A lot of you may be Windows PC users and are used to running various anti-virus and anti-spyware programs on your systems. This is a byproduct of today's Windows environment, where malware attacks and security concerns are something we all must deal with. Windows has traditionally been the operating system that hackers and virus writers target most. However, with the Mac's continually growing popularity, that platform too is becoming a hotspot for such attacks. One recent attack infected so many users, and caught Apple so unprepared, that it has generated headlines all over the tech world. This particular piece of malware (a trojan rather than a true virus, although the press has called it both) goes by the name “Flashback.”
Mac Virus Infects Over 500,000 Users
Flashback works by exploiting a vulnerability in Java for Mac OS X. According to Ars Technica, “Flashback.K, as the latest variant is called, is able to hijack Macs even when users don’t enter an administrative password. Instead, it does this by exploiting a critical Java vulnerability classified as CVE-2012-0507.” Oracle had already patched this vulnerability, but Apple shipped its own build of Java for Mac OS X at the time, and the fix did not reach Mac users until Apple released its own Java update recently. Java was originally developed by Sun Microsystems, which is now part of Oracle.
The trojan sometimes goes by the name “BackDoor.Flashback.” Users typically get infected by visiting certain websites, where the trojan installs itself through the Java exploit. The trojan then saves an executable file on the Mac's hard drive, from which it can download additional malicious code from a remote server. However, unless new code has recently been pushed through that remote server, the trojan has so far been used for nothing more than pay-per-click and pay-per-impression advertising fraud, according to an early April report from Forbes.
The aspect of this exploit that should worry Apple and Mac users is how easily one could get it. This is what security researchers call a drive-by download: you don't have to interact with the malware by clicking on it, or even download anything yourself. Your Mac can be infected simply by visiting a website that hosts the exploit.
Windows PCs that applied the updates have been protected from this exploit since February of this year, when Oracle and Adobe released patches to their products; on Windows, Oracle ships Java updates directly rather than through the operating system vendor. According to NakedSecurity, Java, like Flash, is a browser plugin that presents a window of opportunity for such exploits. This may be one reason why iOS has remained so free of viruses, even in the midst of this Mac attack.
Apple actually rejected Java for iOS when Oracle intended to bring a form of Java called JavaFX to the platform. JavaFX would have been a way to create and distribute apps that bypassed Apple’s App Store. Java is also used for a wide range of other purposes, including in-browser applets. Apple doesn't allow Flash to run on iOS either, which is another reason the platform is so well insulated from such threats. However, with the Mac being an open platform, at least compared to iOS devices, Flash and Java exploits are to be expected. It is actually surprising that Apple has seen so few malware attacks, and no major ones I can think of, up until this point.
Note: In case you are wondering about Flash exploits, you can look up “zero-day exploit” and read about an example. Also, if you jailbreak your iOS device, you can run a form of Java on your device, called Java VM.
Find out if your Mac is infected with Flashback
To detect whether your Mac is infected, you will need to use the Terminal application. In the terminal, run the following commands (as outlined here):
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
On a clean Mac, each command prints a message saying that the domain/default pair “does not exist.” If any of the three prints a value instead (typically a path to a library that is being injected into the browser or into every process), your Mac is infected. I would still update Java just in case: the check came back clean for me, but I got infected anyway a couple of days after checking. You also need to run all three commands every time you check, since a clean result from one of them says nothing about the other two.
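The check above, wrapped in a small script so the three results come back as a clean/suspect verdict instead of raw output to eyeball. This is an added example, not code from the original article or from F-Secure; the function names are mine, and the two sample outputs at the top are constructed to illustrate the classifier, not captured from a real infection. The live check only runs on a machine that has the defaults(1) tool, i.e. Mac OS X.

```shell
#!/bin/sh
# Added example: classify the output of the three "defaults read" checks
# described in the article. Not part of the article or of F-Secure's tool.

# Constructed sample outputs (not from a real infection) used to show the
# classifier offline. defaults(1) prints the first form when a key is absent;
# the second form is what a set LSEnvironment dictionary looks like.
SAMPLE_CLEAN='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_SUSPECT='{ DYLD_INSERT_LIBRARIES = "/Applications/Safari.app/Contents/Resources/.libexample.so"; }'

# classify_defaults_output OUTPUT
# "does not exist" is the clean case. Anything else means a value is set,
# i.e. a library is being injected into every process (DYLD_INSERT_LIBRARIES
# in ~/.MacOSX/environment) or into the browser (LSEnvironment in Info.plist).
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *) echo suspect ;;
    esac
}

# check_pair DOMAIN KEY
# Runs one check, prints a one-line verdict, returns 0 for clean, 1 for suspect.
check_pair() {
    out=$(defaults read "$1" "$2" 2>&1)
    verdict=$(classify_defaults_output "$out")
    printf '%-60s %s\n' "$1 $2" "$verdict"
    [ "$verdict" = clean ]
}

# flashback_check
# Runs all three checks from the article and returns 0 only if every one is
# clean. A suspect verdict means a library path is configured; look at the
# printed path before concluding it is Flashback, since legitimate software
# can set the same keys.
flashback_check() {
    status=0
    check_pair "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    check_pair /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_pair /Applications/Firefox.app/Contents/Info LSEnvironment || status=1
    return $status
}

# Show the classifier on the constructed samples, then run the live check
# only where defaults(1) exists (Mac OS X).
echo "sample clean   -> $(classify_defaults_output "$SAMPLE_CLEAN")"
echo "sample suspect -> $(classify_defaults_output "$SAMPLE_SUSPECT")"
if command -v defaults >/dev/null 2>&1; then
    if flashback_check; then
        echo "No Flashback indicators found"
    else
        echo "Flashback indicators present; do not trust this machine until cleaned"
    fi
else
    echo "defaults(1) not available; the live check only runs on Mac OS X" >&2
fi
```

The classifier keys on the “does not exist” message rather than on the exact path the malware wrote, because the path varied between Flashback variants; anything other than an absent key is worth a look.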
How to Remove the Flashback Virus
Apple has recently released Java updates that automatically remove the malware. For users running OS X Lion who do not have Java installed, the company also released a standalone removal tool for the trojan. You can find it here. If you have Java installed, Apple’s Java updates should solve the problem. There is also a manual way to get rid of Flashback; this is the method users had to use before Apple released the updates. You can read F-Secure’s instructions here.
Over Half a Million Users Infected
The information about this outbreak originally came from a Russian anti-virus company, Doctor Web (Dr. Web), which estimated the number of infected Macs at over 500,000. Another Russian anti-virus company, Kaspersky, confirmed figures in the hundreds of thousands of infected users, as reported by Forbes.
Both anti-virus companies produced breakdowns of how many users were infected in each region. Kaspersky reverse engineered the trojan, and with the knowledge of its command and control protocol, researchers there set up a fake command and control server (a sinkhole) to collect data from the hijacked machines that connected to it. According to a blog post by Igor Soumenkov, a Kaspersky Lab expert, the company could not definitively tell Mac and PC bots apart from what the bots sent. However, they were able to give a rough estimate of the share of infected users on each platform. Here is how he explained it:
“We cannot confirm nor deny that all of the bots that connected to our server were running Mac OS X. The bots can be only identified by a unique variable in their User-Agent HTTP header named “id”, the rest of the User-Agent is statically controlled by the Trojan. We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts.”
The company estimated that at one point there were over 300,000 infected users in the U.S. alone. Apple also asked for one of Dr. Web's monitoring servers, the sinkhole the company used to gather the Mac infection statistics, to be shut down; the request went to the Russian domain registrar Reggi.ru. The suggested explanation is that Apple mistook the domain for a live command and control server rather than a monitoring server that only receives check-ins from already infected machines.
Is iOS Next?
It is unlikely that iOS will be targeted by this malware, for the reasons stated above. This is a Java exploit, and Apple does not allow Java apps or software to run on iOS. Similar plugin platforms, like Adobe Flash, also do not run on iOS. Apple has been very strict about what can and cannot run on its mobile operating system and what types of applications are allowed. This makes it much tougher for an exploit to reach users' devices. However, that does not mean there isn't an iOS exploit out there that someone hasn't figured out yet. Keep in mind that some apps with more capability than Apple permits have slipped through its approval process, like the DOS emulator iDOS.
Current Infection Circulation Figures
With Apple now offering automatic removal through a software update, there are far fewer infected users. However, many Mac users still have not bothered to update their software or remove the trojan themselves. According to Ars Technica, Kaspersky Lab estimates that about 30,000 infected machines remain. That is a huge drop from the more than half a million that were infected just a few weeks ago. Another anti-virus company, Symantec, estimates that 140,000 machines are still infected. Against that backdrop, anti-virus companies are starting to urge Mac users to buy and maintain anti-virus software from now on and to expect more attacks of this kind. They attribute the historical lack of Mac malware not to anything about Apple’s ecosystem, but simply to the fact that the platform has never been as popular as it is today.
One of the biggest reasons users choose Macs over Windows PCs is the belief that they are less prone to viruses, malware, and other unwanted software. Flashback showed that the Mac can be just as vulnerable as Windows once the right attacker targets the platform. There are many ways to do so, whether through Java, Flash, or software downloaded from the Web. Mac OS X is not iOS: it is a far less closed environment, and there are many more potential exploits to be found. It will be interesting to see whether more such attacks follow or whether this was a one-time incident that simply caught Apple off guard. It will also be interesting to see whether third-party anti-virus software starts being bought en masse for the platform.