Flashback botnet: The end of the Mac’s malware immunity?


For the better part of two decades, Mac users have believed themselves largely immune to the trojans, worms, and malware that plague the Windows world. However, Macs have never been fundamentally more secure than any other computer, and now the community’s collective complacency may finally be put to the test.

Computer security firm Dr. Web reports that a recent variant on the Flashback malware has successfully exploited a previously unpatched Java vulnerability to infect as many as 600,000 Mac computers around the world. Although other security firms aren’t publishing estimates of infection rates, companies like Sophos, Intego, and F-Secure back up the alarm cry: the Flashback variant is real, and in some cases it can install itself without any user intervention when a user visits a specially crafted Web page. It’s the sort of doomsday scenario Mac users have never really seen before: malware that can infect a Mac just by loading a Web page.

Image: Dr. Web Flashback Mac botnet infection map, April 4, 2012

However, it’s not (currently) the end of the world. Not all Macs are vulnerable, a patch is available, and there are simple things users can do to protect themselves and determine if they’re already infected. But if you’re a Mac user, the current Flashback scare merits a few minutes of your attention, at the very least.

Am I Infected?

Users of Intel-based Macs are potentially vulnerable to the Flashback malware. The malware is sophisticated, however, so determining whether a Mac is infected is a tad complicated.

First, launch the Terminal application (in /Applications/Utilities, or just do a Spotlight search for “Terminal” and launch it from there). You’ll see a window with a Unix command line prompt. (It’s OK, it won’t bite.) Copy and paste the following command at the prompt, then press Return.

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If you see a two-line response and the second line is “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist,” then copy and paste the following command at the prompt and press Return:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Again, you want to see a two-line response. If the second line ends with “does not exist,” your Mac is not infected. Type “exit” at the prompt and quit the Terminal application.

If either command returns data instead of a “does not exist” message, your Mac may be infected, and you’ll want to take steps to remove the malware from your system. For the technically proficient (it involves more Terminal commands), F-Secure has posted a set of manual removal instructions. Less technically inclined users may wish to download a free removal tool from Sophos or ClamXav, or get someone else to perform the removal. Some of the steps below on how to protect your Mac may also help.
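The two Terminal checks above, automated as a small shell script. This is an added example, not part of the original article: classify_defaults_output applies the article’s rule (a “does not exist” message means clean; any returned data means the key is set and the Mac may be infected) to the exit status and output of defaults read, and check_key is the wrapper that runs on a Mac. The sample outputs used in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article): run the article's two persistence
# checks and classify each result. `defaults read` prints the stored value and
# exits 0 when the key exists; it prints "... does not exist" and exits
# non-zero when it does not.

# classify_defaults_output EXIT_STATUS OUTPUT -> clean | suspect | unknown
classify_defaults_output() {
  status=$1
  output=$2
  if [ "$status" -eq 0 ]; then
    # defaults returned data, e.g. (constructed)
    # { DYLD_INSERT_LIBRARIES = "/tmp/constructed.dylib"; }
    echo suspect
  else
    case "$output" in
      *"does not exist"*) echo clean ;;    # the response the article wants
      *) echo unknown ;;                   # some other error: look closer
    esac
  fi
}

# check_key DOMAIN KEY: run `defaults read` and print the verdict.
# Returns 0 only when the key is absent (clean).
check_key() {
  domain=$1
  key=$2
  if out=$(defaults read "$domain" "$key" 2>&1); then
    status=0
  else
    status=$?
  fi
  verdict=$(classify_defaults_output "$status" "$out")
  printf '%s: %s %s\n' "$verdict" "$domain" "$key"
  [ "$verdict" = clean ]
}

# Only run the live checks where `defaults` exists, i.e. on a Mac.
if command -v defaults >/dev/null 2>&1; then
  check_key /Applications/Safari.app/Contents/Info LSEnvironment
  check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
fi
```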

How does this version of Flashback work?

Image: Flashback installer (faking Adobe Flash, not Java)

Flashback isn’t new: it’s a whole family of malware variants that first appeared back in September 2011. However, the initial versions of the malware appeared as bogus Adobe Flash Player installers. When users loaded a Web page bearing the malware, they’d see something that looked like a Flash error. Clicking it would bring up a prompt to install something that looked like Adobe Flash. (That’s how the name “FlashBack” got attached.) Infection depended on tricking people into downloading the installer, accepting a self-signed certificate purporting to be from Apple, and installing the malware. Trojans that rely on social engineering aren’t anywhere near as common on the Mac as on Windows, but FlashBack wasn’t exactly new under the sun. Unfortunately, Flashback was Mac-savvy: once installed, early versions tried to kill off Apple’s barebones XProtect anti-malware protection system present in Snow Leopard and Lion.

Then, around late February of this year, FlashBack shifted to a new trick, leveraging two vulnerabilities in Java to attempt to install itself without any user intervention at all. Although the threat no longer poses as Adobe Flash, the malware under the hood appears to be the same — and that’s why it’s kept the FlashBack name. The malware installation will prompt for an administrator password, but it doesn’t actually need administrator authorization to infect a Mac — the malware uses a two-pronged approach. The one with the admin password is a bit cleaner; the one without is brute force.

Once on a Mac, if the user supplies an admin password, the software checks to see whether particular apps (like Apple’s Xcode development environment and common antivirus and security tools) are installed; if so, it deletes itself, presumably to avoid detection. Otherwise, the infection connects out to command-and-control servers to download the malware payload: this is the actual FlashBack engine, and the malware operators can change or update it at any time. Current versions of the malware seem focused on collecting passwords for services like Google, PayPal, and banking sites, presumably to get credentials that cybercriminals can use to take over email and online accounts or drain bank accounts.

If a user does not give their administrator password, the infection loader tries to insert itself into essentially any app a user might run (with exceptions for Microsoft Word, Office 2008/2011, and Skype, which are apparently incompatible). Once the infection is installed and a user runs an app, it will attempt to connect to the command-and-control servers and download the payload. This infection method is effective, but very crude and likely not compatible with all apps: users might easily notice that some programs start crashing or behaving unpredictably.

Didn’t Apple ditch Java?

Image: Apple Java icon

Apple shipped Java for Intel-based Macs as part of Mac OS X 10.4 (Tiger), 10.5 (Leopard), and 10.6 (Snow Leopard); however, Apple deprecated Java as of Mac OS X 10.6.3, and stopped including Java at all with Mac OS X 10.7 (Lion). Lion users will only have Java if they upgraded from a previous system to Mac OS X 10.7, or if they explicitly downloaded and installed Java themselves. If Lion users try to run a Java app, Mac OS X will ask whether they want to download and install Java from Apple.

Apple’s Java situation is a little peculiar. Apple originally wanted Mac OS X to be a top-tier Java development and runtime platform. The company intrepidly developed its own Java runtime for Mac OS X and had it certified by Sun, Java’s creator. But that pattern meant Apple’s Java always lagged substantially behind official Java releases, and that lag increased substantially when Oracle acquired Sun in 2009. A year later, Apple basically said it wasn’t going to keep updating Java, and removed it from Mac OS X’s default installation. This put Java into limbo on the Mac.

Oracle patched the key Java vulnerability exploited by Flashback on February 14. Apple, on the other hand, only released an updated version of Java with that patch (and eleven other Java security fixes) on April 3 — a lag of six weeks.

The vulnerability isn’t Mac-exclusive: the same Java hole can be used to attack Linux and Windows systems. Mozilla Firefox took the unusual step of blocking older versions of Java in Windows versions of its Web browser to protect users.

So how can I protect my Mac?

Here are the simplest ways to protect your Mac from the current Flashback malware threat:

If you have Java, update it

Apple has released an updated version of Java that patches the vulnerability exploited by Flashback. If you’re running Mac OS X 10.6 (Snow Leopard) or 10.7 (Lion) and you have Java installed, the update should appear automatically when you run Software Update (Apple menu > Software Update), or you can get it yourself from Apple’s support downloads site (for Snow Leopard or Lion).

If you have an Intel-based Mac and you’re running Mac OS X 10.5 or earlier, you can see if you have Java installed using the Terminal. Launch Terminal (in /Applications/Utilities/) and paste in the following command:

java -version

If you see the message “No Java runtime support, requesting install,” you do not have Java installed. If you see a version number less than 1.6.0_31 (and you will, if you have any Java at all), your system is potentially vulnerable. Apple won’t be releasing a patched version of Java for Mac OS X 10.5 or earlier. Use the other steps below to protect yourself.
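The version check above as a shell function, added here as an example that is not part of the original article: java_version_status parses the first line of java -version output and applies the article’s threshold, reporting anything below 1.6.0_31 as vulnerable. It assumes Apple’s Java prints the usual java version "1.6.0_xx" line; the sample strings are constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify `java -version` output.
# java_version_status OUTPUT -> none | vulnerable | patched | unknown
java_version_status() {
  output=$1
  case "$output" in
    *"No Java runtime support"*) echo none; return 0 ;;   # no Java installed
  esac
  # Pull the quoted version string, e.g. 1.6.0_29, out of the first match.
  ver=$(printf '%s\n' "$output" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  if [ -z "$ver" ]; then
    echo unknown
    return 0
  fi
  base=${ver%%_*}          # 1.6.0
  update=0
  case "$ver" in *_*) update=${ver#*_} ;; esac   # 29
  # Split the dotted part into three numeric fields.
  IFS=. read -r a b c <<EOF
$base
EOF
  # Compare numerically against 1.6.0_31, most significant field first.
  for pair in "$a:1" "$b:6" "${c:-0}:0" "$update:31"; do
    have=${pair%%:*}
    want=${pair#*:}
    if [ "$have" -lt "$want" ]; then echo vulnerable; return 0; fi
    if [ "$have" -gt "$want" ]; then echo patched; return 0; fi
  done
  echo patched   # exactly 1.6.0_31
}

# Run against the installed Java, if any.
if command -v java >/dev/null 2>&1; then
  java_version_status "$(java -version 2>&1)"
fi
```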

Disable Java in Web browsers

Java never really took off as a mainstream platform for Web content, so most users don’t need to enable Java in their Web browsers. Disabling Java will block Flashback’s “drive-by” attack, and is the most effective way for users of earlier versions of Mac OS X to protect themselves.
  • Safari—Go to Preferences > Security, and uncheck “Enable Java.” (While you’re in there, go to Preferences > General and make sure “Open ‘Safe’ files after downloading” is unchecked.)
  • Firefox—Choose Tools > Add-ons, select the Plug-ins tab, and click the “Disable” button next to Java Plug-in.
  • Chrome—Type chrome://plugins in Chrome’s address bar. A list of available plug-ins will appear. Find Java and click the “Disable” link beneath it.

This doesn’t remove Java from your system; it just prevents Web browsers from launching or running Java apps. That’s enough to protect you from the drive-by nature of the Flashback attack. You’ll still be able to run desktop applications that require Java (Citrix’s GoToMeeting is a common example), but you may find you need to re-enable Java in a browser to log in to services or download updates. In that case, re-enable Java just long enough to get the app running, then disable it again when you’re done.

Consider antivirus software

If you’re in a situation where you can’t update Java or can’t disable a vulnerable version of Java, you should consider antivirus software to protect your Mac. ClamXav makes a free antivirus package for Mac users; similarly, Sophos has a Mac antivirus package free for non-commercial use. Commercial antivirus packages are also available for Mac OS X from the likes of Intego and Symantec; F-Secure also has a beta Mac OS X security product.

Does your Mac need antivirus software?

Image: virus attack

The days of the Mac’s immunity from malware appear to be at an end: last year saw the MacDefender scare (and Apple’s brief tit-for-tat battle with its perpetrators), and now there’s a genuine drive-by infection threat to the Mac — even though it doesn’t rely on technology exclusive to Mac OS X. Although the malware situation on Mac OS X is still several orders of magnitude less severe than that for Windows, the writing is on the wall: as the Mac platform gains adherents, it’s going to start attracting sophisticated malware authors.

What about Gatekeeper, the new protection technology that’s due to arrive with Mac OS X 10.8 Mountain Lion? Mac users shouldn’t rely on Gatekeeper to protect them: the technology will let users decide to run only applications that come from Apple and/or the Mac App Store and from developers who have identified themselves to Apple, or (like now) run any application from any source. Gatekeeper will not protect Mac users from vulnerabilities in applications or system components — which means a problem with a Web browser plug-in or a low-level component like Java is outside Gatekeeper’s purview — and Mountain Lion users would be just as vulnerable to something like Flashback’s drive-by attack as anyone else.

For the time being, it’s probably too early to recommend all Mac OS X users install and run antivirus software: the best case for running AV software on a Mac is still to clean Windows-based viruses and malware out of files and documents Mac users might be passing along to hapless Windows users. But the day may come — soon — when the Mac malware universe warrants widespread use of high-quality antivirus software.

Lead image on Mac screen via Sebastian Kaulitzki/Shutterstock
