Flashback botnet: The end of the Mac’s malware immunity?


For the better part of two decades, Mac users have believed themselves largely immune to the trojans, worms, and malware that plague the Windows world. However, Macs have never been fundamentally more secure than any other computer, and now the community’s collective complacency may finally be put to the test.

Computer security firm Dr. Web reports that a recent variant on the Flashback malware has successfully exploited a previously unpatched Java vulnerability to infect as many as 600,000 Mac computers around the world. Although other security firms aren’t publishing estimates of infection rates, companies like Sophos, Intego, and F-Secure back up the alarm cry: the Flashback variant is real, and in some cases it can install itself without any user intervention when a user visits a specially crafted Web page. It’s the sort of doomsday scenario Mac users have never really seen before: malware that can infect a Mac just by loading a Web page.

[Image: Dr. Web's map of Flashback Mac botnet infections, April 4, 2012]

However, it’s not (currently) the end of the world. Not all Macs are vulnerable, a patch is available, and there are simple things users can do to protect themselves and determine if they’re already infected. But if you’re a Mac user, the current Flashback scare merits a few minutes of your attention, at the very least.

Am I Infected?

Users of Intel-based Macs are potentially vulnerable to the Flashback malware. The malware is sophisticated, however, so determining whether a Mac is infected is a tad complicated.

First, launch the Terminal application (in /Applications/Utilities, or just do a Spotlight search for “Terminal” and launch it from there). You’ll see a window with a Unix command line prompt. (It’s OK, it won’t bite.) Copy and paste the following command at the prompt, then press Return.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If you see a two-line response and the second line is “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist,” then copy and paste the following command at the prompt and press Return:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Again, you want to see a two-line response. If the second line ends with “does not exist,” your Mac is not infected. Type “exit” at the prompt and quit the Terminal application.

If you see responses from either of these commands that indicate data was found, your Mac may be infected, and you’ll want to take steps to remove the malware from your system. For the technically proficient (it involves more Terminal commands), F-Secure has posted a set of manual removal instructions. Less technically inclined users may wish to download a free removal tool from Sophos or ClamXav, or get someone else to perform the removal. Some of the steps below on how to protect your Mac may also help.
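The two Terminal checks above can be wrapped in a short script that runs both and reports a single verdict. The script below is an added example and is not part of the original article: it assumes the Mac OS X defaults(1) tool and the two key locations named above, applies the article's own rule (a reply ending in "does not exist" means the key is absent), and on any system without defaults(1) it only defines the functions and skips the live check.

```shell
#!/bin/sh
# Added example, not from the original article: runs the two `defaults read`
# checks described above and classifies their output.  Assumes the Mac OS X
# defaults(1) tool; on any other system the live checks are skipped.

# Classify the text one `defaults read <domain> <key>` call produced.
# Rule from the article: a reply containing "does not exist" means the key
# is absent (clean); any real value means the key is set and the Mac may be
# infected (suspect).
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *)                  echo suspect ;;
    esac
}

# Run one check against the live system.  `defaults` writes the
# "does not exist" message to stderr and exits non-zero, so both streams
# are captured and the exit status is ignored.
check_key() {
    out=$(defaults read "$1" "$2" 2>&1 || true)
    classify_defaults_output "$out"
}

# Combine both checks: "clean" only if neither key exists.
run_flashback_checks() {
    safari=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
    user=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    echo "Safari LSEnvironment:            $safari" >&2
    echo "~/.MacOSX DYLD_INSERT_LIBRARIES: $user" >&2
    if [ "$safari" = clean ] && [ "$user" = clean ]; then
        echo clean
    else
        echo suspect
    fi
}

if command -v defaults >/dev/null 2>&1; then
    echo "Verdict: $(run_flashback_checks)"
else
    echo "defaults(1) not found; these checks only apply on Mac OS X" >&2
fi
```

A "suspect" verdict means one of the keys holds a value, which is the condition the article describes as "data was found"; it is a prompt to follow the removal instructions, not proof of infection on its own, since a legitimate tool could in principle set the same keys.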

How does this version of Flashback work?

[Image: Flashback installer, faking Adobe Flash, not Java]

Flashback isn’t new: it’s a whole family of malware variants that first appeared back in September 2011. However, the initial versions of the malware appeared as bogus Adobe Flash Player installers. When users loaded a Web page bearing the malware, they’d see something that looked like a Flash error. Clicking it would bring up a prompt to install something that looked like Adobe Flash. (That’s how the name “Flashback” got attached.) Infection depended on tricking people into downloading the installer, accepting a self-signed certificate purporting to be from Apple, and installing the malware. Trojans that rely on social engineering aren’t anywhere near as common on the Mac as on Windows, but Flashback wasn’t exactly new under the sun. Unfortunately, Flashback was Mac-savvy: once installed, early versions tried to kill off Apple’s bare-bones XProtect anti-malware protection system present in Snow Leopard and Lion.

Then, around late February of this year, Flashback shifted to a new trick, leveraging two vulnerabilities in Java to attempt to install itself without any user intervention at all. Although the threat no longer poses as Adobe Flash, the malware under the hood appears to be the same — and that’s why it’s kept the Flashback name. The malware installation will prompt for an administrator password, but it doesn’t actually need administrator authorization to infect a Mac — the malware uses a two-pronged approach. The one with the admin password is a bit cleaner; the one without is brute force.

Once on a user’s Mac, if the user gives their admin password, the software checks to see if particular apps (like Apple’s Xcode development environment and common antivirus and security tools) are installed; if so, it deletes itself, presumably to avoid detection. Otherwise, the infection connects out to command-and-control servers to download the malware payload: this is the actual Flashback engine, and the malware operators can change or update it at any time. Current versions of the malware seem focused on collecting passwords for services like Google, PayPal, and banking sites, presumably to get credentials that can be used by cybercriminals to take over email and online accounts or drain bank accounts.

If a user does not give their administrator password, the infection loader tries to insert itself into essentially any app a user might run (with exceptions for Microsoft Word, Office 2008/2011, and Skype, which are apparently incompatible). Once the infection is installed and a user runs an app, it will attempt to connect to the command-and-control servers and download the payload. This infection method is effective, but very crude and likely not compatible with all apps: users might easily notice that some programs start crashing or behaving unpredictably.

Didn’t Apple ditch Java?

Apple shipped Java for Intel-based Macs as part of Mac OS X 10.4 (Tiger), 10.5 (Leopard), and 10.6 (Snow Leopard); however, Apple deprecated Java as of Mac OS X 10.6.3, and stopped including Java at all with Mac OS X 10.7 (Lion). Lion users will only have Java if they upgraded from a previous system to Mac OS X 10.7, or if they explicitly downloaded and installed Java themselves. If Lion users try to run a Java app, Mac OS X will ask whether they want to download and install Java from Apple.

Apple’s Java situation is a little peculiar. Apple originally wanted Mac OS X to be a top-tier Java development and runtime platform. The company intrepidly developed its own Java runtime for Mac OS X and had it certified by Sun, Java’s creator. But that pattern meant Apple’s Java always lagged substantially behind official Java releases, and that lag increased substantially when Oracle acquired Sun in 2009. A year later, Apple basically said it wasn’t going to keep updating Java, and removed it from Mac OS X’s default installation. This put Java into limbo on the Mac.

Oracle patched the key Java vulnerability exploited by Flashback on February 14. Apple, on the other hand, only released an updated version of Java with that patch (and eleven other Java security fixes) on April 3 — a lag of six weeks.

The vulnerability isn’t Mac-exclusive: the same Java hole can be used to attack Linux and Windows systems. Mozilla Firefox took the unusual step of blocking older versions of Java in Windows versions of its Web browser to protect users.

So how can I protect my Mac?

Here are the simplest ways to protect your Mac from the current Flashback malware threat:

If you have Java, update it

Apple has released an updated version of Java that patches the vulnerability exploited by Flashback. If you’re running Mac OS X 10.6 (Snow Leopard) or 10.7 (Lion) and you have Java installed, the update should appear automatically when you run Software Update (Apple menu > Software Update), or you can get it yourself from Apple’s support downloads site (for Snow Leopard or Lion).

If you have an Intel-based Mac and you’re running Mac OS X 10.5 or earlier, you can see if you have Java installed using the Terminal. Launch Terminal (in /Applications/Utilities/) and paste in the following command:

java -version

If you see the message “No Java runtime support, requesting install,” you do not have Java installed. If you see a version number less than 1.6.0_31 (and you will, if you have any Java at all), your system is potentially vulnerable. Apple won’t be releasing a patched version of Java for Mac OS X 10.5 or earlier. Use the other steps below to protect yourself.
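The version gate just described (anything below 1.6.0_31 is potentially vulnerable, and the "No Java runtime support" message means Java is absent) can be expressed as a shell function that reads the first line of `java -version` output. This is an added example, not code from the original article; it assumes the Sun/Apple version string format shown in the comment, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: classifies the first line of
# `java -version` output against the 1.6.0_31 threshold given in the text.
# Assumes the Sun/Apple version string format, e.g.  java version "1.6.0_29"
# (a constructed sample).

# $1 = the first line of `java -version 2>&1`.
# Prints one of: absent, vulnerable, patched, unknown.
java_version_status() {
    case "$1" in
        *"No Java runtime"*) echo absent; return ;;
    esac
    # Pull the quoted version number out of the line; empty if absent.
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9._]*\)".*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return
    fi
    # Split major.minor.patch_update into numeric fields and compare the
    # whole tuple against 1.6.0_31; a missing update field counts as 0.
    printf '%s\n' "$ver" | awk -F'[._]' '{
        have   = $1 * 1000000 + $2 * 10000 + $3 * 100 + $4
        fixed  = 1 * 1000000 + 6 * 10000 + 0 * 100 + 31
        status = (have < fixed) ? "vulnerable" : "patched"
        print status
    }'
}

if command -v java >/dev/null 2>&1; then
    first_line=$(java -version 2>&1 | head -n 1)
    echo "$first_line"
    echo "Status: $(java_version_status "$first_line")"
else
    echo "java not found on this system" >&2
fi
```

Note that `java -version` writes to stderr, hence the `2>&1` before taking the first line; a "vulnerable" result on Mac OS X 10.5 or earlier means the remaining steps below (disabling Java in browsers, considering antivirus) are the only protection available, since Apple is not patching Java on those releases.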

Disable Java in Web browsers
Java never really took off as a mainstream platform for Web content, so most users don’t need to enable Java in their Web browsers. Disabling Java will block Flashback’s “drive-by” attack, and is the most effective way for earlier users of Mac OS X to protect themselves.
  • Safari—Go to Preferences > Security, and uncheck “Enable Java.” (While you’re in there, go to Preferences > General and make sure “Open ‘Safe’ files after downloading” is unchecked.)
  • Firefox—Choose Tools > Add-ons, select the Plug-ins Tab, and click the “Disable” button next to Java Plug-in.
  • Chrome — Type chrome://plugins in Chrome’s address bar. A list of available plug-ins will appear. Find Java and click the “Disable” link beneath it.

This doesn’t remove Java from your system; it just prevents Web browsers from launching or running Java apps. That’s enough to protect you from the drive-by nature of the Flashback attack. You’ll still be able to run desktop applications that require Java — a common example is Citrix’s GoToMeeting — but you may find you need to selectively re-enable Java in a browser to log in to services or download updates. In that case, re-enable Java to get the app running, then disable it again when you’re done.

Consider antivirus software
If you’re in a situation where you can’t update Java or can’t disable a vulnerable version of Java, you should consider antivirus software to protect your Mac. ClamXav makes a free antivirus package for Mac users; similarly, Sophos has a Mac antivirus package free for non-commercial use. Commercial antivirus packages are also available for Mac OS X from the likes of Intego and Symantec; F-Secure also has a beta Mac OS X security product.

Does your Mac need antivirus software?

The days of the Mac’s immunity from malware appear to be at an end: last year saw the MacDefender scare (and Apple’s brief tit-for-tat battle with its perpetrators), and now there’s a genuine drive-by infection threat to the Mac — even though it doesn’t rely on technology exclusive to Mac OS X. Although the malware situation on Mac OS X is still several orders of magnitude less severe than that for Windows, the writing is on the wall: as the Mac platform gains adherents, it’s going to start attracting sophisticated malware authors.

What about Gatekeeper, the new protection technology that’s due to arrive with Mac OS X 10.8 Mountain Lion? Mac users shouldn’t rely on Gatekeeper to protect them: the technology will let users decide to run only applications that come from the Mac App Store, only applications from the Mac App Store and from developers who have identified themselves to Apple, or (as now) any application from any source. Gatekeeper will not protect Mac users from vulnerabilities in applications or system components — which means a problem with a Web browser plug-in or a low-level component like Java is outside Gatekeeper’s purview — and Mountain Lion users would be just as vulnerable to something like Flashback’s drive-by attack as anyone else.

For the time being, it’s probably too early to recommend all Mac OS X users install and run antivirus software: the best case for running AV software on a Mac is still to clean Windows-based viruses and malware out of files and documents Mac users might be passing along to hapless Windows users. But the day may come — soon — when the Mac malware universe warrants widespread use of high-quality antivirus software.

Lead image on Mac screen via Sebastian Kaulitzki/Shutterstock
