New data shows older OS X versions more susceptible to malware

New data shows older OS X versions more susceptible to malware

Summary: New details about the extent of the Mac-specific Flashback malware epidemic emerged today. The Russian security firm that has been actively investigating infected Macs found older versions of OS X are more vulnerable, and many infected Macs have missed security updates.

SHARE:

Dr. Web, the Russian security company that has been the most prolific source of information on the Flashback malware infestation, published new data today based on its successful interception of infected Macs.

The new blog post methodically breaks down how infected machines communicate with the control servers in the bot network, using data that was gathered on April 13, when the outbreak was at its peak.

According to the new research report, the Trojan horse program running on the infected Mac sends requests to control servers. These requests contain detailed information on the infected system, including the bot version, the OS kernel number, and whether the malware was installed with elevated privileges or as an ordinary user account.

The kern.osrelease value uses the Darwin version number, which might confuse a casual observer looking at the data in the Dr. Web chart. (Darwin kernel 9.8, I plugged the Dr. Web data into a spreadsheet and converted those numbers into the equivalent OS X versions. Here’s how they broke down:

  • 10.5 (Leopard) – 25%
  • 10.6 (Snow Leopard) – 63.4%
  • 10.7 (Lion) – 11.2%

The percentage of infected Macs running Lion, the latest release of OS X, is lower than its share among machines in use. That’s not surprising. This malware spreads through an exploit in Java, which is included in Leopard and Snow Leopard but not in Lion.

It’s also noteworthy that 25% of the infected machines were running Leopard, which is no longer supported by Apple. The owners of those machines cannot get a patch for the vulnerable Java release, nor can they uninstall Java. Their only recourse is to disable the Java plugin in the browser.

Breaking down the data even further, I was alarmed to see how many of the infected Macs are running outdated versions of OS X. Nearly 24% of all infected Macs running Snow Leopard in this sample were at least one version out of date, and more than 10% of those users had skipped three or more major updates.

Similarly, among Lion users, nearly 28% of infected machines had skipped at least one update.

As part of its installation routine, the Flashback malware prompts the user for an administrative password. If the user types in that password, the malware installs in a location with system privileges. If the user doesn’t enter a password, the malicious executable file is saved in the user's home directory and launched with the current user permissions, which is sufficient to perform its malicious tasks.

Dr. Web found that 12% of infected Macs were running with administrator privileges, which means that the malware’s social engineering was effective on 1 in 8 users.

Last week, Symantec researchers confirmed Dr. Web’s report that the number of Flashback infections remained high. In a separate statement today, Kaspersky Lab independentlyconfirmed those findings:

Last week Kaspersky Lab provided an updated number of the Flashfake botnet’s size, which was based on the findings of the company’s sinkhole. The sinkhole showed that the botnet was significantly decreasing in size as the number of unique bots went from 650,748 (as of 6th April) to 30,629 (as of 19th of April).

However, Kaspersky Lab found that its statistics were being affected by a third-party sinkhole, which was limiting the infection counts of unique bots connected to Kaspersky Lab’s sinkhole. The third-party sinkhole, which was registered for research purposes at IP address 74.207.249.7, was causing Flashback connections to hang as it never closes the TCP handshake, in effect preventing Flashback from hitting subsequent domains.

Kaspersky Lab confirms the botnet’s size is larger than previously estimated, and will publish updated research findings on the size of the botnet once its analysis is finished.

Meanwhile, a report this week found a new variant of the Flashback malware in circulation, suggesting that its authors were still actively at work and aiming at vulnerable Macs.

See also:

Topics: Malware, Apple, Browser, Hardware, Open Source, Operating Systems, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

46 comments
Log in or register to join the discussion
  • Err...

    Isn't this the least surprising research since they discovered hitting yourself with rocks can cause injury?

    Correct me if I'm wrong but this would hold for Windows too - right?

    Wow, the more I think about this, the more I realise I don't even need to think about this.

    What's next, newer computers contain less dust than old computers? Fat people have bigger clothes?
    jeremychappell
    • I feel sorry for you

      Seriously.
      Ed Bott
      • So?

        @Ed - It is somehow surprising that as operating systems get old (and stop getting patched) there is more malware?

        Ed, it's simple "low hanging fruit". And utterly obvious.

        Most malware exploits a flaw that's been patched - far easier to write code that uses a known attack vector than discover a new attack vector and exploit that. I know there is a popular view that malware is written by "crack programmers", but it isn't true. Most malware is pretty shoddy, written by programmers looking for an easy way to make money, not a clever one.

        Given all this, the fact that older versions of the OS will have a worse time seems a given.

        But it's worth noting I was talking about the "research" not your writing per se.
        jeremychappell
    • Calling DTS, where are you?

      @jeremychappell
      [i]Err... Isn't this the least surprising research since they discovered hitting yourself with rocks can cause injury?[/i]

      This post is too much of a hoot to deserve a negative score. Bott's rejoinder makes it that much funnier.

      Earth station to DTS ... you're overdue.
      klumper
    • Apple softspot touched? Diddums. Get over it.

      --
      Patanjali
    • The hunt for more customers

      @jeremychappell
      of their useless antivirus software continues.
      Be carful, their software is so bad actually that your Mac will become slower, more unstable and in some cases is the AV software known to destroy essential parts of the OS and your private data.

      In other words, useless AV software may do more harm than any of these alleged threats ever have. :-||
      Mikael_z
    • Double post!

      -
      Mikael_z
    • Agreed completely.

      We are security researchers. Our livelihoods depend on fear. People fearing malware, fearing the unknown. Constantly churning this fear makes us sell more things (speaking engagements, research papers, etc.) So we have a vested interest in creating "The sky is falling" headlines.

      And then there's the AV vendors who see a new and upcoming platform that for the most part sees no need for their software. Why? Because the platform has less attacks. So you see they have a vested interest in perpetuating the myth you need AV on all platforms.

      So, really it's someone pimping their stuff that really is not needed but they need to create FUD for which they have the solution.
      itguy10
  • Flashback was certainly a big deal

    It's just funny to see a Microsoft reporter obsessively write articles about it. Seriously, it seems you write a ton about Windows, Google privacy concerns, and Mac malware (and occasionally about how evil the iBooks EULA is) . The Ed Bott Report is still very much Ed Bott's Microsoft Report. At least Paul Thurrott and Mary Jo Foley provide a bit more of a centrist view. I still read your articles because I am very interested in Windows 8, but seriously, why are you so obsessed with writing about Mac malware?
    Kingw00t
    • Name Changed

      It's now the Ed Bott Report and he's free to follow his interests.
      DannyO_0x98
      • But not his expertise apparently

        Ah well.
        ego.sum.stig
    • Three possibilities as I see it

      @Kingw00t
      [i]I still read your articles because I am very interested in Windows 8, but seriously, why are you so obsessed with writing about Mac malware? [/i]

      1. Maybe: It's slower than usual on the tech news scene overall.
      2. More likely: It's his job to write about tech news, and like other bloggers here, he tries to cover a variety of subjects and platforms beyond his own specialized field. If he didn't, he'd likely starve - or bore himself to death.
      3. Most likely: It's only a thin line that separates help from constructive criticism, but he continues to point out, replete with news updates, that Apple users can no longer cling to the belief that Macs are immune to virii and malware, something many of us have known before this latest attack spelled things out [i]de facto.[/i]
      ---+
      Why some of the Mac faithful continue to grind their teeth over such a transparent reality is beyond me. :|
      ---+
      But sadly, the bigger story is that these things have long gone from mischievous hackers looking for bragging rights, to full criminal enterprises looking for easy pickings by way of extortion. As a class it's too bad these miscreants couldn't be liquidated upon discovery, as this mayhem affects one and all. Look for it to come to your neck of the woods soon enough, if it hasn't already -- REGARDLESS of chosen platform.

      SOLUTION: In the spirit of ol' Ben Franklin, EB tries to show it usually comes >> one ounce at a time.
      klumper
    • He's about the only one on ZDNet talking about Flashback

      Besides Emil.

      The Apple blog guys here are tightlipped - perhaps so that they still get some love from Apple!
      Patanjali
      • That's because everyone else is burying their heads in the sand about it.

        [i]He's about the only one on ZDNet talking about Flashback[/i]

        They're pretending it doesn't exist.
        ye
      • The ostrich factor

        Patanjali: [i]He's about the only one on ZDNet talking about Flashback.[/i]
        Ye: [i]They're pretending it doesn't exist.[/i]

        There's some truth to this. I've noticed it myself.

        [i]The Apple blog guys here are tightlipped - perhaps so that they still get some love from Apple! [/i]

        You have to cut O'Grady a little slack though, as he sticks it to Apple with a fair degree of regularity. The fact that Cupertino regularly sends his inquiries to the kill file speaks volumes. And to his credit, not theirs!
        klumper
      • No beef.

        I have no problem with that either. Flashback was a real problem, and totally Apple's fault (the flaw they used was astonishing old, the fact that Apple had failed to patch it was unforgivable).

        But I don't see how this "research" adds any new information - the results are predictable. This would be no different for Windows. And I'm not talking about Windows XP as the benchmark here - rather Windows 2000 (something long unsupported). This has always been a theme, old versions of the OS stop getting patches (or at least patched with such urgency) but people still run them, they represent "easy meat" for malware. It seems as obvious as night follows day.

        I have systems that don't run the latest versions of the their OS - they don't get connected to the Internet (and hence they don't get used). It just isn't smart.

        This isn't denial. Quite the opposite. Macs don't get "special treatment" here, I'd treat a Mac or a PC the same way; if there aren't patches actively being released then it isn't connected.

        This seems like common sense.
        jeremychappell
    • Is it as humorous as a Linux or Apple writer

      obsessively writing articles about Windows 7 and Windows 8? I only ask this as this site appears to have a few writers that fit that description.
      :|
      Tim Cook
    • What's even funnier.....

      ...is the response from people that one would think [i]should[/i] follow Mac malware issues. Either silence or denial. Somebody's gotta take up the slack.
      Lester Young
  • Older versions of the OS missing security updates?

    Sounds like the Mac ecosystem and the Windows ecosystem are more alike than popular perception might allow. A great many issues I tackle in handling malware issues in my shop often enough arise from that very thing; older XP machines that haven't been updated (and which often enough either have out of date antivirus solution or no antivirus solutions at all in addition.)

    Mr. Bott, I like the way you are scrupulously fair in your reporting here. You make it clear that for the current issues beginning to show on the malware front for OS X that it's "older versions of the operating system" that are often missing one or more updates most at risk.

    On the Mac side of things, what I tend to notice is a lack of that same fairness. In a lot of Mac reporting, they just lump "Windows" into one big pile and make no distinction between the issues facing XP users as opposed to the many fewer issues facing Windows Vista and Win 7 users. (Some of that same Mac attitude often shows up in comments here I note.)
    Romberry
    • Agreed

      While Windows XP rightfully earned a reputation for having horrible security, Windows 7 is the exact opposite of XP in terms of performance and security. Windows 7 has been a joy to use and none of my family or friends have had any issues with security. It's annoying to see so many Mac users still make jokes about security issues in Windows when the last time they used Windows was during the XP days. My primary machine is a MacBook Pro running Lion (with Windows 7 installed via Parallels 7), but I'm not blind to the security issues that are prevalent in computing, whether you use OS X Lion or Windows 7 or something else entirely.
      Kingw00t