Flashback Malware a Wakeup Call for Mac Users

A big reason for Windows users to consider a move to Mac has been the virtual nonexistence of Mac malware. Computerworld reported the existence of a million different computer viruses at the end of 2008 – but that’s been almost entirely an issue for Windows users.

Now and again, a virus or other malware that could affect Mac users was reported, but these were easily avoided, and none became widespread. Many (probably most) Mac users haven’t bothered with antivirus or other security software and have tended to assume that their chosen platform was invulnerable – an attitude Apple has been happy to encourage.

Distribution of Flashback on Macs around the world

Over half of infected Macs are in the US, followed by Canada and the UK.

However, on April 4, Russian security firm Dr. Web reported that some 600,000 Macs – an estimated 1% of all Macs currently in use – had been infected over the past two months with the BackDoor.Flashback.39 Trojan, malware taking advantage of a known flaw in the Java Web application language.

Because Java is a cross-platform language, Flashback can infect Windows or Linux computers as well as Macs, but the vast majority of infected systems have been running one or another version of Mac OS X.

Mac distribution around the world

Mac popularity worldwide in 2011. Orange is highest concentration, green is lowest.

Early versions of Flashback disguised themselves as browser plugins, such as a faux update to Adobe Flash, and required users to actively install them; more recent versions can install themselves when a user simply visits a malicious or infected website, a so-called drive-by download with no permission needed. Users may not be aware they are now infected while Flashback collects passwords and other personal information and sends it to a remote server.

Apple released a patch for Mac versions of Java last week, but only for Mac users running OS X 10.7 Lion and 10.6 Snow Leopard. Installing this patch will prevent your Mac from getting infected, and the most recent patch will also clean Flashback off infected Lion systems.

Securing Earlier Versions of OS X

No patch is available for Macs running older versions of OS X – users of older OS X versions should consider disabling Java entirely using the Java Preferences application in their Utilities folder (OS X 10.5 Leopard and later).

Disable Java

You can disable Java in the Security tab in Safari’s preferences.

Worth doing (if you’re a Mac user using OS X 10.5 or newer): Browse to GitHub and download the free Flashback Checker app. If it finds your system is infected, it provides a link to instructions to remove Flashback. If your system has been infected, it’s probably worth changing passwords at financial and other services that may have been compromised.

Security company Kaspersky’s Flashback Checker should also work with OS X 10.5 and newer.

Still running OS X 10.4 or older? Ars Technica details a set of steps using the Terminal utility to check whether you’re infected and to remove Flashback if need be.

Prevention Against Future Malware

Also worthwhile: Install antivirus software on your Mac and keep it up to date. Home users may want to check out Sophos Free AntiVirus for Mac. Another free antivirus option is ClamXav, which is based on the open source ClamAV.

OpenDNS, a free alternative to your ISP’s Domain Name Service (DNS), is designed to protect Macs, PCs, Linux boxes, Android devices, etc. from Flashback and other known malware. (Publisher’s note: At Low End Mac headquarters, we have installed Sophos on all of our OS X 10.4 Tiger and newer Macs and also use OpenDNS. This is the first time we have ever installed antivirus software on OS X Macs except for testing purposes.)

Mac (and Windows) users should take updates seriously; in March, malware targeting Tibetan activists was reported that took advantage of a flaw in the Mac version of Microsoft Office that had been patched two-and-a-half years earlier. Apparently enough users had failed to update their software to make this attack worthwhile.

And Mac users, like Windows users, need to think before they click. Last year, Macs were targeted by fake security products, the same sort of “scareware” that has been targeting Windows users for several years.

Apple Deserves Some of the Blame

Apple bears a share of the blame for the extent to which Flashback spread. The Java language is owned by Oracle, which releases updates to it for Windows and Linux. Apple, however, updates the Mac version of Java. Oracle patched the vulnerability targeted by Flashback in February, but Apple didn’t get around to doing the same until April (after the Flashback infections began) – and then only for users of the most recent Mac OS X versions. This gap may explain why a large majority of Flashback infections have been on Macs.

As well, Apple shares in promoting the idea that Macs are inherently secure. The company is slow to release patches for known security holes, releasing Java patches, for example, an average of six months after they’ve been released for other platforms. Prior to releasing a patch, Apple is mum on the potential for infection and fails to inform its customers of steps they might take to protect themselves.

By April 12, security company Symantec reported that the number of affected systems had shrunk by about half to 270,000, perhaps a result of users taking steps to remove the infection and because security companies have been able to neutralize some of the servers that were spreading the malware. I would not be surprised, however, if the malware creators distributed modified versions of Flashback in the future. (A different infestation, called Backdoor.OSX.SabPub.a by Kaspersky and SX/Sabpab-A by Sophos, has already been reported, which takes advantage of the same Java vulnerability; that means that the same Java patches already released will defend against it.)

Mac sales have outpaced Windows PC sales growth for the past 23 consecutive quarters. Apparently the number of Macs has now reached the point where it is worthwhile for malware to be created to attack them. You can expect more – and increasingly sophisticated – Mac-targeting malware.

It’s time for Mac users and Apple to take these threats more seriously.

Follow Alan Zisman on Twitter.

A shorter version of this article appeared originally in Business in Vancouver, April 16, 2012
