
Flashback botnet: The end of the Mac’s malware immunity?


For the better part of two decades, Mac users have believed themselves largely immune to the trojans, worms, and malware that plague the Windows world. However, Macs have never been fundamentally more secure than any other computer, and now the community’s collective complacency may finally be put to the test.

Computer security firm Dr. Web reports that a recent variant on the Flashback malware has successfully exploited a previously unpatched Java vulnerability to infect as many as 600,000 Mac computers around the world. Although other security firms aren’t publishing estimates of infection rates, companies like Sophos, Intego, and F-Secure back up the alarm cry: the Flashback variant is real, and in some cases it can install itself without any user intervention when a user visits a specially crafted Web page. It’s the sort of doomsday scenario Mac users have never really seen before: malware that can infect a Mac just by loading a Web page.

[Image: Dr. Web map of Flashback Mac botnet infections, April 4, 2012]

However, it’s not (currently) the end of the world. Not all Macs are vulnerable, a patch is available, and there are simple things users can do to protect themselves and determine if they’re already infected. But if you’re a Mac user, the current Flashback scare merits a few minutes of your attention, at the very least.

Am I Infected?

Users of Intel-based Macs are potentially vulnerable to the Flashback malware. The malware is sophisticated, however, so determining whether a Mac is infected is a tad complicated.

First, launch the Terminal application (in /Applications/Utilities, or just do a Spotlight search for “Terminal” and launch it from there). You’ll see a window with a Unix command line prompt. (It’s OK, it won’t bite.) Copy and paste the following command at the prompt, then press Return.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If you see a two-line response and the second line is “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist,” then copy and paste the following command at the prompt and press Return:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Again, you want to see a two-line response. If the second line ends with “does not exist,” your Mac is not infected. Type “exit” at the prompt and quit the Terminal application.

If either command returns a response indicating that data was found, your Mac may be infected, and you’ll want to take steps to remove the malware from your system. For the technically proficient (it involves more Terminal commands), F-Secure has posted a set of manual removal instructions. Less technically inclined users may wish to download a free removal tool from Sophos or ClamXav, or get someone else to perform the removal. Some of the steps below on how to protect your Mac may also help.
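The two Terminal checks above can be scripted so the verdict doesn’t depend on reading the output by eye. The script below is an added example written for this article, not a tool from Dr. Web, F-Secure, or Apple: it runs the same two `defaults read` commands, classifies their combined output (the “does not exist” message means the key is absent and the location is clean; any other value means something has set an injected-library environment variable and deserves a closer look), and prints an overall verdict. The classification logic is plain text matching, so it can be exercised on any system; the actual `defaults` calls only run where that command exists. The verdict names (`clean`, `suspicious`, `unknown`) are this example’s own.

```shell
#!/bin/sh
# Added example (not from the article): script the two Terminal checks.

# Map the combined stdout/stderr of `defaults read DOMAIN KEY` to a verdict.
#   "clean"      - the key is absent (Apple's "does not exist" message)
#   "suspicious" - the key holds a value, i.e. an injected-library
#                  environment variable has been set in that location
#   "unknown"    - empty output (command missing or file unreadable)
classify_defaults_output() {
  case "$1" in
    *"does not exist"*) echo "clean" ;;
    "")                 echo "unknown" ;;
    *)                  echo "suspicious" ;;
  esac
}

# Run one `defaults read` and classify it. Arguments: domain, key.
# stderr is merged because the "does not exist" message is printed there.
check_key() {
  out=$(defaults read "$1" "$2" 2>&1)
  classify_defaults_output "$out"
}

# Combine the verdicts from the two locations the article names.
# Echoes the overall verdict; returns 0 only when both are clean.
flashback_verdict() {
  # $1: verdict for Safari's Info.plist LSEnvironment
  # $2: verdict for ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  case "$1:$2" in
    clean:clean)  echo "clean";      return 0 ;;
    *suspicious*) echo "suspicious"; return 1 ;;
    *)            echo "unknown";    return 1 ;;
  esac
}

# Only call `defaults` on Mac OS X; elsewhere just say so.
if command -v defaults >/dev/null 2>&1; then
  safari=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
  user=$(check_key ~/.MacOSX/environment DYLD_INSERT_LIBRARIES)
  echo "Safari LSEnvironment:       $safari"
  echo "User DYLD_INSERT_LIBRARIES: $user"
  echo "Overall:                    $(flashback_verdict "$safari" "$user")"
else
  echo "defaults(1) not found; this check only runs on Mac OS X"
fi
```

A `suspicious` result is a prompt to inspect the value that was returned, not proof of infection: legitimate software can also set these keys, so compare what you see against the removal instructions from F-Secure or Sophos before deleting anything.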

How does this version of Flashback work?

[Image: Flashback installer (faking Adobe Flash, not Java)]

Flashback isn’t new: it’s a whole family of malware variants that first appeared back in September 2011. However, the initial versions of the malware appeared as bogus Adobe Flash Player installers. When users loaded a Web page bearing the malware, they’d see something that looked like a Flash error. Clicking it would bring up a prompt to install something that looked like Adobe Flash. (That’s how the name “Flashback” got attached.) Infection depended on tricking people into downloading the installer, accepting a self-signed certificate purporting to be from Apple, and installing the malware. Trojans that rely on social engineering aren’t anywhere near as common on the Mac as on Windows, but Flashback wasn’t exactly new under the sun. Unfortunately, Flashback was Mac-savvy: once installed, early versions tried to kill off XProtect, Apple’s barebones anti-malware protection system present in Snow Leopard and Lion.

Then, around late February of this year, FlashBack shifted to a new trick, leveraging two vulnerabilities in Java to attempt to install itself without any user intervention at all. Although the threat no longer poses as Adobe Flash, the malware under the hood appears to be the same — and that’s why it’s kept the FlashBack name. The malware installation will prompt for an administrator password, but it doesn’t actually need administrator authorization to infect a Mac — the malware uses a two-pronged approach. The one with the admin password is a bit cleaner; the one without is brute force.

Once on a user’s Mac, if a user gives their admin password, the software checks to see if particular apps (like Apple’s XCode development environment and common antivirus and security tools) are installed; if so, it deletes itself, presumably to avoid detection. Otherwise, the infection connects out to command-and-control servers to download the malware payload: this is the actual FlashBack engine, and the malware operators can change or update it at any time. Current versions of the malware seem focused on collecting passwords for services like Google, PayPal, and banking sites, presumably to get credentials that can be used by cybercriminals to take over email and online accounts or drain bank accounts.

If a user does not give their administrator password, the infection loader tries to insert itself into essentially any app a user might run (with exceptions for Microsoft Word, Office 2008/2011, and Skype, which are apparently incompatible). Once the infection is installed and a user runs an app, it will attempt to connect to the command-and-control servers and download the payload. This infection method is effective, but very crude and likely not compatible with all apps: users might easily notice that some programs start crashing or behaving unpredictably.

Didn’t Apple ditch Java?

Apple shipped Java for Intel-based Macs as part of Mac OS X 10.4 (Tiger), 10.5 (Leopard), and 10.6 (Snow Leopard); however, Apple deprecated Java as of Mac OS X 10.6.3, and stopped including Java at all with Mac OS X 10.7 (Lion). Lion users will only have Java if they upgraded to Mac OS X 10.7 from a previous system, or if they explicitly downloaded and installed Java themselves. If Lion users try to run a Java app, Mac OS X will ask whether they want to download and install Java from Apple.

Apple’s Java situation is a little peculiar. Apple originally wanted Mac OS X to be a top-tier Java development and runtime platform. The company intrepidly developed its own Java runtime for Mac OS X and had it certified by Sun, Java’s creator. But that pattern meant Apple’s Java always lagged substantially behind official Java releases, and that lag increased substantially when Oracle acquired Sun in 2009. A year later, Apple basically said it wasn’t going to keep updating Java, and removed it from Mac OS X’s default installation. This put Java into limbo on the Mac.

Oracle patched the key Java vulnerability exploited by Flashback on February 14. Apple, on the other hand, only released an updated version of Java with that patch (and eleven other Java security fixes) on April 3 — a lag of six weeks.

The vulnerability isn’t Mac-exclusive: the same Java hole can be used to attack Linux and Windows systems. Mozilla Firefox took the unusual step of blocking older versions of Java in Windows versions of its Web browser to protect users.

So how can I protect my Mac?

Here are the simplest ways to protect your Mac from the current Flashback malware threat:

If you have Java, update it

Apple has released an updated version of Java that patches the vulnerability exploited by Flashback. If you’re running Mac OS X 10.6 (Snow Leopard) or 10.7 (Lion) and you have Java installed, the update should appear automatically when you run Software Update (Apple menu > Software Update), or you can get it yourself from Apple’s support downloads site (for Snow Leopard or Lion)

If you have an Intel-based Mac and you’re running Mac OS X 10.5 or earlier, you can see whether you have Java installed using the Terminal. Launch Terminal (in /Applications/Utilities/) and paste in the following command:

java -version

If you see the message “No Java runtime support, requesting install,” you do not have Java installed. If you see a version number less than 1.6.0_31 (and you will, if you have any Java at all), your system is potentially vulnerable. Apple won’t be releasing a patched version of Java for Mac OS X 10.5 or earlier. Use the other steps below to protect yourself.
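Reading a version string and deciding whether it is “less than 1.6.0_31” is easy to get wrong by eye (1.6.0_29 is older, 1.7.0_03 is newer), so here is an added example, written for this article rather than taken from Apple or the article, that parses the output of `java -version` and compares it numerically against the 1.6.0_31 build named above. The status words `vulnerable`, `patched` and `none` are this example’s own; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article): parse `java -version` output and
# compare it against 1.6.0_31, the first patched Apple build named above.

# Extract the quoted version string from `java -version` output, e.g.
#   java version "1.6.0_29"   ->  1.6.0_29     (constructed sample)
# Echoes "none" when there is no such line, which covers Apple's
# "No Java runtime support, requesting install" message and empty output.
parse_java_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  if [ -z "$v" ]; then echo "none"; else echo "$v"; fi
}

# Turn "1.6.0_31" into one comparable integer: 1006000031.
# Missing fields count as zero, so "1.7.0" sorts like "1.7.0_0".
version_key() {
  printf '%s\n' "$1" | awk -F'[._]' \
    '{ printf "%d\n", $1*1000000000 + $2*1000000 + $3*1000 + $4 }'
}

# Echo "vulnerable" if the installed build is older than 1.6.0_31,
# "patched" if it is that build or newer, and "none" if Java is absent.
java_status() {
  ver=$(parse_java_version "$1")
  if [ "$ver" = "none" ]; then
    echo "none"
  elif [ "$(version_key "$ver")" -lt "$(version_key 1.6.0_31)" ]; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# `java -version` prints to stderr, so merge it before parsing.
if command -v java >/dev/null 2>&1; then
  echo "Java status: $(java_status "$(java -version 2>&1)")"
else
  echo "Java status: $(java_status "")"
fi
```

On Mac OS X 10.5 or earlier a `vulnerable` result cannot be fixed by updating, as the article notes, so the answer there is to disable Java in the browser as described in the next step.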

Disable Java in Web browsers
Java never really took off as a mainstream platform for Web content, so most users don’t need to enable Java in their Web browsers. Disabling Java will block Flashback’s “drive-by” attack, and is the most effective way for earlier users of Mac OS X to protect themselves.
  • Safari — Go to Preferences > Security, and uncheck “Enable Java.” (While you’re in there, go to Preferences > General and make sure “Open ‘Safe’ files after downloading” is unchecked.)
  • Firefox — Choose Tools > Add-ons, select the Plug-ins tab, and click the “Disable” button next to Java Plug-in.
  • Chrome — Type chrome://plugins in Chrome’s address bar. A list of available plug-ins will appear. Find Java and click the “Disable” link beneath it.

This doesn’t remove Java from your system, it just prevents Web browsers from launching or running Java apps. That’s enough to protect you from the drive-by nature of the Flashback attack. You’ll still be able to run desktop applications that require Java — a common example is things like Citrix’s GoToMeeting — but you may find you need to selectively re-enable Java in a browser to log in to services or download updates. In that case, you can selectively re-enable Java to get an app running, then disable it again when you’re done.

Consider antivirus software
If you’re in a situation where you can’t update Java or can’t disable a vulnerable version of Java, you should consider antivirus software to protect your Mac. ClamXav makes a free antivirus package for Mac users; similarly, Sophos has a Mac antivirus package free for non-commercial use. Commercial antivirus packages are also available for Mac OS X from the likes of Intego and Symantec; F-Secure also has a beta Mac OS X security product.

Does your Mac need antivirus software?

The days of the Mac’s immunity from malware appear to be at an end: last year saw the MacDefender scare (and Apple’s brief tit-for-tat battle with its perpetrators), and now there’s a genuine drive-by infection threat to the Mac — even though it doesn’t rely on technology exclusive to Mac OS X. Although the malware situation on Mac OS X is still several orders of magnitude less severe than that for Windows, the writing is on the wall: as the Mac platform gains adherents, it’s going to start attracting sophisticated malware authors.

What about Gatekeeper, the new protection technology that’s due to arrive with Mac OS X 10.8 Mountain Lion? Mac users shouldn’t rely on Gatekeeper to protect them: the technology lets users choose to run only applications from the Mac App Store, only applications from the App Store and from developers who have identified themselves to Apple, or (as now) any application from any source. Gatekeeper will not protect Mac users from vulnerabilities in applications or system components — which means a problem with a Web browser plug-in or a low-level component like Java is outside Gatekeeper’s purview — and Mountain Lion users would be just as vulnerable to something like Flashback’s drive-by attack as anyone else.

For the time being, it’s probably too early to recommend all Mac OS X users install and run antivirus software: the best case for running AV software on a Mac is still to clean Windows-based viruses and malware out of files and documents Mac users might be passing along to hapless Windows users. But the day may come — soon — when the Mac malware universe warrants widespread use of high-quality antivirus software.

Lead image on Mac screen via Sebastian Kaulitzki/Shutterstock