Over 600,000 Macs infected with Flashback Trojan


Summary: The Flashback Trojan botnet reportedly controls over 600,000 Macs. Thankfully, Apple yesterday released a patch for Java, which the Trojan exploits, so make sure you install it.


Update - Apple developing tool to detect and remove Flashback Trojan

Two months ago, a new variant of the Flashback Trojan started exploiting a security hole in Java to silently infect Mac OS X machines. Apple has since patched Java, but only yesterday. As of today, more than 600,000 Macs are infected with the Flashback Trojan, which steals your user names and passwords for popular websites by monitoring your network traffic.

Russian antivirus company Dr. Web first reported today that 550,000 Macs were being controlled by the growing Mac botnet. Later in the day though, Dr. Web malware analyst Sorokin Ivan announced on Twitter (via Ars Technica) that the number of Macs infected with Flashback had increased to over 600,000:

@mikko, at this moment botnet Flashback over 600k, include 274 bots from Cupertino and special for you Mikko - 285 from Finland

As you can see in the screenshot above, Dr. Web says 56.6 percent of the infected Macs are located in the U.S., 19.8 percent are in Canada, and 12.8 percent are in the U.K.

Flashback was initially discovered in September 2011 masquerading as a fake Adobe Flash Player installer. A month later, a variant that disables Mac OS X antivirus signature updates was spotted in the wild.

In the past few months, Flashback has evolved to exploit Java vulnerabilities. This means it doesn't require any user intervention if Java has not been patched on your Mac: all you have to do is visit a malicious website, and the malware will be automatically downloaded and installed.

Another variant spotted last month asks for administrative privileges, but it does not require them. If you give it permission, it will install itself into the Applications folder, where it silently hooks itself into Firefox and Safari and launches whenever you open one of the two browsers. If you don't give it permission, it will install itself into the user account's folder, where it can run in a more global manner, launching itself whenever any application is launched, but where it can also be more easily detected.
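The two persistence locations described above (a per-browser hook and a user-wide hook that fires for every launched application) are the places a defender should inspect. The following is an added example, not code from the article, F-Secure or Apple. It assumes the hook is implemented through the DYLD_INSERT_LIBRARIES environment variable, which macOS honours either from an application's Info.plist (LSEnvironment key, per-app) or from the user's ~/.MacOSX/environment.plist (applies to every process that user launches); the sample plists it scans are constructed in a temporary directory, and the library paths in them are made up.

```python
"""Scan macOS launch-time injection points for a DYLD_INSERT_LIBRARIES hook.

Added example with constructed sample data. Assumption (not stated on the
page): the hook is an injected library named in DYLD_INSERT_LIBRARIES, set
either per application (Info.plist -> LSEnvironment) or for the whole user
session (~/.MacOSX/environment.plist).
"""
import os
import plistlib
import tempfile

INJECT_VAR = "DYLD_INSERT_LIBRARIES"


def app_info_plist_hooks(info_plist_path):
    """Return the injected library path from an app's Info.plist LSEnvironment,
    or None if there is no DYLD_INSERT_LIBRARIES entry."""
    with open(info_plist_path, "rb") as fh:
        info = plistlib.load(fh)  # plistlib reads both XML and binary plists
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return None
    return env.get(INJECT_VAR)


def user_environment_hooks(env_plist_path):
    """Return the DYLD_INSERT_LIBRARIES value from a user environment.plist,
    or None if the file is absent or has no such key."""
    if not os.path.exists(env_plist_path):
        return None
    with open(env_plist_path, "rb") as fh:
        env = plistlib.load(fh)
    return env.get(INJECT_VAR)


def scan(app_plists, user_env_plist):
    """Collect findings as (location, injected_library) tuples."""
    findings = []
    for path in app_plists:
        lib = app_info_plist_hooks(path)
        if lib:
            findings.append((path, lib))
    lib = user_environment_hooks(user_env_plist)
    if lib:
        findings.append((user_env_plist, lib))
    return findings


def build_sample_tree():
    """Write constructed sample plists to a temp dir: a clean app Info.plist,
    an app Info.plist with an LSEnvironment hook, and a binary user
    environment.plist with a session-wide hook. Library paths are made up."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "Clean.app.Info.plist")
    hooked = os.path.join(root, "Hooked.app.Info.plist")
    user_env = os.path.join(root, "environment.plist")
    with open(clean, "wb") as fh:
        plistlib.dump({"CFBundleName": "Clean"}, fh)
    with open(hooked, "wb") as fh:
        plistlib.dump({"CFBundleName": "Hooked",
                       "LSEnvironment": {INJECT_VAR: "/tmp/.example-hook.so"}}, fh)
    with open(user_env, "wb") as fh:
        plistlib.dump({INJECT_VAR: "/tmp/.example-session-hook.so"}, fh,
                      fmt=plistlib.FMT_BINARY)
    return clean, hooked, user_env


if __name__ == "__main__":
    clean, hooked, user_env = build_sample_tree()
    for location, lib in scan([clean, hooked], user_env):
        print(f"injection hook: {location} -> {lib}")
```

On a real Mac the same functions would be pointed at /Applications/Safari.app/Contents/Info.plist, the Firefox bundle's Contents/Info.plist, and os.path.expanduser("~/.MacOSX/environment.plist"); any DYLD_INSERT_LIBRARIES entry in those files is worth investigating, since legitimate software has little reason to put one there.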

You can grab the new version of Java that patches the security hole in question from Apple here: Java for Mac OS X 10.6 Update 7 and Java for OS X Lion 2012-001. Additionally, F-Secure has instructions on how to remove this malware if you think your Mac may already be infected.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

128 comments
  • No wonder Apple hates java.

    I can just picture the ghost of Jobs ranting about Java (and flash).
    kraterz
    • Ehh...

This isn't necessarily *just* a Java issue. If it was, Oracle could have pushed out a patch/new version. It seems like part of it was an OS issue as well.
      spacespeed@...
      • A New Version Did Get Pushed Out

        A new version of Java did get pushed out, and if you actually have your Java up to date, then you won't get this malware (at least not in this manner; there might be a Trojan version that you could "volunteer" for).
        CFWhitman
  • security patch available within 48 hours

If a security hole is discovered in Linux, you can count on a security patch being available for download within 48 hours, or it will already be available through your distribution's update manager.
    vincecrue
    • Oh yeah?

      Like this one you mean?

      http://www.theregister.co.uk/2010/09/15/linux_kernel_regression_bug/

Linux may have fewer vulnerabilities than OS X (but double that of Windows), but their bug-fixing process is a mess, mostly because Linus Torvalds *refuses* to categorize bugs as security vulnerabilities. The result is that distributions will often *miss* patching their distro because the bug description does not give away the security impact.
      honeymonster
      • Want some stats for actual vulnerabilities?

        I hacked a quick PowerShell script to screen-scrape Secunia.com for vulnerabilities for the 3 OSes: Ubuntu, Windows and OS X. OS X is a single product in secunia whereas Windows and Ubuntu each have multiple versions. By following the advisories all the way down to CVEs from each version and removing duplicates (vulnerabilities frequently affect multiple versions) these are the numbers, by year:

        Year   OS X   Ubuntu   Windows
        2005    155      323        58
        2006    147      308        65
        2007    229      329        49
        2008    273      359        63
        2009    275      481        81
        2010    298      523       119
        2011    202      613       115
        2012     60      181        13

        EDIT:
        Some have complained that the above numbers include all types of vulnerabilities, also the not-so-severe ones. If we filter so that only those with Secunia criticality level of "moderately critical" and above, the numbers look like this:

        Year   OS X   Ubuntu   Windows
        2005    144      195        44
        2006    138      231        48
        2007    215      229        34
        2008    272      254        36
        2009    275      324        65
        2010    295      405        70
        2011    201      390        42
        2012     60      128         7

        I want to point out that these are not *advisories*. Some vendors have a habit of bundling patches into larger updates (Apple and, to a lesser extent, Microsoft), so advisories don't say much. The above numbers are *vulnerabilities*.

        While number of vulnerabilities discovered and patched per year does not give an evaluation of the vendors general security, it *does* give an indication as to how the vendors quality control system works - i.e. how many security bugs the products ship with.

        Note that while OS X and Windows are somewhat comparable in functionality, Ubuntu is typically distributed with much more software for added functionality.

        I want to emphasize that these numbers are for *all* versions of the operating systems combined, i.e. all versions of Ubuntu since 05.04 and Windows XP, Vista, 7. Duplicate CVEs (the same vulnerability frequently exists in multiple versions) have been removed.
        honeymonster
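The counting method the comment describes (follow advisories down to CVE ids, merge all product versions, drop duplicate CVEs, count per year, and optionally keep only "moderately critical" and above) is easy to get wrong if one counts advisories instead. The block below is an added example that is not the commenter's PowerShell script and uses no real Secunia data: the advisories, versions, CVE ids and criticality ratings in it are constructed to show how advisory counts and de-duplicated CVE counts diverge.

```python
"""Distinct CVEs per product and year across several product versions, with an
optional criticality floor. Added example; SAMPLE_ADVISORIES is constructed
data (the CVE ids and ratings are made up), not Secunia's records."""
from collections import defaultdict

# Secunia's five criticality levels, least to most severe.
CRITICALITY = ["not critical", "less critical", "moderately critical",
               "highly critical", "extremely critical"]

# Constructed sample: one advisory may bundle several CVEs, and the same CVE
# is listed again under another version of the same product.
SAMPLE_ADVISORIES = [
    {"product": "OS X", "version": "10.5", "year": 2011,
     "criticality": "highly critical", "cves": ["CVE-2011-0001", "CVE-2011-0002"]},
    {"product": "OS X", "version": "10.6", "year": 2011,
     "criticality": "highly critical", "cves": ["CVE-2011-0001", "CVE-2011-0002"]},
    {"product": "OS X", "version": "10.7", "year": 2011,
     "criticality": "less critical", "cves": ["CVE-2011-0003", "CVE-2011-0004"]},
    {"product": "Windows", "version": "7", "year": 2011,
     "criticality": "moderately critical", "cves": ["CVE-2011-0010"]},
    {"product": "Windows", "version": "XP", "year": 2011,
     "criticality": "moderately critical", "cves": ["CVE-2011-0010", "CVE-2011-0011"]},
    {"product": "Windows", "version": "7", "year": 2012,
     "criticality": "not critical", "cves": ["CVE-2012-0010"]},
]


def count_advisories(advisories):
    """Naive count: advisories per (product, year). Bundling and per-version
    repeats make this a poor measure, which is the comment's point."""
    counts = defaultdict(int)
    for adv in advisories:
        counts[(adv["product"], adv["year"])] += 1
    return dict(counts)


def count_unique_cves(advisories, min_criticality="not critical"):
    """Distinct CVE ids per (product, year), merging every version of the
    product and ignoring advisories rated below min_criticality."""
    threshold = CRITICALITY.index(min_criticality)
    seen = defaultdict(set)
    for adv in advisories:
        if CRITICALITY.index(adv["criticality"]) < threshold:
            continue
        seen[(adv["product"], adv["year"])].update(adv["cves"])
    return {key: len(cves) for key, cves in seen.items()}


def table(counts):
    """Render per-year counts as a plain-text table like the one in the comment."""
    products = sorted({p for p, _ in counts})
    years = sorted({y for _, y in counts})
    lines = ["Year " + " ".join(f"{p:>8}" for p in products)]
    for y in years:
        lines.append(f"{y} " + " ".join(f"{counts.get((p, y), 0):>8}" for p in products))
    return "\n".join(lines)


if __name__ == "__main__":
    print("advisories per product/year:", count_advisories(SAMPLE_ADVISORIES))
    print(table(count_unique_cves(SAMPLE_ADVISORIES)))
    print(table(count_unique_cves(SAMPLE_ADVISORIES, "moderately critical")))
```

With the constructed data, OS X 2011 has three advisories but four distinct CVEs (two of them repeated across versions), and only two remain once the floor is raised to "moderately critical"; the criticality filter is applied per advisory, so a CVE that appears in both a low and a high rated advisory is kept.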
      • What a load of rubbish

        @ honeymonster

        As usual, your posts, which have this superficial veneer of technical merit, replete with convincing factoids and figures, are, when one peeks beneath that veneer, total and complete BS.
        Even Secunia itself, hardly the paragon of accurately displaying stats, disagrees with your tactic of using their data this way. From their site (which you appear to treat with some degree of reverence):
        "it is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products."
        They then go on to state EMPHATICALLY that the data "is not an indication of the individual vendors security, as it is not possible to compare the vendors based on number of vulnerabilities alone".

        Much of the problem stems from how Secunia counts vulnerabilities (a fact your cute little chart conveniently ignores). Secunia themselves outline five levels of vulnerability from not critical to extremely critical, yet Secunia's reports, the ones you cite, toss all the data in together to create meaningless sums that are then used by the misinformed to make meaningless comparisons. Even Secunia warns against this. Perhaps you missed the memo.
        Perhaps more importantly, Secunia's advisory totals reset whenever an OS vendor changes the name of their product. So while Windows has gone through several iterations, from 1.0 to 3.1 to XP to NT to Vista to 7, and soon 8, OSX has remained, at least from Secunia's perspective, OSX. So the totals continue to accumulate, giving the decidedly FALSE impression that Apple as a company does not respond to security and the equally false impression that MS is hyper diligent in comparison.

        Even still, your numbers are completely bogus. In 2010 Secunia issued only 6 ACTUAL advisories, with only one not patched. And that one issue was listed as "not critical", and only exploitable by local users.
        (In 2011, Secunia issues 8 OSX-related vulnerabilities, only one, rated as non-critical, remained unpatched.)
        Windows, on the other hand, had Secunia issue 17 such advisories, and the one left unpatched had a higher level of seriousness.
        Perhaps most important, however, is the methodology Secunia uses. Secunia do NOT do original research to discover vulnerabilities, they go on external reports, often from the vendors themselves, on what flaws have been found, advisories made, and which are patched. As a result, Apple could easily get a near perfect report if they simply ceased issuing patches! No patch = no report = no data for Secunia.
        Of course, this is not going to happen.
        This is of prime significance here, since this is NOT an OSX issue, but one with a third party product, Java. This is VERY telling. If you knew what you were talking about, instead of mindlessly regurgitating numbers to give the illusion of same, you would understand why this is a VERY important distinction in terms of these numbers. Unlike in iOS, where Apple refuses to bundle Flash or Java, in OSX, these plugins are bundled with the OS distro. As such, they also get included in their numbers as posted by Secunia, even though they are NOT part of the actual vendor product. So, for instance, in 2010, 17% of the advisories from Secunia were related to Java.
        Contrast this to Windows 7. None, 0%, of the security advisories related to Java. Same for Flash. Is this because the Windows implementation of these plugins is superior, and bullet proof? You would appear to think so, based on your abuse of the numbers. But in fact, this is due ENTIRELY to the fact that MS does not distribute Java or Flash with the OS, so they don't get dinged with the numbers.

        Again, the numbers as posted by Secunia are deceptive, and can NOT be used for ANY meaningful comparison between OSes, a fact that Secunia openly points out. But still you fell for it, hook, line, and sinker.

        What does that say?
        .DeusExMachina.
      • What does that say?

        It says honeymonster and his sock puppets are out and about finagling with the ratings around here.

        Nobody gets 13+ without boosting himself.
        ScorpioBlack
      • Secunia.com for vulnerabilities for the 3 OSes: Ubuntu, Windows and OS X

        Next time why don't you take a look at what those vulnerabilities actually are, then you will see that those Windows vulnerabilities are for Windows, but those Linux vulnerabilities also include third party applications such as Firefox, Thunderbird, Gimp, Apache, etc... and while you're doing that check to see how many are unpatched for each OS.

        But of course you already knew that didn't you, nice try though.
        Oh and how many accounts did you have to create to thumb yourself up so much?
        guzz46
      • Crappy stats

        @honeymonster: Way to go, including OpenOffice, Firefox and all that which is counted in the OS bug count for the Linux dists including them, while the bug count in Windows and Mac OS X do NOT include browsers, etc...

        In fact, if you'd include the bug count of all the equivalent apps (browsers, games, etc) in Windows and Mac that is included in the Linux bug count, you'd probably be so shocked you'd throw the computer out the window.
        Natanael_L
      • The Reg Rag

        The Reg is notoriously virulently anti-Apple, to the point of being nearly useless as an objective source of information. Although, they also have biting comments for MS as well. They DO like to bite the hand that feeds IT!
        But what you say is true.
        jesandqu
      • Responses

        @deusexmachina

        The point Secunia makes is that number of vulns cannot be the *only* metric, and that you have to make sure that you are reasonably comparing apples to apples (no pun intended). The Secunia disclaimer in no way says that such comparisons are invalid. Indeed, Secunia occasionally produces such statistics themselves.

        Number of vulnerabilities is not the full story of a vendor's security, but they *are* indicative of the security processes the vendor has installed to control quality, such as testing, fuzzing etc. Microsoft follows a strict Security Development Lifecycle process. Apple and Canonical/Linux kernel devs do not. It shows in the numbers.

        I have edited the original post to show another table where only moderately critical and above vulnerabilities are counted. I think you will find that it does not change the picture much for OS X and Windows, but Ubuntu does seem to have been inflated with a lot of less-severe bugs.

        Your comments about versions are just evidence of your reading comprehension. Already in my original post I pointed out how I combined multiple versions of each operating system and removed duplicate CVEs.

        Then you claim the numbers are bogus and go straight into confusing advisories with vulnerabilities. These numbers are *vulnerabilities* not *advisories*. Please learn the difference. Hint: Vulnerabilities are actual bugs with security impact; advisories are how the vendor or security researcher has decided to publicize them. Advisories frequently bundle multiple vulnerabilities.

        Java on Mac is still maintained by Apple. They originally distributed Java with OS X (only breaking this with Lion). They bundle it; they own it. For users of OS X it doesn't really matter whether Apple obtained the code from somewhere else. They're still vulnerable. Windows is distributed with .NET which is roughly equivalent. And it is counted towards Windows.

        Nothing deceptive here.

        @ScorpioBlack

        Still nothing but vitriol and conspiracy theories?

        @guzz46 & @Natanael_L

        Yes, the Ubuntu numbers are somewhat inflated by the fact that more software is distributed with Ubuntu. Still, there is a *lot* of library and kernel bugs in there. Firefox is fair game; Windows and OS X are counted with IE vulns and Safari vulns respectively.
        honeymonster
      • honeymonster

        "Yes, the Ubuntu numbers are somewhat inflated by the fact that more software is distributed with Ubuntu"

        Great, so you admit your stats are inaccurate then, grossly inaccurate in fact, seeing as there are thousands and thousands of third party software in your typical Linux repo.

        Oh and you still didn't check to see how many vulnerabilities were unpatched for each OS (and I know why too)
        So let me do it for you... Ubuntu = 0 unpatched vulnerabilities, windows 7 = 5 unpatched vulnerabilities, the worst being rated as highly critical.
        And some more details on the vulnerability... system access from remote, and the release date for the vulnerability was 2010-10-29, and the solution for it is "Do not open untrusted files."

        A Windows vulnerability that is roughly one and a half years old and is still unpatched, but that's OK because all you have to do is limit yourself from opening untrusted files.

        How is that Swiss cheese security OS working out for you?
        guzz46
      • No conspiracy at all

        [i]Still nothing but vitriol and conspiracy theories?[/i]

        Nope. Just some of us have you pegged, that's all.

        100%
        ScorpioBlack
    • hmmm.

      What I don't get though is this patch has been out since October. Why did it take so long?
      Johnpford
      • Unfortunately it is a systemic problem with OS X

        Apple has opted to assemble its OS X stack from a number of open source products. Each individual product has its own steward - which is typically not Apple.

        When a vulnerability is found in one of these products, the steward will typically try to provide a patch as quick as possible. When the patch is made public, the vulnerability information is also provided, often explicit (description of the problem solved) but it may also be implicit (through reverse engineering). Either way, the vulnerability information is now in the open.

        The problem is that Apple assembles bugs into "updates" and has to perform regression testing before shipping. This inherently introduces a "risk-days" delay - sometimes up to 6 months where users are in high risk because 1) the vuln information is in the open and 2) OS X has not been patched.

        At any one time you can find vulnerabilities in common libraries such as libxslt, libxml etc for which a fix exists but OS X has not been patched yet.

        This is a tough problem for Apple to fix. And if the experience from Windows is anything to go by, it will be a BIG problem going forward.

        Attackers have become lazy in that they don't really discover vulns themselves anymore; they lie waiting for good vulnerabilities to be disclosed, and then they go after the soft targets, i.e. systems which are not patched. That population is dwindling on Windows; the attackers now have a very short window of opportunity after a patch is provided (by Windows Update) until a very large percentage of the install base has been updated.

        But on OS X with the way the stack is assembled, *most* vulnerabilities will be disclosed *weeks* or even months before a patch is ready for OS X users.

        And even in this very attack it is clear that these guys know their trade. They explicitly avoid installing on systems where there are indications that the user/admin may be security aware. They go after soft targets and try to fly under the radar. This is evidence that the OS X platform has now attracted the attention of some seriously bad guys. And they use a tactic (exploiting a known vulnerability) which will create *serious* headaches for OS X users because Apple will have a very difficult time countering it.
        honeymonster
      • @OSS is not the whole answer

        WebKit and CUPS (printer drivers) development is under Apple's command, for example. And yet, bugs in these, even when found by themselves, can take quite a while to fix.

        Most computer security experts think that patches should be pushed out as soon as they've been tested by the developers. Many system admins test security patches on a few computers in their networks first to see if there are problems, then push it to the rest if it works fine.

        Apple wants to minimize the number of updates and wants to push several at once, and they want total control of the user experience, which means they can wait for quite a while before pushing an update for a critical bug, just to make sure the user doesn't notice anything special. Also, they often wait with pushing security patches until real-life exploits show up, as another way to keep the number of updates low.
        Natanael_L
    • Oh?

      Then explain why The Sony Network was down for a few weeks... They run Linux based servers. Also explain why kernel.org was down for several weeks as well - again Linux based servers. And explain if you will The Linux Foundation where the best and brightest Linux users are - and yet that site was down for at least a month. Where was this 48 hour fix for those Linux servers?

      *listens for the sounds of crickets*
      NonFanboy
      • Re: The Linux Foundation volunteered to bring their site down

        > Or where the Linux Foundation volunteered to bring their site down due to a terminal's password being compromised (using a password cracker) over at kernel.org?

        Oh my. You are living in an apologists' dream world. The kernel.org and Linux Foundation websites were *root'ed* for the better part of a *month* without anyone noticing it. The implications were so severe that they had *no choice* than to take the sites down. Spin it as "volunteered" all you want. They were thoroughly and utterly root'ed and embarrassed.

        It is correct that they speculated that a *user's* password had been compromised. But how does one get from a compromised user (Linux contributor) password to having the entire site compromised? A rootkit has been installed, which should not be possible through a user account.

        What kind of operating system allows a site to be root'ed through a user account? Why were 2 entire sites run by *the* most knowledgeable (on Linux) people in the World compromised so thoroughly? And why didn't they notice?
        honeymonster
      • They sure did

        [i]The kernel.org and Linux foundation websites were *root'ed* for the better part of a *month* without anyone noticing it.[/i]

        Correction: The kernel.org site was rooted. The fear was the Linux Foundation was also compromised.

        http://www.itworld.com/it-managementstrategy/202179/linuxcom-linux-foundation-sites-breached

        [i]The implications were so severe that they had *no choice* than to take the sites down.[/i]

        Gee, you are a drama queen, aren't you? I seriously doubt whether you care about that beyond pumping up your masters in Redmond. Right?

        [i]Spin it as "volunteered" all you want. They were thoroughly and utterly root'ed and embarrassed.[/i]

        Yes the kernel.org site was thoroughly and utterly root'ed and embarrassed. As I said, the other sites felt it best that they be brought down.

        [i]It is correct that they speculated that a *user's* password had been compromised. But how does one get from a compromised user (Linux contributor) password to having the entire site compromised?[/i]

        How do you know it was a "user's password"?

        You don't which means you're speculating.

        According to their story, they believe somebody had access to a kernel.org remote terminal and used a password cracker to break an administrators password to get in. The rootkit in question was named Phalanx and involved stealing SSH keys out of the repository. The Linux Foundation assumed their passwords stored at kernel.org were compromised so they voluntarily took their associated sites down as a safety measure. If you have any information the Linux Foundation's servers were attacked directly then please share them with us. I'm sure many folks out there would like to know.

        [i]What kind of operating system allows a site to be root'ed through a user account?[/i]

        Oh various flavors of Windows since the 1990s. That kind.

        [i]Why were 2 entire sites run by *the* most knowledgeable (on Linux) people in the World compromised so thoroughly? And why didn't they notice?[/i]

        I don't know. You're supposed to be the smart guy. Why don't you ask them.
        ScorpioBlack