We don’t normally report on security issues, especially not when they occur on Mac OS X. So far, the security issues on the Mac can barely be labelled as such, and really don’t deserve a lot of attention. Now, however, it would appear we’re looking at the first successful widespread malware infection on Mac OS X. Not a bad track record for an eleven year old operating system, by the way.
There’s a trojan called Flashback rummaging around the web, which can infect a Mac without the need for a root password. Earlier this week, a Russian antivirus company (little red flag going up) claimed over half a million Macs were infected by the Trojan, creating a pretty sizeable botnet. Some perspective: relatively speaking, this botnet is similar in size to Conficker (both infecting about 1% of the installed base).
Just a single antivirus company making such claims is not something that piques my interest. Antivirus companies tend to be pretty sleazy, and they like nothing more than making a threat look bigger than it really is because, hey, what do you know, their antivirus product stops this particular super-dangerous cat-killing virustrojanmalwarething.
We now have a second source corroborating the figures. Kaspersky Labs (yup, another antivirus company) confirmed the figures in their own independent investigation into the matter.
“We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, ‘krymbrjasnof.com’. After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots,” Kaspersky’s Igor Soumenkov writes, “Our logs indicate that a total of 600000+ unique bots connected to our server in less than 24 hours. They used a total of 620000+ external IP addresses. More than 50% of the bots connected from the United States.”
In fact, according to the earlier investigation, 274 unique IP addresses came from… Cupertino.
The trojan uses a security hole in Java, which Oracle patched in February 2012; Apple didn’t send out a patch until a few days ago. Get this patch and install it, because if the investigations are correct, Mac users are actually running a risk this time. If you’re afraid you might be one of those ~600000, Ars has a detailed guide on how to check your machine, and if necessary, how to remove it.
Since Apple does not ship Java by default any more, I’m guessing these are mostly older machines and machines that haven’t been updated to the latest release (and Minecraft players). So, especially if you belong in either of those groups, it might not hurt to give your machine a check-up.
Now, we’re looking at data from security firms, so I’m still a little bit sceptical. However, I’m risking the “You’re anti-Apple!!1!!!”-crap because it’s looking more and more like this is an actual serious issue. Do with it as you please.
As a Windows user, having listened to Mac users tell me for years how much better the Mac was because Macs never got infected with viruses and stuff, I always knew it was only a matter of time until the day came when they would get theirs as well, despite being told by some that it would never happen. And now that it has, there is no joy in this for me. To all of my Mac-using brethren out there who get infected by this (and other things), I extend my condolences. You guys now get to share the love
They didn’t get infected because there were no viruses to infect them. I get the impression some people think it’s impossible to get them – but this has never been true.
Well, what do you expect, the corporate slogan is “Think Different”, not “Be Different”.
But seriously, why is it that every time new mac malware surfaces it’s always treated as though it’s never happened before? I don’t get it?
I wish it was possible to search the web excluding the last couple days since this last incident is overloading the search results. This article published in ’06 has a list.
http://www.sophos.com/en-us/press-office/press-releases/2006/02/mac…
Edited 2012-04-08 03:34 UTC
IRIC, the other ones were mostly spread via pirated software and such, so weren’t very widespread I think this is the first one to infect hundreds of thousands of users.
Edited 2012-04-08 07:54 UTC
Isn’t this a bit like saying that you are NEVER been hit by a car, therefore you will NEVER be hit by one?
Okay, then! I mean, who could possibly argue with reasoning of such caliber?
RT.
I did laugh when I read about it :>
Now we just need to wait 50 years to see a widespread infection on linux machines and we’ll be covered
..I don’t expect we’ll get any numbers from Apple, do you?
It simply means Apple’s new prominence has brought them unwanted attention and they will have to up their security.
Perhaps we will now see if the user privileges model that is so beloved of Apple’s fans actually is as solid a defence as they claim.
I as a mac user never claimed there will never be a serious security threat. Although most user does. Pretty serious thing considering it just needs to access a website to get infected. What happened to Java sandboxing?
Nobody is perfect, this is a bug in the VM.
Well besides the funny of Macs getting a major blast here, even though it’s happened plenty of times in the past..
Firstly, they prove more than anything that their security ideas have always been that no one will hit us ’cause we’re a minority. Some of the security vulnerabilities that have hit Mac OS are seriously laughable.
But this particular case is because of Java, which is a security crapfest in itself, even more so since Apple rolls their own.
leech,
“But this particular case is because of Java, which is a security crapfest in itself, even more so since Apple rolls their own.”
You are correct, and some of the vulnerabilities against macs do seem to be third party related. Note though that apple was always eager in it’s advertising to group together all malware under the “windows” umbrella regardless of whether microsoft windows was at fault or not.
Now, that view has some merit. We can recognize that the windows experience can be worse for end-users regardless of who is responsible for vulnerabilities. However in order to not be hypocrites, apple would have to admit that mac users are in fact affected by malware.
To be honest though, apple’s portrayal of being impervious to malware is far more appalling (to me) than their security track record, which is still respectable in context. On the other hand, the fact that they deny any security risks is a disservice to the mac community who are ill prepared to cope when things like this inevitably happen.
That’s a good point.
Apple can’t have it both ways, but Jobs knows they’ll try.
Yeah that was kind of my point, in that even though it technically was “Java’s fault” which some Apple fans (of which I am the exact opposite, I hate Apple, and their products), it was inevitably Apple’s fault anyhow ’cause they’re not even using Oracle’s Java.
It’s like a double whammy for ’em. And for their users.
Reminds me of the one I read about where a Mac could act as the Mac authentication server and grab all of the login names and passwords on a network. I can’t recall the exact specifics of that, but I was talking to my older brother (he’s a jerk with a Mac) and he was saying “at least it’s not Stuxnet.” Yeah, Stuxnet affected a particular hardware platform, not just Windows (if I’m recalling correctly) but that’s the gist of how Apple fans think.
‘Oh, well aren’t our faces red… but LOOK how much worse it is for Windows!!!’ ‘Yeah, but uhm, I’ve been asking you for years why you don’t use Linux, especially since you work for a security firm?’ ‘Uhm, well my Mac will do all that and is secure…’
Well, this is the same guy (yeah my older brother…) that replied a long time ago when I asked him why he didn’t use Linux, and he said he couldn’t get his printer working… of course I had to ask which model..
It was an HP! They have probably the best Linux support out there… I just shook my head and walked away.
I’m not sure why java should be the root of the problem. Sure, java like any software sometimes containes bugs that might be malignant, but unlike most other software Java is designed to keep close control over what java code is allowed to do. So running java is not worse than running any other program.
The real root of the problem here is not java, but that people download unknown software over the net, in combination with insecure operating systems that forbids certain things that can be dangerous, instead of allowing things that are not dangerous (making anything not explicitly allowed forbidden).
It doesn’t matter if it is java, flash, or even your webbrowser that does it, this behaviour will always be associated with a risc, even though I agree with you that Apple rolling their own version of java is a bad thing as fewer people will test it, and bugs fixed by Oracle doesn’t directly end up in the Apple version.
Okay, you’ve read the official version, now here is the real deal.
As you all know, Apple hate interpreters. These nasty program are a way out of the “App Store” ecosystem that they cannot control or apply pressure on. As such, as is shown by the large number of infected IP addresses from Cupertino, they deliberately engineered malware targeting the Java runtime environment so as to reduce public faith in it and reduce criticism towards their latest decision to remove it from Mac OS X and making it increasingly harder to get it back as time passes.
It goes further than that, though. Following a secret plot that has been devised by Steve Jobs himself as a last will, Apple is currently examining ways to completely remove web browser functionality from their operating systems, as these represent an unacceptable source of free speech.
The first part of the plan, getting rid of every technology that could put web applications on par with native code (by slowly phasing out plugins and messing up every part of the HTML5 standard that represents a threat as badly as a polar bear raping a baby seal) is now completed. Now, the next step is to slowly inject security flaws in the Webkit codebase and design malware for it, so as to publicly make fun of Google Chrome and simultaneously announce with puppy eyes an increase in “techno-terrorist” attacks targeting the Safari web browsers. Finally, Apple will be able to introduce a “curated, secure, and family-friendly” alternative to the Web, called the iNetwork, which will gradually be the only thing that shows up when you click the Safari icon on an Apple device.
And after that, they will replace the iMac line with giant iPads with maniacal laughters.
(Joking aside, it wouldn’t surprise me that Apple would use this as a way to justify their phasing out of Java ^^)
Edited 2012-04-08 06:37 UTC
Neolander,
You’d be a certifiable conspiracy nut to believe in that plan, but I also have to admit there are elements of genius in it. Discredit technology controlled by others by attacking one’s self.
iNetwork, which will gradually be the only thing that shows up when you click the Safari icon on an Apple device.
http://www.youtube.com/watch?feature=player_detailpage&v=GnO7D5UaDi…
Edited 2012-04-08 18:17 UTC
Cool ! Ancient roots of the conspiracy unveiled ! \o/
Now I have to write a website for it in pure HTML4. No Javascript, no CSS, no PHP. Maybe a frameset for the menu if I want to get fancy, but that’s it. And host it on my laptop too. Because that is what all people who know the truth do.
Edited 2012-04-09 07:34 UTC
As an ex-OSX user (Jaguar to Leopard), I am really surprised that this hasn’t happened before.
The default configuration for OSX From Jaguar to Snow Leopard was with the Firewall OFF.
As usual – people are drawing conclusions about everything from a single event.
This infection looks serious, but the truth is that Java is the one to be blamed [or Apple as a maintainer].
But – to be honest – Java was not written by Apple. It’s not their faulty, bad code.
In other ways: you [I’m talking to you, young man] have no reasons to bash Apple in this case for its code.
All we know is that Apple acts like a moron releasing the patch so long aftern an actual disclosure, but they might have had a reason for that, which we – obviously – don’t know.
So stay calm and drop your weapons. There’s no real reason to get excited.
Might I also say Java problem corresponds to most platform containing Java …
Now, I am no way an Apple or Microsoft “fan”. I avoid walled gardens. I usually use GNU/Linux, *BSDs and other stuff.
marcp,
As far as I know apple’s own code is pretty good but the reason they particularly deserve criticism is because they continually advertise that security is a non-issue on the mac. They even continued their misleading ads after security researchers exploited mac vulnerabilities twice at pwn 2 own contests. These were real zero-day exploits that happened to be in the “right” hands.
http://www.engadget.com/2008/03/27/pwn-2-own-over-macbook-air-gets-…
Security vulnerabilities happen to the best of us, it’s just a shame that companies are too arrogant to admit it.
And they will continue the denial until (if) the problem becomes too blatant to deny it anymore. It helps them sell Macs, you know. And the buyers, they want to believe they don’t have to worry about security issues anymore.
Edited 2012-04-08 08:58 UTC
MacOSX has always had the firewall disabled (well when I used it Jaguar to Leopard), because it basically stops any problems with network enabled programs.
Apple don’t give a f–k about security. They only care about the pretence of it.
Edited 2012-04-08 13:40 UTC
Well, of course, you’re right. I just think we should not believe in anything they say [unless it’s proven to be right]. We should – instead – take it with grain of salt.
Just as we don’t believe in ads, commercials, I don’t think we should take such things seriously.
OSX has been historically a safer neighborhood, compared to Windows. However, this situation…a drive-by that installs without user authentication, is something to pay attention to. For Mac users, the choices include not enabling Java (Safari, Firefox), installing network sniffing apps like Little Snitch (Flashback won’t install if it detects Little Snitch) or using Intego VirusBarrier (same reaction by FlashBack).
I don’t recall reading or hearing from Apple that Mac OSX is impervious to malware…just not susceptible to crap that infects Windows. There is no room for Windows fanbois to laugh about the situation…you need to make sure that MSE is running and up to date to clean up the turds in your own neighborhood.
All easy things that any normal user will be able to do…
I thought the other press headlines was a bit sensasionalist and confusing.
550,000-strong army of Mac zombies spreads across world
http://forums.theregister.co.uk/forum/2/2012/04/05/flashback_trojan…
Confusing because they where actually referring to the machines.
Edited 2012-04-08 14:13 UTC
I go to the dirtiest sites on the net and so far have come (ohh, you know I wanted too out clean. This is quite alarming though. Right after I read this I did check to see if I was infected. Nope, still clean. I will be paying closer attention to security though. Not that I was particularly lacking in it before though.
“Earlier this week, a Russian antivirus company (little red flag going up) ”
What’s that supposed to mean? Just because its Russian, you don’t trust it?
No, it’s because it’s an antivirus company.
Not the first time it’s happened, and won’t be the last. Isn’t even that interesting of a news tidbit imo.
App Launcher seems to be a thin veneer over some unix tools, one of which requires a specific Environment variable for Java 1.5. The recent Java update which fixes the vuln kills that Environment Variable. This cost me quite a bit of time on wednesday….
http://stackoverflow.com/questions/5783481/an-error-occurred-upload…
Has the fix there.
Look for the new iKill product at an Apple store near you for a nominal fee of course.