
Flashback trojan controls a half million Macs


nsane.forums

Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple's headquarters are located.

We have been covering the Mac Flashback trojan since 2011, but the most recent variant from earlier this week targeted an unpatched Java vulnerability within Mac OS X. That is, it was unpatched (at the time) by Apple—Oracle had released a fix for the vulnerability in February of this year, but Apple didn't send out a fix until earlier this week, after news began to spread about the latest Flashback variant.

According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there's no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you're on the Internet, you're potentially at risk.

If you think one of your machines may be infected, F-Secure has instructions on how to use the Terminal to find out.


More than 600,000 Macs infected with Flashback Trojan downloader

Investigations by Russian antivirus firm Dr. Web have concluded that more than 600,000 Mac computers are currently infected by the new strain of Flashback Trojan, with a massive 56.6% of the total infected machines believed to be in the US alone. Apple released an update earlier this week to patch vulnerabilities in Java that could be exploited to run malicious code on a victim's computer, including by the newest strain of the Trojan in question, but this will only protect those that are not already compromised by the malware.

Dr. Web revealed on their website yesterday morning that the Flashback botnet was some 550,000 strong. Later that day, malware analyst Sorokin Ivan revised that figure to more than 600,000 on Twitter.

According to Dr. Web, the US has the most infections with 56.6% of the total infected with the BackDoor.Flashback.39 malware. Of the 300,000 plus infected machines, the Russian antivirus firm also revealed 274 were from Cupertino. Canada had the second highest infection rate with 19.8%, the UK has 12.8%, and Australia is in fourth place with 6.1% of the total number of infected machines.

Internet security firm F-Secure has published detailed instructions on how to verify and remove the Trojan should your Mac computer already be infected. Interestingly, they state that the malware can infect a computer even without administrative permissions. "Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done."

The initial route to infection follows the same path. First the user visits a website which has been infected with the Flashback malware. Upon loading the infected webpage the script is executed, and it then immediately checks for the presence of several antivirus products. Should the presence of any be detected, the script then deletes itself and takes no further action.

If it doesn't find anything, the malware then connects to a specified URL and downloads the payload. It then proceeds to install this payload, and infects the Mac computer. It appears to do this in one of two separate ways, dependent on whether you give administrative permissions.


For those that refuse to grant them, the malware searches for Microsoft Office 2008, 2011 and Word applications, as well as for Skype. If it fails to find these it then creates several files in the userspace area and creates a launch point in the "~/.MacOSX/environment.plist" location of the Mac user's home folder.

Those that grant administrative permission will find the infection follows another pathway, creating several files inside Safari's "/Applications/Safari.app/Contents/Resources" folder, and the creation of a launch point in "/Applications/Safari.app/Contents/Info.plist" to start the malware when Safari is run.

Another note of particular interest is the way the code has been written. It appears to take complete advantage of the average Mac users' notion that their computer can't get infected and therefore doesn't need an antivirus product installed. Those using certain internet security products will therefore not have been infected but it appears to have been written to specifically target those that don't have any installed.

It's also important to note that the installation of the latest security patches from Apple is not enough to resolve the issue for those already infected. Many are now questioning whether Apple could have done more to prevent infections on such a massive scale, especially since Oracle had patches available back in February, but Apple took almost two months longer to release them on their platform.

via http://www.techspot....downloader.html

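The post above names the two launch points Flashback writes (the user's "~/.MacOSX/environment.plist" without admin rights, Safari's "Info.plist" with them) and says F-Secure's Terminal check looks at exactly those files. The script below is an added example, not F-Secure's published procedure and not code from the post; it assumes, as the F-Secure write-up of the time did, that the launch point takes the form of a DYLD_INSERT_LIBRARIES entry in those plists. The plist contents, the temporary paths and the library name `.example.so` are constructed here for the demonstration; the real malware's file names are not given in the post.

```shell
#!/bin/sh
# Added example: scan Flashback's two launch points for a DYLD_INSERT_LIBRARIES
# entry. grep is used instead of the macOS `defaults` tool so the script runs on
# any POSIX system against the constructed sample files built below.

# Report "suspect" if the plist names DYLD_INSERT_LIBRARIES, "clean" if the
# file exists without it, and "absent" if there is no such file (the normal
# state for ~/.MacOSX/environment.plist on an untouched account).
flashback_check_plist() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo absent
        return 0
    fi
    if grep -q 'DYLD_INSERT_LIBRARIES' "$f"; then
        echo suspect
        return 0
    fi
    echo clean
}

# Check every path given; print one line per location and return non-zero
# if any of them is suspect, so the result can drive a follow-up action.
flashback_scan() {
    rc=0
    for f in "$@"; do
        r=$(flashback_check_plist "$f")
        printf '%s: %s\n' "$f" "$r"
        [ "$r" = suspect ] && rc=1
    done
    return $rc
}

# Constructed sample files (hypothetical contents) standing in for
# /Applications/Safari.app/Contents/Info.plist after the admin-path infection
# and for a benign ~/.MacOSX/environment.plist.
FLASHBACK_DEMO_DIR=$(mktemp -d)
FLASHBACK_INFECTED="$FLASHBACK_DEMO_DIR/Info.plist"
FLASHBACK_CLEAN="$FLASHBACK_DEMO_DIR/environment.plist"

cat > "$FLASHBACK_INFECTED" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.example.so</string>
  </dict>
</dict>
</plist>
EOF

cat > "$FLASHBACK_CLEAN" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PATH</key>
  <string>/usr/local/bin:/usr/bin</string>
</dict>
</plist>
EOF

flashback_scan "$FLASHBACK_INFECTED" "$FLASHBACK_CLEAN" "$FLASHBACK_DEMO_DIR/missing.plist" \
    || echo "suspect launch point found; inspect the reported file before running Safari"
```

On a real Mac the same two files would be passed in directly, with one caveat: an Info.plist may be stored as a binary plist, which grep cannot search reliably, so there you would read it with `defaults read` or `plutil -p` first and inspect the `LSEnvironment` output for the same key. A "suspect" result only tells you the launch point is present; as the post notes, patching Java afterwards does not remove it.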


Administrator
Threads merged.


visualbuffs

Doctor Web exposes Macintosh botnet

Russian-based Doctor Web has exposed a large-scale botnet operating on Apple's Macintosh computers, which could be a move towards anti-virus being necessary on Mac OS X machines. In fact, the scale of the actual botnet could be large enough to comprise half a million Macintosh computers, with analysts being unable to predict the full scale.

Malware for OS X, called "Backdoor.Flashback", is running on up to 550,000 different machines mostly located in the United States and Canada. Dr.Web's report is extremely detailed, including an infographic of infections by countries. The botnet stems from machines being redirected to bogus websites, or other traffic distribution systems. Sites used for this are presumably of Russian origin, but the number of sites is currently unknown.

JavaScript code is used to load a Java applet containing the actual exploit. At the end of March, a Google search found around four million different pages which could be spreading the malware. Some posts on Apple's own user forums describe being infected with the malware when visiting DLink.com; DLink produce routers and similar devices.

Exploits are being distributed over three main weaknesses:

  • CVE-2011-3544
  • CVE-2008-5353
  • CVE-2012-0507
Vulnerabilities and exploits were being distributed from around February 2012, though the third of the vulnerabilities listed was only used from March 2012 onwards. On March 3rd, Apple fixed the vulnerability.

While you might not be caught in a botnet now, it is still worth remembering that the botnets might still be in effect with machines that were infected. It can only help to check your machine in case you have an infection. If you do it should be easily removed.

Source



LOL @ Apple fanboys thinking that their metallic casing/shell protects them from malware also.



Administrator

Threads merged.

Guys, please search.
