Flashback Trojan: wake-up call for Mac users

The Flashback Trojan assault on 650,000 Macs should make the Apple world sit up and start taking security seriously, says Rik Ferguson
Written by Rik Ferguson, Contributor

Any remaining complacency about security among Mac users should have evaporated with the arrival of the Flashback Trojan, says Rik Ferguson.

The now notorious Flashback Trojan has hopefully, once and for all, exploded the myth that Macs are both more secure and less likely to be targeted by cybercriminals than PCs.

We've seen Mac malware in the past, of course. But both the scale of infections with Flashback and the disappointing response from Apple should be a wake-up call for any enterprise still labouring under the same old misapprehensions about Mac security.

First spotted back in September 2011, the Flashback malware is designed to establish a back door on a compromised machine through which it can install payloads to do things such as steal sensitive data or turn the computer into part of a botnet. The most recent attacks began in mid-March and were so successful that more than 650,000 machines were compromised in countries such as the US, Canada, and the UK.

One of the main reasons why the Trojan was so successful is that it's able to install itself on unprotected Macs without user interaction, in so-called drive-by attacks that only require the user to visit an infected site to become compromised.

Now, Macs are no stranger to malware. We saw the Mac Defender fake-AV outbreak last year, and more recently the Gh0st RAT advanced persistent threat (APT) attacks on pro-Tibetan organisations were uncovered.

However, Flashback has shown us that the criminals are really looking to turn up the heat on Mac users and target the platform with tried and tested techniques that have worked so well for them with the PC.

So why should firms be concerned about Mac security?

  1. Macs are only going to get more popular, thanks in part to the success of the iPhone and iPad, and cybercriminals always follow the money. As the user base grows, the ROI for launching attacks becomes more compelling for the bad guys.
  2. In-built Mac security software is woefully underpowered and built along traditional file-signature update lines. Put simply, it will not stop most threats, including zero-day attacks.
  3. Mac users often credit themselves with being more tech-savvy than PC owners. Whether or not this perception is justified, attacks such as Flashback render the distinction spurious. User intelligence is very often not a factor in drive-by attacks, and besides, intelligent users don't leave their machines unpatched and unprotected.
  4. The advance of consumerisation in enterprise IT, thanks to devices such as the iPhone and iPad, has pulled Macs into the heart of the workplace. Unfortunately, many BYOD policies do not offer the same level of technical support for employee devices and place the burden of securing the machine on the shoulders of the individual. Firms can't carry on with this head-in-the-sand approach.
  5. Apple was widely criticised for its tardiness in rolling out a patch for the known Java vulnerability exploited by the Flashback attacks. In the end, it came six weeks after Microsoft, Adobe and Oracle released their fixes. Cupertino does not release regular bulletins. It does not rate vulnerabilities and doesn't discuss security issues until patches are available. OS X is too popular now to continue with this outdated strategy.

What Mac organisations need to do

Firms need to extend the same protection to all devices — whether Mac or PC, employee or company-owned — that connect to the corporate network and manage them through a single, unified console. Patches must also be applied as soon as they are available.

Perhaps the most important point, though, is to invest in security software that does more than check for known bad files and can prevent users from following links to, or being redirected to, malicious web pages.

Companies today need security that defends against zero-day threats using cloud-based threat-detection technology, which dynamically checks reputation and behaviour as well as known malicious files. Flashback didn't use ground-breakingly new infection techniques or code; it simply worked because too many Macs weren't protected.

Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has more than 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.
