
Mac Flashback trojan

  • 05-04-2012 10:26pm
    #1
    Closed Accounts Posts: 167 ✭✭


    Mac Virus Strikes 600,000 Apple Laptops

    If you thought your Mac was safe from harmful computer viruses, think again.

    Ars Technica reported on April 4 that the "Mac Flashback trojan" has returned with a vengeance in recent weeks, now affecting hundreds of thousands of Apple laptops.

    Ars first reported about the issue on April 2, explaining that anti-virus and computer security firm F-Secure had spotted the virus in action.

    Later, on April 4, the site pointed out that it was Russian IT-security solutions vendor Dr. Web that revealed how widespread the problem has become in a post published on the Dr. Web blog earlier on the same day.

    Dr. Web explained that a system gets infected with the Mac Flashback trojan "after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system." A specific JavaScript code on the site that contains the virus is then used to load a Java applet, which is how the malware makes its way onto a user's computer.

    In response to the problem, Apple released an update on April 3 to patch up the security holes that exist in Java. While all Mac-owners should make sure to update their devices, you can always check to see if your Mac has been infected using your device's Terminal. Directions for this process, as well as for how you can manually disinfect your Mac, have been provided by F-Secure. (You can access the patches via Apple Support, here or here.)

    As of April 4, Dr. Web found that more than half of the 555,000 infected computers were in the United States, nearly 20 percent were in Canada and nearly 13 percent were in the United Kingdom.

    Malware analyst Sorokin Ivan has since shared that the virus has now reached 600,000 devices, tweeting the following, later on in the day on April 4:

    Source: Huffington Post


Comments

  • Registered Users, Registered Users 2 Posts: 1,101 ✭✭✭Rulmeq


    Not a virus, it's a trojan


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    How to check if your Mac is affected:

    Open Terminal and run the following command:
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    You will hopefully get this error message: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist".

    Then run the following command:
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    You will hopefully get this error message: "The domain/default pair of (/Users/YOURUSER/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist".

    If you received those two error messages, then you are unaffected. Otherwise, go here to find out how to remove it. If you aren't comfortable using Terminal, then leave it alone.

    Apple have also released a Java update to close this vulnerability. Check your Software Update.


  • Closed Accounts Posts: 167 ✭✭Oceans12


    Had posted the first post from iPad, just checked the MacBook with the above command, and it shows all clear. According to reports some users in Ireland are affected. When was the Java update released? I remember seeing a Safari update round 30th March but nothing since.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    There were two Java updates. One a few days ago and another yesterday. Although afaik the one yesterday was for something unrelated.


  • Banned (with Prison Access) Posts: 898 ✭✭✭Liameter


    Mac trojan ALLEGEDLY Strikes 600,000 Apple Laptops. (No proof.)

    Note that this trojan affects only Intel processor Macs. G5 and earlier can't be affected. Also, although the trojan theoretically has the ability to collect your data and send it somewhere, the original creators of the trojan are in prison!

    Simplest defence is to set Java to "off" in your browser preferences.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    I just realised I never even installed Java on my MBA. I didn't miss it once. Going to disable it on my MBP now as well.


  • Registered Users, Registered Users 2 Posts: 928 ✭✭✭bertie4evr


    I just realised I never even installed Java on my MBA. I didn't miss it once. Going to disable it on my MBP now as well.

    Doesn't OS X have its own built in version of Java?


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    Yeah, it did, but Apple have abandoned future development of it and stopped preinstalling it since Lion.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    Another Terminal command check for Firefox users:
    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    Once again if you get an error that domain/default pair etc doesn't exist that means you are in the clear.
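
The three Terminal checks from the posts above (Safari, the per-user environment file, Firefox) combined into one script, as an added example that is not part of the thread or of any vendor tool. It assumes `defaults read` exits non-zero with a "does not exist" message when a key is missing, as the posts describe; the script name and the `run` argument are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the three `defaults read` checks
# posted above and classifies each result.

# check_key DOMAIN KEY
#   returns 0 if the key is absent (the error message the posts hope for),
#           1 if the key exists (its value is printed),
#           2 if the result is neither, e.g. `defaults` is not available.
check_key() {
    out=$(defaults read "$1" "$2" 2>&1) && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        printf 'FOUND   %s %s = %s\n' "$1" "$2" "$out"
        return 1
    fi
    case "$out" in
        *"does not exist"*)
            printf 'absent  %s %s\n' "$1" "$2"
            return 0 ;;
    esac
    printf 'UNKNOWN %s %s (exit %s): %s\n' "$1" "$2" "$status" "$out"
    return 2
}

# flashback_check: runs all three checks.
#   returns 0 when every key is absent, 1 when any key exists,
#           2 when no key was found but at least one check was inconclusive.
flashback_check() {
    worst=0
    for pair in \
        "/Applications/Safari.app/Contents/Info LSEnvironment" \
        "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES" \
        "/Applications/Firefox.app/Contents/Info LSEnvironment"
    do
        domain=${pair% *}     # everything before the last space
        key=${pair##* }       # everything after the last space
        check_key "$domain" "$key" && r=0 || r=$?
        if [ "$r" -eq 1 ]; then
            worst=1
        elif [ "$r" -eq 2 ] && [ "$worst" -eq 0 ]; then
            worst=2
        fi
    done
    return "$worst"
}

# Run the checks only when asked to, e.g.  sh flashback_check.sh run
if [ "${1:-}" = "run" ]; then
    flashback_check
    exit $?
fi
```

An exit status of 1 means one of the keys exists and its value deserves a look; 2 means a check could not be interpreted and should be repeated by hand.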


  • Registered Users, Registered Users 2 Posts: 1,101 ✭✭✭Rulmeq


    Macworld have good coverage on it.
    http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html

    I was wrong earlier, apparently even if you don't enter your password it can still install itself, so this appears to be the first genuine OS X virus:
    "The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything."


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    No, technically it's still not a virus. A virus can replicate and spread itself. This can't do that. It's what's called a drive-by download attack. It's malware, possibly a trojan.

    Semantics aside, it's a pretty serious security breach. But it needs to be put in context. Apple announced their intention to ditch Java almost 2 years ago. The main reason they did so was because they couldn't keep up with all the updates. Like the ones patching exploits like this.


  • Registered Users, Registered Users 2 Posts: 1,101 ✭✭✭Rulmeq


    No, technically it's still not a virus. A virus can replicate and spread itself. This can't do that. It's what's called a drive-by download attack. It's malware, possibly a trojan.

    Semantics aside, it's a pretty serious security breach. But it needs to be put in context. Apple announced their intention to ditch Java almost 2 years ago. The main reason they did so was because they couldn't keep up with all the updates. Like the ones patching exploits like this.

    I'd consider that a worm (self replicating). A virus can install itself without human interaction. This comes very close, although it would appear that it has to re-install itself at every restart, so it's not a permanent install, and apparently if you are infected and install the Java update then you will have resolved the issue.

    I'm hoping this is a wakeup call to Apple though, they can't ignore patches to the open source components they are using. There was an unpatched version of Apache and their DNS last year which could have been exploited in a similar manner.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    No, it's definitely not a virus. A virus is self-replicating and can spread to other files. A worm is a type of virus. The main difference between them is that a worm can copy itself to other computers over the network without the user doing anything.

    And ignoring Java patches won't be an issue for Apple from Mountain Lion onward as that responsibility will pass to Oracle. If anything this incident has proved that Apple was correct to drop support for Java.


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    Even if the vulnerability is in Java, it still falls on Apple to fix it; they simply cannot ignore it and say "not our issue".

    Apple were working on this then dropped support, that is not good enough.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    They did fix it. They were just late doing so.

    Apple are responsible in this instance. But in future they won't be. It'll be Oracle's problem.


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    But in future they won't be. It'll be Oracle's problem.

    A flaw in OSX is a flaw in OSX; whether it is ultimately Oracle's fault, that will not be how users see it.

    A lot of Windows flaws are not in MS software but that is how it is perceived by the users. Apple should not just bury their head and take the moral high ground and leave potential holes open.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    It's not a flaw in OS X. It's a Java exploit. Java is developed by Oracle; Apple do the OS X port. You are right that users will hold Apple responsible for it. That's precisely why Apple are dropping support for it. Because they don't want to be responsible for it anymore. And who can blame them? Java is an incredibly insecure platform. But as of 10.7, it doesn't come preinstalled anymore. So if a user chooses to install it they do so at their own risk. Same as if they choose to install Flash.

    Apple haven't taken any moral high ground here. In fact, they haven't commented on this at all. They had already issued a fix for this exploit before most people even knew about it.

    Has anyone here actually found this trojan on their system?


  • Registered Users, Registered Users 2 Posts: 776 ✭✭✭Narcissus


    It's not a flaw in OS X. It's a Java exploit. Java is developed by Oracle; Apple do the OS X port. You are right that users will hold Apple responsible for it. That's precisely why Apple are dropping support for it. Because they don't want to be responsible for it anymore. And who can blame them? Java is an incredibly insecure platform. But as of 10.7, it doesn't come preinstalled anymore. So if a user chooses to install it they do so at their own risk. Same as if they choose to install Flash.

    Apple haven't taken any moral high ground here. In fact, they haven't commented on this at all. They had already issued a fix for this exploit before most people even knew about it.

    Has anyone here actually found this trojan on their system?

    All ok on mine.

    Is it even necessary to have Java installed? What is it used for? only certain web apps?
    I think I installed it to try that gaikai website (which didn't even work when I tried). How do you remove it?


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    I don't know how to uninstall it actually. I think you might have to delete the files manually. Prior to Lion it was basically built-in, so I guess Apple didn't think to include an uninstaller.

    But you can disable the plugin in Safari in Preferences > Security.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    I didn't even realise it wasn't installed with Lion until this trojan drama.


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    600,000 affected and the first real vulnerability for macs should not be brushed aside on a technicality.

    Apple stopped using Oracle's Java release and then stopped making their own release, the blame for this rests solely on them.

    Lion is a great step security wise though.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    Conor, Apple haven't stopped supporting Java. They are still supporting it, hence the reason they issued an update for this. They are simply handing future development over to Oracle because they have difficulty keeping up with all the releases. Their delay in repairing this particular exploit would suggest they were right to do so. Apple can't support a platform as insecure as Java if they are constantly running a release behind.

    I'm not brushing aside the seriousness of this security breach, nor am I apologising for Apple, but this is not as simple as you're trying to make out. Macs are not immune to malware or viruses or Java exploits and never were. This was going to happen sooner or later, it was just a matter of time. However, the fact remains that by handing over development to Oracle and by no longer preinstalling Java, Apple had already taken action some time ago to try and prevent this.

    Do you use Java? Do you have it enabled?


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    Semantics.
    Apple were responsible for updating Java on OSX, this exploit was patched in Oracle's version a while back. That is the issue.

    If Apple worked better with Oracle then this exploit would have been patched along with Windows and Linux (and other platforms) 6 weeks before Apple finally got around to it.

    I use Java yes, I have several versions installed.

    Next time hackers will be quicker to exploit these holes and while it may be that less people have Java installed it is still a big potential hole and one Apple (you know the company who has ridiculous amounts of money to burn) should not just turn away from.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    What should they do then? On one hand you're saying that this is all Apple's fault because they were slow to patch a vulnerability that Oracle patched a couple of months ago, and on the other hand you are saying that they shouldn't turn away from it. Surely if you are concerned about security then it's for the best that Oracle handle the Mac version rather than Apple?

    At the time, I guess it was in Apple's interest to control their own version of Java. Hell, they didn't have a choice. It's not like Sun was going to do it for them. Things have changed since then though. The Mac's marketshare is much larger and Apple don't really need Java anymore.


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    http://www.pcworld.com/businesscenter/article/253299/is_apple_to_blame_for_size_of_mac_botnet.html

    "head in the sand" - This is a company with money to burn, they could have patched this earlier.

    Half supporting Java and half not is not good enough.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    Apple have seen fit to publish a support document about this:
    A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

    Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates.

    Apple is developing software that will detect and remove the Flashback malware.

    In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.
    http://support.apple.com/kb/HT5244


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    http://www.forbes.com/sites/adriankingsleyhughes/2012/04/09/how-apple-is-to-blame-for-the-flashback-malware-outbreak/

    I wish they "saw fit" to fix it earlier, it is not as if they do not have the resources to do so.


  • Registered Users, Registered Users 2 Posts: 6,289 ✭✭✭Talisman


    Back in the infancy of OS X, Steve Jobs proclaimed that it was Apple's goal to make OS X the premiere Java development platform and for a time it was. OS X was the first OS to have Java 1.3.1 available as Sun had worked closely with Apple. On Apple's part it was clearly a marketing ploy as it gave their fledgling OS X platform an audience that OS9 never had - Java support on OS9 was virtually non-existent and OS X needed developers. Once the platform was established Java was no longer a priority. When Apple started to fall behind on the updates to Java on the platform, Sun offered to step in and do the work - Apple refused because it would have meant that Sun engineers would have had input into the OS X code base. Apple only decided to pull Java from their install platform after Oracle's take over of Sun Microsystems was completed in 2010.

    The "Java has more security holes than Flash" argument is simply a cover for the arrogance of Apple - they have consistently been negligent when it comes to patching their software. They have only acted now because they were caught with their pants down - similar to the FinFisher exploit in iTunes which was patched late last year even though it was known about for almost four years. FinFisher was revealed to have been used by the Egyptian government to monitor the activities of dissident groups and Apple acted immediately to issue a patch.

    Surveillance Company Says It Sent Fake iTunes, Flash Updates (November 2011)
    Security Notice (December 2007) - Apple patched OS X but not iTunes.

    As the Apple platform becomes more popular these incidents are only going to increase and Apple need to step up to the challenge.

    0-Day Patch - Exposing Vendors (In)security Performance - An article from 2008 which highlighted the difference between Microsoft and Apple dealing with exploits. At the end of the article there is a graph depicting the number of unpatched vulnerabilities in the period of 2002-2007. Microsoft consistently kept the figure around 20 or less, since 2004 Apple were rarely below 20 and the unpatched vulnerabilities increased massively when the company became focused on the iPhone.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    This is a wake-up call for Apple, no doubt about it. To date they've been able to get away with being somewhat lax about releasing security patches because the Mac hasn't been a target. While I don't think this trojan is the harbinger of the Mac Virus Apocalypse that PC bloggers and AV developers are making it out to be, it certainly suggests that Apple won't be able to get away with putting security issues on the back-burner much longer.

    However, it's also a wake-up call for Mac users who need to be more wary about what they have installed. The fact is Java is a security nightmare. Its cross-platform popularity means it's a target for everything. At the moment it's probably the most exploited software in the world, even surpassing Flash. Security experts have been recommending for a few years now that people disable/uninstall it if they don't need it. If you're going to have Java installed then you need to make sure you update often because otherwise you are putting yourself at risk. This problem isn't going to go away when Oracle take over the OS X implementation, but at least Apple's discontinuation of Java means less people will have it installed.

    While GateKeeper in Mountain Lion won't protect Macs from vulnerabilities like this, at least it shows that Apple are thinking about security.


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    The fact is this was patched long before on other platforms and that meant that 600,000 people were infected by it on OSX.

    If older versions of Safari, Chrome, Firefox, Flash or nearly any other software then there would be a major security flaw too.

    Especially if these flaws were fixed and published months previous giving hackers time to analyze the fix and attack it on OSX.

    The same happens on Windows after Patch Tuesday, except with Apple all the blame lands on them because they were slow to patch this, whereas attack Wednesday is not MS's fault because it targets systems which have not updated software yet.


  • Closed Accounts Posts: 11,001 ✭✭✭✭opinion guy


    According to MacRumors Apple just released a Java update to remove the trojan

    http://www.macrumors.com/2012/04/12/apple-releases-java-update-to-remove-flashback-malware/


  • Closed Accounts Posts: 11,001 ✭✭✭✭opinion guy


    This might seem a stupid question - but how do I know if I need Java or not?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    If you don't have it installed and something you run needs it, you'll get a prompt to install it. You might need it for certain web applications - CRO, some commercial online banking - or some older or cross platform applications or games, like Minecraft.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Downloaded the update there, 66MB. Will disable the automatic execution of applets unless the user overrides the setting, and re-enables the setting if an applet hasn't been run in "a while".


  • Closed Accounts Posts: 11,001 ✭✭✭✭opinion guy


    If you don't have it installed and something you run needs it, you'll get a prompt to install it. You might need it for certain web applications - CRO, some commercial online banking - or some older or cross platform applications or games, like Minecraft.

    Ms Office 2011 ?


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    No, Office is ported to the Mac. It's written in Carbon and Cocoa. You'll generally know a Java app when you see one. They are ugly and they tend to like RAM.

    In fact, it seems this trojan automatically deletes itself if it detects Office on your system. I guess it figures you have enough problems. :D


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    Online meeting/screen sharing tools tend to use Java too. Although I used my Windows development VM with Java installed instead.


  • Closed Accounts Posts: 11,001 ✭✭✭✭opinion guy


    In fact, it seems this trojan automatically deletes itself if it detects Office on your system. I guess it figures you have enough problems. :D

    Hahaha. The 2011 version seems good actually though I haven't used it much yet.

    So I don't think I have any reason to have it but I spotlighted java and I have Java Preferences and Java VM in my Applications folder. I don't recall installing it and it's a new machine


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    Apple have released a patch, late, very late though, after 600,000+ infections and nearly 2 months later than Oracle patched it.

    This is a major major screw up and is 100% Apple's fault.

    Open and Libre Office are probably the 2 most used apps on OSX that need Java to run.


  • Moderators, Category Moderators, Arts Moderators, Entertainment Moderators, Technology & Internet Moderators Posts: 22,693 CMod ✭✭✭✭Sad Professor


    You can use all those Java apps and still have the browser plugin disabled.


  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    Yep. Other people have mentioned browser related things that need Java.

    I am mentioning some of the bigger desktop apps (because that is what I use), that opinion_guy asked for.

    (also several programming related programs but I left them out because if you need them you already know about them)


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,665 CMod ✭✭✭✭The Black Oil


    Downloaded the update there, 66MB. Will disable the automatic execution of applets unless the user overrides the setting, and re-enables the setting if an applet hasn't been run in "a while".

    Downloaded an 80MB update for Java there now. How do disabled applets, if needs be?

    As of yesterday, PDFs no longer display in Safari or Firefox. :confused: Seem to work in Chrome. I cleared the cache in all 3.

    I ran SP's instructions re Terminal on the day he posted them and also yesterday. Nothing was found.

