New Mac malware epidemic exploits weaknesses in Apple ecosystem

Summary: The nightmare scenario for Mac owners is here. At least 600,000 Macs worldwide have been infected, silently, by the Flashback Trojan, with no user interaction required. Here's why this is just the beginning of a long-term problem.

For Mac owners, the nightmare scenario finally arrived. A piece of malware called Flashback, which has been in existence and steadily evolving for at least seven months, has infected more than 600,000 Macs worldwide, based on forensic analysis by a Russian antivirus company.

Update 6-Apr 10:50 AM PDT: Researchers at Kaspersky Lab have independently confirmed the research of Dr. Web:

We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.

[...]

More than 98% of incoming network packets were most likely sent from Mac OS X hosts.
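A sinkhole count of the kind the Kaspersky note above describes, as an added example that is neither Kaspersky's code nor part of the original article. It parses constructed access-log lines (the log format, the UUIDs, the IP addresses and the prefix-to-country table are all assumptions made up for this example; the real sinkhole logs are not on the page), deduplicates check-ins by the hardware UUID each bot sends, and shows why that figure differs from a count of source IP addresses: one machine may check in from several addresses over a day, and several machines behind one NAT share a single address.

```python
"""Sinkhole log triage: count a botnet by hardware UUID rather than by IP (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample of sinkhole access-log lines (not real Flashback traffic).
# Assumed format: "<client_ip> <timestamp> <method> <path>", with bots passing
# their hardware UUID as a query parameter. The favicon line is a non-bot request.
SAMPLE_LOG = """\
203.0.113.10 06/Apr/2012:08:01:02 GET /index.php?uuid=AAAAAAAA-1111-2222-3333-444444444444
203.0.113.10 06/Apr/2012:08:01:09 GET /index.php?uuid=AAAAAAAA-1111-2222-3333-444444444444
203.0.113.11 06/Apr/2012:09:15:44 GET /index.php?uuid=AAAAAAAA-1111-2222-3333-444444444444
203.0.113.12 06/Apr/2012:09:40:01 GET /index.php?uuid=AAAAAAAA-1111-2222-3333-444444444444
198.51.100.7 06/Apr/2012:10:02:30 GET /index.php?uuid=BBBBBBBB-1111-2222-3333-444444444444
198.51.100.8 06/Apr/2012:10:02:31 GET /index.php?uuid=CCCCCCCC-1111-2222-3333-444444444444
192.0.2.200 06/Apr/2012:11:45:00 GET /index.php?uuid=DDDDDDDD-1111-2222-3333-444444444444
192.0.2.200 06/Apr/2012:11:45:10 GET /index.php?uuid=EEEEEEEE-1111-2222-3333-444444444444
192.0.2.201 06/Apr/2012:12:00:00 GET /favicon.ico
"""

# Constructed stand-in for a GeoIP database (assumption, not real allocation data).
PREFIX_TO_COUNTRY = {"203.0.113.": "US", "198.51.100.": "US", "192.0.2.": "DE"}

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
)
UUID_RE = re.compile(
    r"[?&]uuid=(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
)


def parse_sinkhole_log(text):
    """Yield (ip, uuid) for every request that carries a bot hardware UUID.

    Requests without one (crawlers, favicon fetches, scanners) are dropped so
    they do not inflate the bot count.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = UUID_RE.search(m.group("path"))
        if u:
            yield m.group("ip"), u.group("uuid").upper()


def country_of(ip):
    """Map a source address to a country via the constructed prefix table."""
    for prefix, cc in PREFIX_TO_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def summarize(text):
    """Count the botnet by unique hardware UUID and compare with unique IPs."""
    records = list(parse_sinkhole_log(text))
    first_ip = {}                    # uuid -> first address it checked in from
    ips_per_bot = defaultdict(set)   # uuid -> every address seen for it
    for ip, uuid in records:
        first_ip.setdefault(uuid, ip)
        ips_per_bot[uuid].add(ip)
    # Attribute each bot to the country of its first check-in, not each request,
    # so a chatty bot does not skew the geographic split.
    by_country = Counter(country_of(ip) for ip in first_ip.values())
    return {
        "requests": len(records),
        "unique_bots": len(first_ip),
        "unique_ips": len({ip for ip, _ in records}),
        "bots_on_multiple_ips": sum(1 for s in ips_per_bot.values() if len(s) > 1),
        "by_country": dict(by_country),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the UUID count (5) and the IP count (6) disagree in the same direction as the figures in the note, because bot A roamed across three addresses while D and E sat behind one NAT; dividing the UUID figure by the total, rather than by IP, is what makes the per-country share meaningful.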

What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. All they had to do was visit a web page using a Mac that had a current version of Java installed.

Some commenters seem to have missed that point, so let me repeat those details more emphatically. The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.

I’m not surprised.

Last May, I wrote a post titled “Why malware for Macs is on its way,” in which I pointed out evidence that a “tipping point” was near, thanks to the growing popularity of Apple’s software:

A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.

Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.

So now the question is when will that day come? This year? Next year?

We now know the answer.

If you think 600,000 users isn’t a lot, let’s put it in perspective. According to the latest statistics from Net Market Share, there are roughly 13 Windows PCs for every Mac in the world. So an equivalent infection rate in the Windows population would translate to 7.8 million Windows PCs.

And that’s for one strain of one malware attack, launched over a very short period of time.

This won’t be the last, either. Unfortunately, the Mac community is ill-prepared for a sophisticated wave of attacks like these. Here’s why.

These attacks are designed to be quiet. The gang that unleashed Mac Defender last year was anything but quiet. Their business model was based on being very visible and convincing victims to pay for a rogue antivirus product that would remove the malware they had just installed. By being so obvious, they forced a response (and some of them wound up in jail). This gang, by contrast, managed to infect 600,000 machines while barely tripping any alarms.

Macs are not immune. For years Apple owners have been told that Macs don't get viruses, but we know that's not true. And Apple’s casual approach to security updates makes them arguably more vulnerable to this sort of attack than other platforms. Like all operating systems, OS X has its share of vulnerabilities that can be exploited. In that May 2011 post, I looked at a single OS X update, which repaired 23 separate vulnerabilities:

Every one of the vulnerabilities in the April update had existed in OS X for a minimum of 18 months before being patched. Every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction. If an attacker develops a successful exploit of one of those vulnerabilities, your system can be compromised, silently and with deadly effect, if you simply download a document, view a movie or image, or visit a website.

That’s an awfully big window of opportunity. And that pattern is found in other OS X updates.

Third-party software is an ideal vector. The current exploit is triggered by a known flaw in Java, which was installed on every copy of OS X until the release of Lion (OS X 10.7) last summer. The flaw was reported in January and patched by Oracle in February, but the Apple version of Java didn’t get a patch until early April. So for several months, every Mac owner was vulnerable unless they took specific steps to remove or disable Java.

Security expert Brian Krebs points out that this behavior by Apple is sadly typical:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.

Similar recent attacks have successfully targeted vulnerabilities in Word on Macs. And there's every reason to expect attacks against vulnerabilities in other popular third-party products like Adobe Reader and Skype.

Older Macs are especially vulnerable. According to the latest Net Market Share data, 17% of Macs worldwide are running Leopard (OS X 10.5) and Tiger (OS X 10.4), older versions of OS X that are no longer officially supported. The Java update that blocks this exploit is available for Leopard, but at least one Leopard user I spoke with says it hasn’t been offered to his Mac via Apple Software Update. The last Java update offered to users of these older Mac versions was in June 2011. If you use any version of OS X before Snow Leopard (10.6) and you have Java installed (all versions of OS X before 10.7 include Java by default), you are vulnerable to this exploit and there is no patch available.

And the biggest problem of all, as any Windows security researcher can tell you, is that a large number of PC owners don’t install updates regularly or at all. On Windows PCs, for example, the most commonly found malware in 2010 was installed using an exploit that had been patched years earlier:

Conficker’s means of propagation is a vulnerability in the Windows Server service. This vulnerability was fixed in October 2008 by Security Bulletin MS08-067, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008. (Windows 7 was never affected.) There’s no excuse for that patch not being installed nearly two years later, in 2010.

Mac owners are human beings, just like their counterparts who own PCs. Some nontrivial percentage of them will ignore this and other updates and will be vulnerable to this sort of attack.

Antivirus software alone won’t help. The makers of Windows-based malware know how to build executable packages that change with every installation. These polymorphic viruses frustrate signature-based defenses. Apple added automatic updates to its XProtect lists as a response to Mac Defender last year, and that list has been updated 47 times in the past 11 months. But it’s useless against even a moderately sophisticated attacker.

It looks like the Mac malware industry has moved out of testing and into active deployment. For the bad guys, it's a tremendous untapped market. And all the pieces are now in place for a long-term problem with no easy solutions.

  • Malware...

    ...is not a virus. Keep trying if you want to earn your pay from Microsoft...
    Tony Burzio
    • Now that's a really embarrassing answer.

      It doesn't make any sense. None whatsoever.
      cgdams
      • Yeah, but as an example of a knee-jerk reaction it was funny...

        And didn't it make you feel good to recognize that you haven't been that bonkers about anything since your first crush on a teacher/classmate wayyyyy back in middle school?
        ibsteve2u
    • You're part of the problem

      "Malware is not a virus."

      Wow. Just... wow.

      You represent the problem with the Apple community very well. Because you believe that what IS HAPPENING NOW cannot happen, you are a more likely victim.
      Ed Bott
      • The "problem" doesn't exist

        It's NOT happening now. As a writer, Ed, you need to check your facts before you simply publish some PR company's "advertorial." Show me the infected Macs (that don't have Virus applications, Trojans or other malware on them that only runs on Windows). I'll bet that F-Secure can't show YOU 1,000, let alone 600,000 Macs infected with this Trojan.
        mhollis55
      • Yes, real infections.

        @mhollis55: https://twitter.com/#!/bynkii/status/188083432818089984

        There you go. Five infected Macs in a single location. When a serious sysadmin like the author of that tweet says they're seeing infections, you should take it seriously.
        Ian.Betteridge
      • @mhollis55-the life and times of a Mac Apologist...

        You know, there was a time a few years ago that I was so astounded by the sheer lack of apparent intellectual capacity of many Mac users to simply recognize the blatantly obvious, they made me angry in their overly obstinate refusal to believe that a Mac was anything less than flawless.

        After this episode it's become very clear that for many Mac users the problem is almost pathological and there appears to be no amount of proof or ranting and raving at them that will get them to acknowledge the obvious.

        You would think that anyone, who can at least operate a computer, type, read and every other bit of intellectual capacity required to post here at ZDNet, would realize that some of the things they are writing on their computer screen to post here are out of this world absolutely bizarre. But alas; clearly they do not.

        "Show me the infected Macs"

        What an unbelievable thing to say. No, seriously, that's just wrong.

        It has now got to a point where the best defensive position a Mac apologist can take in the withering spotlight of fact about the vulnerability that exists in Macs is to demand that those who point it out as existing produce the infected computers as proof. And that must be what he means because he simply cannot mean show me the report because the report has been shown.

        http://news.drweb.com/show/?i=2341&lng=en&c=14

        And I say fine, sooner or later if the report is found to be overblown or even dead wrong, then that will come out, but to dismiss it by virtue of the fact that you are a Mac user and cannot bring yourself to believe Macs can be subject to this level of infection is pure insanity. It's a stance without an excuse.

        And to now say, "show me the infected Macs" is quite possibly the saddest defensive argument I have ever seen. Knowing full well neither Ed nor any other human is going to go out and collect up even a dozen such infected computers, never mind the reported 600K, and present them to the apologist is not an argument at all. It's lunatic speak.

        I have no question in my mind of any kind where obstinate maniacal talk of "show me the Macs!" that actually resulted in showing him the Macs would result in a further request of "prove they are infected" which would result in "prove it wasn't done on purpose to make Macs look bad"...it would never end.

        And it would never end because that's the way the mind of the "troubled" works. Everything is a conspiracy or it's simply dead wrong where the facts seem to run counter to that which they feel compelled to believe.

        Apple's greatest invention appears not to be any iGadget. It really appears to be the iBrainwash.
        Cayble
        • Brainwashed?

          Usual mock concern about the dumb, naive, intellectually-challenged mac users. Most mac users are well versed in windows-related malware issues. They came from that platform and are actually bright enough to realise that no OS is invulnerable. Period. However, they are not deluded or brainwashed into thinking that OS X is currently less of a hassle to use - it is, whether you like it or not. If the situation changes, it changes. End users are either au fait with using their machines wisely or they aren't. Common sense isn't platform-specific.
          Aidan Taylor
          • Really - they prove you wrong, every time they post nonsense like Uhn-uh!

            It is interesting to me because the distinctions between Malware, Trojans and Viruses matter little to those who become infected by them. This Trojan gets installed just by visiting a website with no user interaction at all. That is a huge blow to platform users who have been living under the influence of Apple's marketing muscle.

            The idea that most Mac users know about malware having come from Windows is pretty telling. It tells me that many of those migrating to Mac aren't really all that computer savvy. I've been using Windows since DOS/Windows 3.1 and I have been infected by one virus that came in on a DOS game a friend gave me. Come to think of it, it was the first computer virus that ever spread widely.

            I haven't been infected since. I practice safe computing and use software to keep my OS and software patched, I use a good AV suite, OpenDNS to scan my URLs, and don't click on everything that pops up on my screen. Besides, if I was truly looking for another platform, I'd be selecting one that was open and didn't lock me into only buying hardware and increasingly software from a single vendor. I'd be looking at Linux and running it on industry standard hardware from multiple vendors.

            I got over my vendor lock-in days when Commodore went under. That was enough for me, no more single source vendor for the hardware that runs my operating system thank you. I'd rather run a real niche platform OS that hasn't become just as much the man, as Microsoft ever was, if not more so.

            Talk about vertically integrated monopoly - Apple even makes its own CPUs. Can you imagine if Microsoft tried to do that - we'd hear screams of bloody murder that they were an evil monopoly.

            Stop drinking the Koolaid - Macs aren't more secure, they do crash, they aren't better for graphics, aren't better for sound, and they aren't any easier to use than any other mainstream platform today. You just like them better. That's fine, now get over it already and stop acting like a salesman for another greedy corporation that pretends to 'Think Different', while being just like the other guys if not worse.
            Nickoftime-3fb2f
      • Plugin free future...

        It seems both Microsoft and Apple are contemplating a "plugin free future". Apple have this with iOS, Microsoft will with Windows 8 on ARM. This is probably the only thing that's going to "work" long term.

        And Malware isn't a virus - the confusion between the two won't keep users safe. Better to understand that "something nasty" can come from something you install - just relying on A/V software isn't enough.

        No technical solution is going to be a "silver bullet" - users (all users, not just Mac or just Windows) need to realise they probably have the biggest role to play.

        But not using the proper description for 'malware' (virus, trojan etc...) isn't going to promote user comprehension. Without this, users on any platform will be the weak link.
        jeremychappell
      • Mac Malware

        Well said, Ed. In addition to your "blogs" and other such info articles, we need "What to do!"

        Those of us who moved from long-time Windows to Mac are well aware of the possibilities; but, so far, there seems to be little in the way of Mac protection.

        ed
        n781lc
      • How else is Tony gonna' earn his pay

        from Apple unless he produces?

        But seriously, a major weakness is the user themselves - in the sense that when you have college professors and what not advocating their students buy Mac as "they don't get viruses or malware", then you have a group of people ripe for picking in terms of helping these malware writers spread their wares.

        Education is the key.
        William Farrel
      • You're part of the problem

        Well put Ed...I think we all know a Mac user or group of Mac users that think this way and actually bought into those cute little commercials a few years ago where they attacked MS on the security front but at least MS takes initiative and releases patches in a timely manner. Apple has all this money so use it to protect your investment.....YOUR CUSTOMERS!
        Rob.sharp
      • They're a victim of something.

        Every 3~5 years I retake a 'this is your computer' class because the class covers new programs and new ways to do things in old programs. Anyway,

        I retook the class a year ago. Part of the class is a presentation on computing related subjects. The person doing a presentation on Apple stated (paraphrase) 'Unlike windows apples don't get infected because a password is needed to install anything'.

        A year ago. When whatever it was was making the rounds and infecting Macs. The first version needed a password. Not so in later versions?

        What it is is someone told them Macs are secure which sates their thirst for the feeling of safety, false as that feeling of safety may be.

        Once someone believes something, especially if it's something they want to believe, it's near impossible to tell them anything else. It's just how humans are wired.

        For ... I don't want to call them 'fan boys' because of the pejorative nature of the phrase ... it takes something cataclysmic for people to change their beliefs, and for these people to realize they're really no safer than Windows users, and the same can be applied to Linux, it's going to take more than a 'program' that sits in the background harvesting data. It's going to take code that wipes out their machines.

        But there is no profit in wiping out machines so that code will probably not be written or deployed.

        rmhesche
      • Complacent no more

        Yes, I used to be part of the problem, smug in my assertion that Macs don't get infected (at least not OSX.)
        However, recently I'm sure that something evil this way comes.
        Just this morning every move on this Mac came with the spinning beach ball. Firefox would not quit, kept giving "script will not complete" messages. It took three restarts and a manual fsck -f to get the thing straight again.
        Java has always been a bit problematic, as programmers simply refuse to follow the rules of this "universal" scripting language. Now, it has become the enemy.
        captainanalog
      • Perspective

        Yup here it comes. It's real, it's malware, and it's on a Mac.

        It's also 2012, and after 17 years, Apple's popularity finally warrants enough attention from malware authors to give the time of day. To have been a Mac user for those 17 years meant a level of "protection", such as it is, from malware. It stemmed from being a small target. So, I think as far as you are concerned Ed, we are part of the problem for our complacency. Apparently, we've not been proactive enough within our illusion of safety. Certainly not so much as those battle hardened vets who went through the PC plagues. So this is the price we'll pay I suppose. Was 17 years of trouble free use worth a slap from Ed Bott in 2012?

        Here's a clue. The answer is yes. I for one, hardly felt it. Billions of dollars in lost revenue stemmed from PC viruses and malware. Much can be directly attributed to a monopoly OS that sneered at security for years. An OS that you advocated Ed. These were troubles that you encouraged folks to involve themselves with. Yet we are the problem?

        What "IS HAPPENING NOW" as you put it, is happening ONLY now. FINALLY now after 17 years. For that period of time, the goal of computer security, to keep users safe, was being delivered by a platform that you snidely dismissed. The best possible results were being delivered to users and being ignored by yourself and the rest of the PC protection racket. What kind of narcotic allows one to be so oblivious of results and so focused on procedure as to be dazed for 17 years? Take some responsibility for what you've been pushing.

        Tell me what difference it makes to non-technical users who enjoyed the peace of mind WHY they enjoyed it. What is so revelatory about your "told ya so's" now? Is it so difficult for even the most complacent user to get up to speed or learn a lesson? Is it not fair to say that the pool of malware is now diluted across 2 successful platforms rather than one, and that this will be a good thing for everyone? Do you think the PC plagues of the last 17 years will return to either platform?

        So thanks for taking the bullet I guess. It wasn't very smart but thanks. Apple users will think of you as they armour up and prepare for another 17 years of productivity. Apple shareholders will think of you as they receive their dividend cheques.
        norgate
        • With a straight face?

          You can actually call Windows a monopoly OS with a straight face when running an OS from a vendor who will not let any other hardware maker install it onto their hardware? Really, Apple is a far worse closed monopoly than Microsoft has ever been. I am not a huge fan of Microsoft, coming from Amiga and loving Linux but I have to say that Apple users take the cake. Every time they open up and try to promote their platform all I hear is nonsense.

          Don't get me started on productivity; the number of workarounds we have to come up with for our Mac labs to function in a standards based environment or even in an Apple only environment is far larger than the ones we have to for our Windows labs. It is like a constant battle to keep our end users working on a platform that is supposed to be easier to use.

          It's funny, it seems like 'Thinking Different" means not doing a lot of thinking at all. Be a sheep and be completely faithful to a single vendor and go out and market for them for free. Sell as much of their product as possible because somehow "Thinking Different" only means something if everyone else starts to do it, oh wait, it's not really "Thinking Different" then is it. It is more of a herd mentality.

          I've been using DOS/Windows->Windows NT for years, had one virus and it was the first one ever to propagate. It's not really hard to keep clean but users aren't really all that smart - regardless of the platform. With Apple you just get to feel smug about it because you pay so much more and it's a status symbol.
          Nickoftime-3fb2f
      • Perhaps it is the behaviors, not the OS?

        >And I say fine, sooner or later if the report is found to be overblown
        >or even dead wrong, then that will come out, but to dismiss it by
        >virtue of the fact that you are a Mac user and cannot bring yourself
        >to believe Macs can be subject to this level of infection is pure
        >insanity. Its a stance without an excuse.

        I think the perspective to have, is that Mac users, perhaps don't visit all the random sites, nor exchange all the "videos", "zips" and other transporting content via email, that PC users have been plagued with as virus and malware transporters.

        Certainly, this one, is just a web transported malware. That means you have to end up at an exploited web site to get it.

        There is a lot to be said for "behavior" on the web. I, for example, have never had/used any antivirus software, and never have had a virus or malware on my computers. I just don't go to random places, and I don't exchange email with people who end up infected. I don't use Microsoft's browser or Email software, or any other of the prime target environments.

        There are lots of ways to avoid being exploited, even when there is something to be exploited. I do use MSE on my PCs now, since it is a very unobtrusive AV. But, I still stay away from random web sites.

        If I need to go to one, I will pull out Opera, or some other non-mainstream browser which I keep configured with options to avoid download and any embedded content.

        The smarter Apple users (as you've indicated you believe that might be, if they are posting here), probably have similar behavioral practices that help them not become infected, and thus they can feel confident enough to say, I don't have any chance of problems on my Mac.
        greggwon@...
      • @norgate...once you were blind...now you can see?

        Dear norgate:

        You have clobbered the living hell out of mhollis55's post. You have single handedly made the outright saddest display of apologist commentary I personally could imagine, and trust me, I have witnessed plenty of it from both Windows users and Mac users alike.

        You literally just said that all should be found to be fine with Apple simply because their lousy sales performance for the last couple decades has kept them under the radar for malware activity and now that the hackers have taken notice they should be forgiven for never really having had any real security in place.

        You really have to make at least some effort to get real. You really do.

        In years gone by countless Windows users have had their heads torn off by Mac apologist users JUST LIKE YOU because they dared to say Macs were getting by against security risks because they had low profile on the web due to low sales. And I mean sometimes the comeback was ridiculously beyond rude. There were literally threatening remarks.

        Now we have to put up with the likes of you who have pushed the ART OF apology to a masterfully perverse level by now insisting that the very situation so many like you denied for years is now what should be accepted as a "JUST FINE REALITY".

        There is really something seriously wrong with people who find it so necessary to grasp at straws to this degree. Beyond suggesting you and all like you go get some help, I'm so fed up with this I'm done.
        Cayble