For Mac owners, the nightmare scenario finally arrived. A piece of malware called Flashback, which has been in existence and steadily evolving for at least seven months, has infected more than 600,000 Macs worldwide, based on forensic analysis by a Russian antivirus company.
Update 6-Apr 10:50 AM PDT: Researchers at Kaspersky Lab have independently confirmed the research of Dr. Web:
We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.
More than 98% of incoming network packets were most likely sent from Mac OS X hosts.
What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. All they had to do was visit a web page using a Mac that had a current version of Java installed.
Some commenters seem to have missed that point, so let me repeat those details more emphatically. The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.
I’m not surprised.
Last May, I wrote a post titled “Why malware for Macs is on its way,” in which I pointed out evidence that a “tipping point” was near, thanks to the growing popularity of Apple’s software:
A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.
Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.
So now the question is when will that day come? This year? Next year?
We now know the answer.
If you think 600,000 users isn’t a lot, let’s put it in perspective. According to the latest statistics from Net Market Share, there are roughly 13 Windows PCs for every Mac in the world. So an equivalent infection rate in the Windows population would translate to 7.8 million Windows PCs.
And that’s for one strain of one malware attack, launched over a very short period of time.
This won’t be the last, either. Unfortunately, the Mac community is ill-prepared for a sophisticated wave of attacks like these. Here’s why.
These attacks are designed to be quiet. The gang that unleashed Mac Defender last year was anything but quiet. Their business model was based on being very visible and convincing victims to pay for a rogue antivirus product that would remove the malware they had just installed. By being so obvious, they forced a response (and some of them wound up in jail). This gang, by contrast, managed to infect 600,000 machines while barely tripping any alarms.
Macs are not immune. For years Apple owners have been told that Macs don't get viruses, but we know that's not true. And Apple’s casual approach to security updates makes them arguably more vulnerable to this sort of attack than other platforms. Like all operating systems, OS X has its share of vulnerabilities that can be exploited. In that May 2011 post, I looked at a single OS X update, which repaired 23 separate vulnerabilities:
Every one of the vulnerabilities in the April update had existed in OS X for a minimum of 18 months before being patched. Every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction. If an attacker develops a successful exploit of one of those vulnerabilities, your system can be compromised, silently and with deadly effect, if you simply download a document, view a movie or image, or visit a website.
That’s an awfully big window of opportunity. And that pattern is found in other OS X updates.
Third-party software is an ideal vector. The current exploit is triggered by a known flaw in Java, which was installed on every copy of OS X until the release of Lion (OS X 10.7) last summer. The flaw was reported in January and patched by Oracle in February, but the Apple version of Java didn’t get a patch until early April. So for several months, every Mac owner was vulnerable unless they took specific steps to remove or disable Java.
Security expert Brian Krebs points out that this behavior by Apple is sadly typical:
Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.
Similar recent attacks have successfully targeted vulnerabilities in Word on Macs. And there's no reason not to expect attacks against other vulnerabilities in other popular third-party products like Adobe Reader and Skype.
Older Macs are especially vulnerable. According to the latest Net Market Share data, 17% of Macs worldwide are running Leopard (OS X 10.5) and Tiger (OS X 10.4), older versions of OS X that are no longer officially supported. The Java update that blocks this exploit is available for Leopard, but at least one Leopard user I spoke with says it hasn’t been offered to his Mac via Apple Software Update. The last Java update offered to users of these older Mac versions was in June 2011. If you use any version of OS X before Snow Leopard (10.6) and you have Java installed (all versions of OS X before 10.7 include Java by default), you are vulnerable to this exploit and there is no patch available.
And the biggest problem of all, as any Windows security researcher can tell you, is that a large number of PC owners don’t install updates regularly or at all. On Windows PCs, for example, the most commonly found malware in 2010 was installed using an exploit that had been patched years earlier:
Conficker’s means of propagation is a vulnerability in the Windows Server service. This vulnerability was fixed in October 2008 by Security Bulletin MS08-067, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008. (Windows 7 was never affected.) There’s no excuse for that patch not being installed nearly two years later, in 2010.
Mac owners are human beings, just like their counterparts who own PCs. Some nontrivial percentage of them will ignore this and other updates and will be vulnerable to this sort of attack.
Antivirus software alone won’t help. The makers of Windows-based malware know how to build executable packages that change with every installation. These polymorphic viruses frustrate signature-based defenses. Apple added automatic updates to its XProtect lists as a response to Mac Defender last year, and that list has been updated 47 times in the past 11 months. But it’s useless against even a moderately sophisticated attacker.
It looks like the Mac malware industry has moved out of testing and into active deployment. For the bad guys, it's a tremendous untapped market. And all the pieces are now in place for a long-term problem with no easy solutions.