Flashback Trojan Malware – Biggest Threat to Apple Mac OS X


On April 4, Russian antivirus vendor Dr. Web published strong evidence that more than 500,000 Macs have been infected by the latest variant of the Flashback trojan, a.k.a. BackDoor.Flashback.39.

As Mikko Hypponen, Chief Researcher at F-Secure pointed out via Twitter, if there are roughly 45 million Macs out there, Flashback would now have infected more than 1 percent of them, making Flashback roughly as common for Mac as Conficker was for Windows.

The more popular Macs become, the more they are the focus of malware authors.
Photo Credit: Sophos D/A/CH Presseinfo's photostream


Flashback appears to be the most widespread Mac malware we've seen since the days when viruses were spread on infected floppy disks; it could be the single most significant malware infection to ever hit the Mac community. Here's what you need to know about Flashback, what you can do about it, and what it means for the future of Mac security.

What is Flashback trojan?
Flashback is the name for a malicious software program discovered in September 2011 that tried to trick users into installing it by masquerading as an installer for Adobe Flash. (Antivirus vendor Intego believes Flashback was created by the same people behind the MacDefender attack that hit last year.) While the original version of Flashback and its initial variants relied on users to install them, this new form is what's called in the security business a drive-by download: Rather than needing a user to install it, Flashback uses an unpatched Java vulnerability to install itself.


Flashback uses an unpatched Java vulnerability to install itself.


If you visit a malicious (or unwittingly compromised) website hosting Flashback, the program attempts to display a specially crafted Java applet. (We don't yet know how many websites host Flashback.) If you have a vulnerable version of Java installed and enabled in your Web browser, the malicious code will infect your system and then install a series of components. Since Apple did not release an update for that vulnerable version of Java until April 3, many users were and still are susceptible.

After initial infection, Flashback pops open a Software Update window to try to obtain your administrative password, but it does so only to embed itself more deeply into your Mac. Even if you aren't fooled at this point, you are still infected. Once it succeeds in infecting your Mac, Flashback inserts itself into Safari and (according to F-Secure) appears to harvest information from your Web browsing activities, including usernames and passwords. It then sends this information to command-and-control servers on the Internet.


The significant thing is that, unlike almost all other Mac malware we've seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.


Am I at risk?
You are at risk if you meet four criteria:

1. You have Java installed on your Mac. One way to find out: open Terminal and type java -version at the prompt. If you do have Java installed, you'll get a version number. It is installed by default on OS X 10.6 Snow Leopard, but not by OS X 10.7 Lion (although Lion installs it the first time you need to run it, which means most Macs likely have it).

2. You do not have the Java for OS X Lion 2012-001 update (if you're running OS X Lion) or Java for Mac OS X 10.6 Update 7 (if you're running Snow Leopard) installed, or you were infected before either of them was installed. Both of those updates install Java version 1.6.0_31; running the java -version command above will tell you whether that's what you've got.


3. You allow Java applets to display in your browser. In Safari, go to Preferences > Security > Web Content and see if the Enable Java option is checked. You can turn that option off by unchecking it.

4. You do not have certain security tools installed on your Mac that Flashback checks for, including Little Snitch, Xcode, and a few anti-malware tools. Antivirus vendors do not appear to have detected this particular version of Flashback for a few days after it appeared in the wild, though some vendors—including Intego—protected users with updates in late March. Malware often shares bits of code from earlier versions that may be detectable by antivirus products before those products have been specifically updated to catch newer versions, but such protection is hit-or-miss.
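The first three criteria can be checked from the same Terminal the article points you at. The script below is an added example, not code from the Macworld article: the version parsing works on the text that java -version prints, and the Safari check assumes that Safari 5 stores its "Enable Java" checkbox in the WebKitJavaEnabled key of the com.apple.Safari preferences (an assumption, marked in the code). Run it with --report to test the Mac it runs on; without that flag it only defines the functions.

```shell
#!/bin/sh
# Added example (not code from the Macworld article): script the first three
# "Am I at risk?" criteria from Terminal. The version parsing is pure text
# handling; the Safari preference key is an assumption (see comment below).

# Pull the quoted version string out of `java -version` output, e.g.
#   java version "1.6.0_29"  ->  1.6.0_29
# Prints nothing when no version line is present (Java not installed).
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | sed -n '1p'
}

# Succeed (exit 0) when version $1 is 1.6.0_31 or newer, i.e. at least the
# build shipped by Java for OS X Lion 2012-001 / Java for Mac OS X 10.6
# Update 7. Fields are compared numerically, so 1.6.0_29 < 1.6.0_31 < 1.7.0_04,
# and an empty or unparseable string counts as unpatched.
java_version_is_patched() {
    printf '%s\n' "$1" | awk -F'[._]' '{
        key = $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4
        patched = 1006000031          # 1.6.0_31 encoded the same way
        exit !(key >= patched)        # awk exit status becomes the function result
    }'
}

# Report the criteria for the Mac this runs on. Only called when the script
# is invoked with --report, so the functions above can be sourced or tested
# without touching the live system.
report_exposure() {
    # `java -version` writes to stderr; on a Mac without Java the command
    # fails (or offers to install it), which we treat as "not installed".
    out=$(java -version 2>&1 || true)
    ver=$(java_version_from_output "$out")
    if [ -z "$ver" ]; then
        echo "Criterion 1: Java not installed - no exposure through this vector"
    elif java_version_is_patched "$ver"; then
        echo "Criterion 2: Java $ver is 1.6.0_31 or newer - the vulnerable build is gone"
    else
        echo "Criterion 2: Java $ver predates 1.6.0_31 - run Software Update"
    fi

    # Assumption: Safari 5 keeps its 'Enable Java' checkbox in the
    # WebKitJavaEnabled key of com.apple.Safari; an absent key means unset.
    java_pref=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null || true)
    if [ "$java_pref" = "1" ]; then
        echo "Criterion 3: Safari allows Java applets - uncheck Preferences > Security > Enable Java"
    else
        echo "Criterion 3: Safari Java applets disabled (or key not set)"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report_exposure
fi
```

Criterion 4 (the security tools Flashback looks for) is deliberately left out: the article does not list the paths the malware checks, and guessing them would make the script report on something it cannot verify.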

How can I protect myself?
The first thing to do is run Software Update and make sure you have the latest patches. This will prevent any infections that exploit the current vulnerability; there aren't any other known infection vectors (other than tricking you into installing it, which won't go away anytime soon and doesn't rely on Java). There are a few other things I'd recommend you do to reduce the chances of future drive-by malware infections:

1. Disable Java in Safari and other Web browsers. Unlike Flash, you rarely need it these days. Again, in Safari, go to Preferences > Security > Web Content and uncheck Enable Java. The folks at TidBITS posted instructions and screenshots for doing the same in Chrome and Firefox.

2. Uninstall Flash and use Google Chrome as your browser. Google Chrome includes an embedded, sandboxed version of Flash that reduces the chances an attacker can infect your system. Download the Flash uninstaller, then install Google Chrome.

3. If you don't need Java at all, disable it. The Java Preferences utility is in /Applications/Utilities; uncheck the boxes next to the versions listed in the General tab. Be careful, though: some programs such as CrashPlan (which I use) require it. But there aren't many apps like that on the Mac market anymore.

I still use Safari, but when I need Flash I switch to Google Chrome. I haven't allowed Java to run in my browser for some years now, due to my fear of this kind of attack. Mac antivirus tools may help, but they still don't catch everything. That said, the current programs are far less intrusive and performance-impairing than they used to be; some of them (including Sophos and ClamXav) offer free versions. Remember, antivirus tools aren't perfect, and you can still be infected by new malware if those tools don't specifically protect against it. Many Windows users learn this lesson the hard way on a daily basis.


Are there really more than half a million infected Macs?
Yes, it really looks that way.

While we don't have independent validation, the techniques described by Dr. Web to measure the infection are plausible: Using one called sinkholing, Dr. Web redirected command-and-control traffic to its own analysis server. Since each infected Mac provides its unique device ID when connecting to the server, this allows Dr. Web to count infections on a per-machine basis; that's more accurate than counting connections based on IP addresses (which might be shared by multiple Macs).
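To make the per-device versus per-IP distinction concrete, here is an added example (not Dr. Web's tooling and not code from the article) that counts a sinkhole's check-ins three ways. The log format (timestamp, source IP, device ID) and every line in it are constructed for the example, with IPs drawn from the RFC 5737 documentation ranges: three Macs share one NAT address, one laptop checks in from two networks, and several bots check in more than once.

```shell
#!/bin/sh
# Added example (not Dr. Web's tooling or code from the article): count a
# sinkhole's check-ins three ways to show why per-device IDs beat IP counts.
# The log format and every value below are constructed for the example:
#   <timestamp> <source IP> <device ID sent by the bot>
SINKHOLE_LOG='2012-04-04T10:00:01 203.0.113.10 DEV-0001
2012-04-04T10:00:05 203.0.113.10 DEV-0002
2012-04-04T10:00:09 203.0.113.10 DEV-0003
2012-04-04T10:01:00 198.51.100.7 DEV-0004
2012-04-04T10:02:00 198.51.100.7 DEV-0004
2012-04-04T11:00:00 192.0.2.44 DEV-0004
2012-04-04T11:05:00 192.0.2.44 DEV-0005
2012-04-04T11:06:00 203.0.113.10 DEV-0001'

# Number of distinct values in field $2 of log text $1 (well-formed lines only).
field_cardinality() {
    printf '%s\n' "$1" | awk -v f="$2" 'NF >= 3 { print $f }' | sort -u | wc -l | tr -d ' '
}

# Raw connection count: overcounts, because every bot checks in repeatedly.
count_connections() {
    printf '%s\n' "$1" | awk 'NF >= 3' | wc -l | tr -d ' '
}

# Distinct source IPs: undercounts when several Macs share one NAT address,
# and double-counts a laptop that checks in from home and then from work.
count_unique_ips() {
    field_cardinality "$1" 2
}

# Distinct device IDs: one per infected machine, which is the basis the
# article gives for Dr. Web's 500,000+ figure.
count_unique_devices() {
    field_cardinality "$1" 3
}

# How many distinct devices hide behind each IP (prints "ip count" per line).
devices_per_ip() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $2, $3 }' | sort -u \
        | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

echo "connections:    $(count_connections "$SINKHOLE_LOG")"
echo "unique IPs:     $(count_unique_ips "$SINKHOLE_LOG")"
echo "unique devices: $(count_unique_devices "$SINKHOLE_LOG")"
devices_per_ip "$SINKHOLE_LOG"
```

On the constructed log the three counts disagree (8 connections, 3 IPs, 5 devices), and the per-IP breakdown shows the NAT address 203.0.113.10 fronting three separate machines; counting by device ID is the only one of the three that lands on the true number of infected Macs.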


Free Flashback malware removal tool

In April 2012, F-Secure released a free automated removal tool for the Flashback Trojan that has infected so many Mac OS X systems. The removal tool (linked as "Flashback malware removal tool") is distributed as a zip file. Once you download and unzip it, follow the instructions to find the virus on your system. If the removal tool finds the Trojan on your system, it will isolate it in a password-protected file in your Home folder. The password to this file is "infected". The removal tool will also save a log file of all its activities on your computer and give instructions for how to clean your system up.

Credit: Macworld.com
