt.

    John.