Mac Virus in the Wild

ExpoMike

Well-known member
Just a heads up for the Mac users out there. Our security team just released this info and I thought others might want to know about this.


Current versions of the Flashback Trojan are leveraging vulnerabilities in Apple Java and do not require any user interaction or elevated privileges. While Apple released an update on April 3rd, many systems were infected prior to the update or remain vulnerable as the update hasn't been applied.

Apple is only providing Java updates for OS X Lion and Snow Leopard. If you are running anything older than Snow Leopard, you very likely are vulnerable and are strongly recommended to update to OS X Snow Leopard or Lion, or to disable Java. To verify your Java version, open a terminal window and type:

java -version

If you see any version number other than 1.6.0_31, you are vulnerable.

To disable Java, run the Java Preferences utility (in the Utilities folder) and uncheck all versions of Java that appear before closing the window. You can also disable Java within your browser to offer additional protection. See:

http://support.apple.com/kb/HT5241

Antivirus products can also provide some protection, but there have been reports that AV vendors have been slow to update signatures as Flashback variants mutate.

Apple has indicated that they will be releasing tools to detect and remove Flashback, but has not yet done so:

http://support.apple.com/kb/HT5244

Other detection/removal sites are referenced below, but there have been some reports that these tools may not detect all variants.

From OSXDaily, "How to Check for the Flashback Trojan in Mac OS X":

http://osxdaily.com/2012/04/05/how-to-check-for-the-flashback-trojan-in-mac-os-x/

Kaspersky Labs has released a tool that will check your hardware UUID against known infected systems:

http://flashbackcheck.com/

They also have a removal tool:

http://support.kaspersky.com/downloads/utils/flashfake_removal_tool.zip

From MacUpdate:

http://www.macupdate.com/app/mac/42571/anti-flashback-trojan

Another removal tool:

http://etresoft.org/freeware/MalwareChecker.zip
 
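The version check and the "is this machine already carrying Flashback" check from the post above, scripted, as an added example that is not part of the original post or of any of the linked tools. It assumes the post's own rule (only Apple Java 1.6.0_31 is patched; any other banner counts as vulnerable) and the publicly documented Flashback persistence method (a DYLD_INSERT_LIBRARIES entry injected into a browser's Info.plist LSEnvironment or into ~/.MacOSX/environment.plist); the function names and the sample banner strings are mine.

```shell
#!/bin/sh
# Added example: checks the Java banner against the post's patched version and
# looks for the plist entries Flashback used for persistence. Not from the original
# post. Assumption: only 1.6.0_31 is patched, exactly as the post states.
PATCHED="1.6.0_31"

# java_version_from_banner BANNER
# Extracts the quoted version from `java -version` output. The banner is written
# to stderr, so callers capture it with 2>&1. Matches both the old Apple format
# ('java version "1.6.0_31"') and newer 'openjdk version "..."' banners.
java_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^[^ ]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# flashback_java_status BANNER
# Prints patched/vulnerable/no-java for a banner string; exit status 0 only when patched.
flashback_java_status() {
  v=$(java_version_from_banner "$1")
  if [ -z "$v" ]; then
    echo "no-java"
    return 2
  fi
  if [ "$v" = "$PATCHED" ]; then
    echo "patched ($v)"
    return 0
  fi
  echo "vulnerable ($v)"
  return 1
}

# check_dyld_injection
# Flashback variants persisted by adding DYLD_INSERT_LIBRARIES to a browser's
# Info.plist LSEnvironment dictionary or to ~/.MacOSX/environment.plist.
# On a clean Mac, `defaults read` fails with "does not exist" for these keys.
# Runs only where defaults(1) exists, so the script is harmless on Linux.
check_dyld_injection() {
  command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not available; skipping plist check"; return 0; }
  for app in /Applications/Safari.app /Applications/Firefox.app; do
    if defaults read "$app/Contents/Info" LSEnvironment >/dev/null 2>&1; then
      echo "WARNING: $app has an LSEnvironment entry; inspect it for DYLD_INSERT_LIBRARIES"
    fi
  done
  if defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES >/dev/null 2>&1; then
    echo "WARNING: ~/.MacOSX/environment.plist sets DYLD_INSERT_LIBRARIES"
  fi
}

# Live check when java is on PATH (2>&1 because the banner goes to stderr).
if command -v java >/dev/null 2>&1; then
  flashback_java_status "$(java -version 2>&1)" || true
fi
check_dyld_injection
```

A machine that passes the version check can still be infected from before the update, which is why the plist check is separate: the version tells you whether you are still exposed, the plist entries tell you whether something already got in. An LSEnvironment entry in Safari is not proof by itself, so read the value before deleting anything.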

DiploStrat

Expedition Leader
Let us be a bit pedantic and note that this is NOT a virus, but rather a Trojan. Scholars differ on whether it can install itself without your providing the root password, but it does seem clear that you will not get this Trojan unless you visit certain Russian websites.
 

dwh

Tail-End Charlie
We could be even more pedantic and argue over whether it actually "mutates". :D
 

DiploStrat

Expedition Leader
The normal definition of a virus requires that it can install itself and migrate. This Trojan cannot, although there are some reports that it can install and run, at least within the Java universe, without your providing the root password. If that is true, then this is a lot closer to being the first real Mac virus.
 

ExpoMike

Well-known member
Virus/Trojan, kind of semantics when you get down to it.

I guess if you believe stories of it only affecting 1%, I'll let the 400 Mac users that got infected at work know they are part of that 1%. Heck, the MacBook Air I am on right now showed it was vulnerable until I disabled Java per the info above.

BTW, here is the release from our security team today. Looks like Apple has released an update for this. BTW, it looks like this update only applies to Snow Leopard and Lion. It has been sounding like Apple is not going to release any update for previous OS versions, which are still vulnerable. YMMV.

Apple has released a Java update via software update (2012-003) that supposedly removes the most common Flashback variants. It also configures the Java web plugin to disable automatic execution of applets, but this can be re-enabled as needed through Java preferences. (Note that this update only seems to be for Snow Leopard and Lion, so older systems are on your own.)

http://support.apple.com/kb/HT5242

In other news, noted yesterday, the Kaspersky removal tool caused some problems on some systems as it was a little too aggressive when removing files. Kaspersky has now pulled the tool from their Flashback web page (although the direct link still works) and is now offering a trial copy of the AV product.

http://www.forbes.com/sites/andygre...-flashback-mac-malware-deletes-user-settings/

There is also some feedback that the F-Secure tool is not as effective as the Kaspersky tool.
 

DiploStrat

Expedition Leader
Do you actually know anyone who has seen this beast? Granted that it is far from a scientific sample, but I have not found anyone at any of the Mac fora that I haunt who has actually found the Flashback Trojan.

Again, as far as I understand, you can only get this thing by navigating to certain Russian web sites and accepting the purported "Flash Upgrade." That is malware/social engineering, NOT a virus. (Now, if you want to argue that many Mac users are less wary than PC users and thus more likely to click on anything because my-Mac-can't-get-viruses, then I might agree.)

There has been Mac malware for some time - there almost has to be because you have to be able to install software on your computer. You just have to be a bit wary about what you install.

In any case, the good news is that the latest update from Apple is said to not only block, but remove this Trojan.

For those who worry about such things, Little Snitch enjoys a great reputation. http://www.obdev.at/products/littlesnitch/index.html
 

ExpoMike

Well-known member
So I guess you didn't read my last post closely. You would have answered your first question. Our network security team blocked 80 Macs the day I posted this info. More have been found since. I guess they are not posting to the Mac fora you haunt...

Since Macs are perfect, I'll keep my pie hole shut in the future. Just trying to help others out, by passing on some useful info. I do trust our security team much more than ANY online user...
 

nwoods

Expedition Leader
I'll keep my pie hole shut in the future. Just trying to help others out, by passing on some useful info. I do trust our security team much more than ANY online user...

ExpoMike, PLEASE do continue to share your info with us. I know DiploStrat's post sounded a little...well, like you apparently took it. But please don't think he nor anyone else was blowing you off. More knowledge is always welcome. It's interesting that such a high number of your company's users had this problem. Might be time to look into their web browsing habits :)

As for corporate security teams, I have never met one that was not way way WAY overly conservative for my own tastes. Yes, there are a lot of stupid users out there, and their attitude is a learned one, not inherited, but surely it doesn't apply to me. After all, I use a Mac :)
 

DiploStrat

Expedition Leader
Let me start by apologizing if I came across as snippy; was not my intent. Don't stop; Macs are not perfect. Believe me, I ran all of the various command lines on my Macs at home! (And you had a better selection of news articles than any other post I have seen.)

I was not sure if you were speaking from personal experience. I am actually surprised to find a company that has that many Mac users, so many companies don't allow them. 400 Macs in one company is a lot. How did your users pick up the Flashback? Did they all visit the same site or a variety of sites?

Having been responsible for various systems at various times, I tend to try to be very precise on that which is a virus; that is, it can get you, no matter what you do, and malware, that is, it must force you to take an otherwise legitimate action. The former is more insidious, the latter more difficult.
 

ExpoMike

Well-known member
I am not going to post where I work but my department is almost 250 users, about 30% Mac users. No one in our department was hit. As for where I work, we have over 17,000 people so 400 is a small percentage.

Yes, virus, malware, spyware, Trojans, etc. are all different in their respective nature of what they do and how they do it. As the primary antivirus support person in our department, I can tell you, at least in the Windows world, malware/spyware/Trojans that have infected machines have mostly come from no user input out of the norm. Much of these issues have come from 3rd party ads on sites you would trust. These 3rd party ads are not hosted on the primary website and hence don't have the same level of AV scanning as the hosting site. I can't tell you how many times a user would just go to CNN or MSNBC and bam, they get hit with malware. One of the most frequent infections is the "Fake Antivirus" malware. In every case I have worked on, they have come from a 3rd party ad linked on the site. The end user never clicked on anything. They open their web browser (which launches to our department site), type in www.cnn.com and go to the site. In the end, it was scripting/Java that so many sites need to use to display their content correctly that allows these infected 3rd party links to infect the client machine.

The days of someone 'having' to click on something are long over. It can and does happen without user intervention. Yes, Apple has kept tight control on their OS, which greatly helps, but I can tell you we have seen a couple come through over the years. I have been doing this, in the same department, for 15 years, so yes, I have seen a lot of weird stuff come through.
 

HumphreyBear

Adventurer
I've administered and latterly designed policies for SME and Enterprise clients around end user computing, including security. This is for Windows, Linux and Mac (and mixed) environments. Mike is quite correct, and if you look closely at what he said he nailed it - it is commonly add-ons using JavaScript that cause problems. Java and JavaScript (same-same but different, I know) have been among the greatest security flaws in Windows for years, on and off, but Java (and JavaScript) is, by design, cross-platform.

Mac users have historically not had viral issues (semantic distinctions are not of interest to me, I use the term generically, malware if you really prefer) because of the incredibly low prevalence (don't get upset, I am talking % market penetration). The main reason I see for the increased usage in corporate environments relates to BYOPC initiatives which allow functional corporate applications (90% on Windows, 5-8% on mid-range or mainframe, the rest 'other') to be delivered to any end user device. This also introduces a massive hole in securing the BYOPCs that many organisations have been unable to parse fully.

Now that Macs are becoming slightly more prevalent in corporations, and as Apple is more and more perceived as selling out its early philosophy in pursuit of the almighty $$, these Mac attacks will become more frequent. Mac OSes are more secure by nature than Windows, but they are not impervious or without sin in this regard. Apple was largely ignored because the phanboi masses in university computer labs and dingy basements, where a large percentage of viruses are written and mutated, always held Apple (and Linux) as platforms that should be revered and not targeted - that is changing. (This excludes the small % of targeted viruses and the large % of harmless viruses that the 'rumour and legend' of the tinfoil hat brigade has the anti-virus companies producing/sponsoring to keep their sales volume high.) Apple has joined Microsoft and Oracle in the League of Evil Empires and disappointed or disgruntled many phans along the way. As a result you will see more and more exploits coming to light over the next few years.

Humphrey
 

HumphreyBear

Adventurer
Might be time to look into their web browsing habits :)
The Flashback reports from reputable sources (e.g. not MacPhanBoi23's blog) that I have seen have not linked the virus to Russian web sites of an exotic and specific nature. I am not disputing the fact per se but can someone send me a (reputable) link which definitively shows this? Everything I've read is in agreement with Mike's post.

As for corporate security teams, i have never met one that was not way way WAY overly conservative for my own tastes.
An anecdote if I may. When working in Canberra for a systems integrator/outsourcer I was in a meeting with the CIO, CTO and Director General of a medium-to-large government department who were excoriating us because as their outsourcer we wouldn't support 'corporate iPhones' (I believe it was iPhone 3 at the time) for security reasons. The Minister wanted an iPhone cos, well, he wanted to look cool and had read they were the bee's knees. The CTO pulled out his personal usage iPhone and was waxing lyrical about security, data integrity, ease of use etc. etc. and was thumping his fist on the table in accompaniment to an endless bloviating diatribe. Our security team lead, who is a Defence/Intelligence forensic and security specialist, politely interrupted him and begged his permission for an experiment. He then opened his laptop and within about 45 seconds began reading select text messages, emails and web browser history from the CTO's phone. It also contained his password for Internet banking which he used on the phone. He then tried it against the CTO's approved Android phone and was unable to do so.

There is a reason behind why security teams operate the way they do, and even though I often find them curmudgeonly and annoying there is a valid reason why they are the final or penultimate arbiters in most IT decision making trees. A bland grey-man might be seen as a party-pooper stomping on emotionally driven 'requirements', but they generally look at these things without emotion and with a scientific rationale. They are also annoyingly cryptic and close with their reasoning a lot of the time, but that shouldn't be interpreted as meaning there is no reason.
 

benedmonson

Disabled Adventurer
Thanks for the insight, I'm going to do the upgrade on all of our Macs now!


Benjie Edmonson
Dir. Of Marketing
Equipt Expedition Outfitters
www.equipt1.com

 
