600,000 Macs infected with Flashback trojan, 274 in Cupertino; how to check your Mac

“Russian security firm Dr Web warns that at least 600,000 Macs are infected and part of a growing botnet,” Ed Oswald reports for ExtremeTech. “76% of these Macs are located in the US and Canada, with another 13% in the UK.”

“Possibly more embarrassing for Apple is the fact that 274 infected computers are located in Cupertino, California, which may indicate Macs belonging to Apple employees or even on the company’s campus might be infected,” Oswald reports. “Mac users are advised to ensure their Macs are up-to-date to prevent infection, and some four million compromised web pages are believed to exist, including portions of DLink’s website, Dr Web claims.”

Oswald reports, “The Flashback Trojan is the culprit here, but is nothing new. The Trojan first appeared disguised as a Flash installer last September, and disabled Mac OS X’s built in malware protections. This version makes its way into Macs through a Java vulnerability, and is loaded onto unpatched Macs without interaction from the user.”

MacDailyNews Note: Apple on Tuesday released Java for OS X 2012-001. It is available via Software Update and also via standalone installers for Mac OS X 10.6 Snow Leopard (more info here) and OS X 10.7 Lion (more info here).

Read more in the full article here.

To check your Mac, follow F-Secure’s instructions here; on a clean Mac the check reports that the entry “does not exist”.
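As an added example for the check above (my script, not F-Secure’s, Apple’s or this site’s): F-Secure’s method is two "defaults read" commands, one for the LSEnvironment key in Safari’s Info.plist and one for DYLD_INSERT_LIBRARIES in the user’s ~/.MacOSX/environment, and a clean Mac answers each with a line ending in “does not exist”. The script wraps those two commands and also compares the first line of "java -version" against 1.6.0_31, the Java SE 6 build that Java for OS X 2012-001 installs; that version check is my addition, not part of F-Secure’s instructions. Function names and the clean/SUSPECT/REVIEW wording are mine; the two classifying helpers take command output as text so they can be exercised on any system, while the live checks need a Mac.

```shell
#!/bin/sh
# Added example (not F-Secure's, Apple's or MacDailyNews' script). It wraps
# the F-Secure Flashback checks, which `defaults read` two keys that the
# drive-by variant sets to inject its library, and adds a Java version
# check against the build Apple's Java for OS X 2012-001 installs.
# `defaults` and Apple's Java only exist on a Mac, so the helpers below take
# command output as text and can be exercised anywhere.

# Return 0 (clean) when `defaults read` reported the key absent, 1 when any
# value came back. `defaults` prints its "The domain/default pair of (...)
# does not exist" message on stderr, so callers must capture with 2>&1.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Return 0 when the first line of `java -version` reports Apple's Java SE 6
# at update number >= $2. Java for OS X 2012-001 installs 1.6.0_31, so the
# caller passes 31. Anything that is not a 1.6.0_NN string returns 1 so an
# unexpected runtime is reviewed rather than silently accepted.
java_update_ok() {
    ver=${1#*\"}          # strip through the opening quote
    ver=${ver%%\"*}       # strip from the closing quote onward
    case "$ver" in
        1.6.0_*) upd=${ver#1.6.0_}; upd=${upd%%[!0-9]*} ;;
        *)       return 1 ;;
    esac
    [ -n "$upd" ] && [ "$upd" -ge "$2" ]
}

# One defaults check with a verdict. $1 = plist path or domain, $2 = key.
check_key() {
    out=$(defaults read "$1" "$2" 2>&1)
    if classify_defaults_output "$out"; then
        echo "clean:   $2 not set in $1"
    else
        echo "SUSPECT: $2 is set in $1 -> $out"
    fi
}

# The live checks; only meaningful on macOS.
flashback_check() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: run this on a Mac"
        return 2
    fi
    check_key /Applications/Safari.app/Contents/Info LSEnvironment
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    jv=$(java -version 2>&1 | head -n 1)
    if java_update_ok "$jv" 31; then
        echo "clean:   $jv (Java for OS X 2012-001 or later)"
    else
        echo "REVIEW:  $jv is not Apple Java SE 6 1.6.0_31 or later; run Software Update"
    fi
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    flashback_check
fi
```

Save it as, say, flashback_check.sh and run "sh flashback_check.sh run" in Terminal; sourcing it without the argument only defines the functions. A SUSPECT line means the key holds a value, which on a machine nobody has deliberately configured that way is the indicator F-Secure describes; follow their removal instructions rather than deleting files by hand, and a REVIEW line on Java simply means Software Update has not yet delivered the patched runtime.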

Related articles:
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Warning: Flashback Trojan horse spreading; Mac users should be wary of Flash installers – September 28, 2011
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011

124 Comments

  1. Is it OK just to disable Java in Safari preferences, or should you also disable JavaScript? If I disable JavaScript, some elements of websites I visit regularly do not function.

  2. My machines are clean too but this raises concerns I didn’t pay much attention to with past similar reports. In the past it’s always been about knowing better than to run as an Admin and not giving your password when something wants to install.

    “This version makes its way into Macs through a Java vulnerability, and is loaded onto unpatched Macs without interaction from the user.”

    Okay, it’s only one, but geez, this is so Windoze-like. To me, that’s the real story here. “Nothing to see here, move along”? I don’t think so. Do we have to start running resource-draining protection software now?

  3. I hope Apple finds a way to get Flash and Java off the Mac platform. Both are buggy resource hogs that are potential vectors for hackers to invade your system. Best to purge them entirely for the sake of the user.

  4. I’m clean. In a related topic, did anyone read how relatively easy it is to remove this thing? It’s just a matter of locating the files and deleting them. Not in the same class as Windows malware at all.

    ——RM

  5. NOTE: The Flashback Trojan horse has 14 versions, according to Intego. The F-Secure method of checking for infection ONLY checks for ONE of those versions, the most dangerous version that uses a Drive-By web infection method not requiring your Admin password.

    If you or one of your users is a beginner, newbie or ‘LUSER’ user, it is well worth using the free ClamXav app to check for ALL versions of the Flashback Trojan. You can read about and download ClamXav at the link below. I’m part of a team that works to keep the source ClamAV project up-to-date with current Mac malware.

    ClamXav Website

  6. Thanks, first time to go there! It was easy, just like you said. Apple was no help and I am not happy about that, because everything I own is Apple. Thank you again.

  7. You guys are a bunch of holocaust/Mac malware deniers. It is security through obscurity, plain and simple. Don’t keep listening to Derek Currie, “the computer store worker”, whose main line is “FUD, it is all FUD”. With more popularity of Apple will come more malware. It will be on a progressive scale and not a linear one.

    You can keep saying “FUD” but the malware will keep coming. If the malware writer wanted to infect more Macs he just should have laid the code into an iframe in every third-party ad server with a load timer that serves up the Mac community, and we would have seen a million-plus infections easily. The pros have not even lifted a finger yet. This is only one of many to come.

    You don’t think the Russian Business Network and China’s Red Dawn malware writers are watching this easy Pwnage of Macs?

    1. You are an idiot or a liar.
      There were a handful of viruses for the Mac back during the pre-OS X days. Are you seriously claiming that Macs are MORE obscure now than they were then?
      Malware writers HAVE been targeting the Mac all along. But it is just so much harder to create successful malware for a platform that is, gee, I dunno… SECURE.
      Flashback has shown that Macs are not invulnerable. But the scope and degree of the threat is microscopic next to the security train wreck that is Windows.

  8. The Russian Business Network and China’s Red Dawn were not around then. Let’s talk today’s reality. Let’s talk the last two years. Not 30 years ago with OS 8 and script kiddies.
    Macs have, for the most part, only recently become of “value” to code malware for, in the past two years, and the value of pwning them is only going up as their numbers increase.

    I know all my Windows only friends are going Mac after owning an iPhone and iPad. The numbers of people owning Macs has come to the point that writing and distributing malware for organized crime is profitable.

    Yea, but look at the holocaust/Mac malware deniers. They say, “I am not infected, therefore it is all FUD. Dr. Web is selling FUD.” Hello!!! Dr Web sinkholed the command-and-control servers. They know what the he(( they are talking about, and they know what they are doing.

    Half the people who posted on this thread are total frickin idiots with the way they are talking. Clueless to advanced malware and its delivery system and delivery plan.

    1. Are you mentally incapable of stating factually correct information? I am talking about 12 years ago, a time when the Mac platform was THE choice for graphic designers and the motion picture industry. No value, riiight.
      So in the entire 11 year history of OS X, the total count of malware capable of infecting the platform without user assistance is now ONE.
      And if you ever read anything other than anti-Apple propaganda, you would have noticed that the tech press, especially the Mac-oriented sector of it, is giving this malware major coverage. And they are also pointing out the easy way to identify, remove and guard against the threat WITHOUT needing to spend any money or even install a new program. Contrast that with the state of “security” in the Windows world.

  9. No, 12 years ago Mac malware was a -10 value for organized crime because organized crime as we see it today did not exist.

    Oh, I think I have a handle on how malware is proliferating on the internet. I have about 3000+ hours of security podcasts from AV vendors, analysis vendors, academics, corporate penetration experts, gray hat hackers, and white hats.

    The OS X malware you saw in the past 2 years has been amateur malware: badly written code that doesn’t complete the writer’s roadmap of completion, i.e. amateur. These last Flashback variants had some “pro” skill with a strong, viable roadmap of completion. More will come; organized crime saw just how easy it was on this one.

    Here is another guy who gets it. His name is honeymonster.

    “But obviously they are not happy about this publicity. They used a good number of tricks to try to fly under the radar.

    Obviously these guys know their stuff. They are in it for the money, not publicity.

    Still, this attack is only moderately advanced. It is certainly more sophisticated than a simple trojan as it now infects at drive-by as well. But it is only a taste of what is yet to come.

    Expect them to bring over more tricks from their Windows experience, such as morphing code, blended attacks and a whole suite of exploits.

    With this success rate you can be *certain* that they will be back. Stronger. The smug Apple crowd is in for a rude awakening.

    As I have written before, Apple has a systemic problem where they *do not* control or materially influence the publication of information about vulnerabilities in their stack. The various open source libraries follow their own schedules and Apple will have a hard time reining them in and making them commit to coordinated publication when Apple is ready to patch.

    In effect, *every* time an external project on which OS X depends publicizes a vulnerability (because a patch is available), this is the equivalent of a zero-day vuln in OS X.

    And we know from the Windows experience that only a fraction of 1% of attacks uses attacker-discovered vulns. Attackers now can simply sit back and wait for patches to libxml, apache, java etc.

    They know that OS X will be notoriously late, so they’ll have a window of opportunity practically every time.

    And the best part: The Mac users are shockingly complacent (evidenced in these very talkbacks) and refuse to accept that they can be affected. They are easy targets.”

  10. First off, Derek, I think using Sophos Free for Mac is far superior to ClamXav. Sophos is very, very light on resources and scans in real time. ClamXav is only an on-demand scanner, except when it is set up with its Sentry scanner for downloads and email. With such light resource use, Sophos scans HTTP traffic and all processes.

    Here is a question I asked Chester Wisniewski of Sophos labs..

    http://nakedsecurity.sophos.com/2012/04/07/sscc-87-mac-botnet-global-payments-flash-player-updater
    Ted asks…

    Could this Java vuln be used in a third-party ad server where the Mac community hangs out, i.e. Mac geek sites, and be used in a hidden iframe to install and pwn under the radar? If yes, and if they laid out the attack differently, it looks like they could have pwned millions. Comments please.

    Chester Wisniewski says:
    April 9, 2012 at 9:17 pm

    Unfortunately, yes. Just like any other web vulnerability targeting Windows users the malicious code can be embedded/distributed through any method you can dream up.

  11. This is not Apple’s fault so no need for them to be embarrassed. Adobe should strap up, step up and do something about Flash, like Microsoft did with macro vulnerabilities for many years.
