Slashdot Mirror


Flashback Trojan Hits 600,000 Macs and Counting

twoheadedboy writes "A Flashback variant dubbed Backdoor.Flashback.39 has infected over 600,000 Macs, according to Russian security firm Dr Web. The virulent Flashback trojan infecting Apple machines sparked interest earlier this week after it was seen exploiting a Java vulnerability, although it was actually first discovered back in September last year. The Trojan has a global reach after Dr Web found infected Macs in most countries. More than half of the Macs infected are in the US (56.6 percent), while another 19.8 percent are in Canada. The UK has 12.8 percent of infected Macs."

93 of 429 comments

  1. Macs don't get hacked by Dunbal · · Score: 5, Funny

    Is it just wrong if I laugh a little?

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Macs don't get hacked by ifrag · · Score: 5, Funny

      Is it just wrong if I laugh a little?

      Try to keep it to a low chuckle. The reality distortion field might break under greater strain.

      --
      Fear is the mind killer.
    2. Re:Macs don't get hacked by alphatel · · Score: 4, Funny

      Is it just wrong if I laugh a little?

      Try to keep it to a low chuckle. The reality distortion field might break under greater strain.

      It just works!

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    3. Re:Macs don't get hacked by Johnny+Mister · · Score: 5, Insightful

      The funny thing is that Linux users still seem to be under this belief about their OS. The truth is that every OS gets malware, it's just about the market share.

    4. Re:Macs don't get hacked by ericloewe · · Score: 2, Interesting

      Apple should advertise OS X to hackers:

      Instead of stuff like "Robust Kernel based on Unix" hackers would surely be attracted towards "Familiar Unix-based Kernel with guaranteed fewer security measures than Windows or many Linux distros"

    5. Re:Macs don't get hacked by fermion · · Score: 5, Funny

      My surprise is that there are 600K running macs to infect. I thought macs were just bought by rich people to display in their offices while they really used a PC. Clearly this article is propaganda.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    6. Re:Macs don't get hacked by Tarkadot · · Score: 5, Funny

      So, now that the Reality Distortion Field is weakening, it's time to activate the Someone Else's Problem field?

    7. Re:Macs don't get hacked by ByOhTek · · Score: 4, Funny

      ... I tried to find where I should insert the Prozac. I tried the optical disc tray, but that didn't fix it. How do I unsad my Mac?

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    8. Re:Macs don't get hacked by crazyjj · · Score: 5, Funny

      No, college kids love them. They use them to tweet out messages encouraging their fellow students to fight evil corporations.

      --
      What political party do you join when you don't like Bible-thumpers *or* hippies?
    9. Re:Macs don't get hacked by 19thNervousBreakdown · · Score: 2, Funny

      Everybody knows us nerds are suckers for a pretty face with a bit of rouge.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    10. Re:Macs don't get hacked by Anonymous Coward · · Score: 2, Informative

      Let me laugh :

      PC's wear biohazard suits, Macs don't need no biohazard suits

      Mac versus Pc viruses

      I'm a MAC and I don't need no fucking antivirus/malware/biohazard suit you whippersnapper snotty little PC.

      ---> Pc walks away laughing at MAC. Look daddy he's MAC and he's been zombified.

    11. Re:Macs don't get hacked by tripleevenfall · · Score: 4, Insightful

      To be fair this is a Java exploit, and it's already been closed by Apple.

      The dullard users are probably receiving security updates automatically, and so they'd have been updated as of Tuesday.

      Aside from this, the general public does not seem vulnerable:

      Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

      The pirated copy of GraphicConverter 7.4 is being actively distributed on file-sharing networks and torrent sites like Pirate Bay and contains the DevilRobber Trojan, Sophos researchers reported on 29 October. Once on the Mac OS X, DevilRobber creates a backdoor for remote access and installs a Bitcoin miner that uses up spare system resources and steals the content of the user’s Bitcoin wallet, according to Sophos.

    12. Re:Macs don't get hacked by TheRaven64 · · Score: 5, Interesting

      It's not just about market share, although that does play a large part. For malware you spread you need a large or sufficiently interesting target for someone to bother writing it (an OS with only a dozen users, all of which were major banks that used it for Internet-facing transaction processing systems, for example, would be an interesting target even though it would have a tiny market share).

      Then you need an attack vector. Operating system vulnerabilities aren't that uncommon (check the CVE database for the Linux kernel), but most of the time these attacks come through userspace applications. From there, it depends on what the attacker wants to use. Desktop operating systems tend to be more vulnerable in this regard because very few applications are properly sandboxed, so once you've compromised one you've got complete access to everything the user does. Server software tends to be a bit more careful with privilege separation, so a Linux server may be a lot more secure than a Linux desktop.

      Finally, you need some mechanism for it to spread. This is often related to market share. For example, Windows worms used to be very common because if you look at any random IP on the local network you're likely to find a Windows machine. If you've got some Windows exploit, you can spread to every machine on the network very quickly. The same was true of email worms - a worm that compromised Outlook Express could send a message to everyone in the address book, and at least some of them would be running Outlook Express and so it would spread. In contrast, if the lone Mac in the corner of the office is infected then it's harder for it to find another Mac to infect before someone spots unusual traffic patterns and cleans it up.

      --
      I am TheRaven on Soylent News
    13. Re:Macs don't get hacked by UnknowingFool · · Score: 4, Informative

      From what I read, the payload is delivered when you visit certain sites, but as a Trojan, it asks for and requires the user to enter their admin password to install.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    14. Re:Macs don't get hacked by tripleevenfall · · Score: 2

      (after reading more closely, that appears to be a trojan that exploited the same vulnerability.)

    15. Re:Macs don't get hacked by bmo · · Score: 5, Interesting

      Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

      This general method, by far, is the quickest and easiest way to create a botnet. Package up some wanted software with your trojan that you checked against the top 20 malware checkers, and upload away to all the public trackers you can find, and some private ones.

      Yet weeks later when your trojan gets added to the malware definitions, you'll continue to see Windows morons download, run a scan, and pronounce "LOL FALSE POSITIVE".

      There is no anti-malware for stupid.

      --
      BMO

    16. Re:Macs don't get hacked by the_Bionic_lemming · · Score: 3, Funny

      Nobody ever claimed Macintoshes were bulletproof.

      Hi, I noticed you are new here, and just thought I'd welcome you.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    17. Re:Macs don't get hacked by bkaul01 · · Score: 4, Insightful

      To be fair this is a Java exploit, and it's already been closed by Apple.

      The dullard users are probably receiving security updates automatically, and so they'd have been updated as of Tuesday.

      To be fair, that's true of almost all malware that propagates in the wild on Windows-based systems too. Zero-days that haven't been patched by Microsoft/Apple/et al. are very rare on any platform, and usually only available to organizations with resources on the level of nation states or the like for espionage/cyber-warfare purposes (cf. Stuxnet).

    18. Re:Macs don't get hacked by sosume · · Score: 2, Interesting

      Please provide a reference to a recent study showing that a Windows 7 box with a default install will get "629 viruses and trojans a day" - Or did you mean a Windows 95 box?

    19. Re:Macs don't get hacked by rwise2112 · · Score: 2

      Well... Obviously they were just holding them wrong.... or something.

      --

      "For every expert, there is an equal and opposite expert"
    20. Re:Macs don't get hacked by crazyjj · · Score: 3, Insightful

      The reality distortion field might break under greater strain.

      That collapsed the second Jobs died. It's just a matter of time before everyone notices it and you start hearing hipsters and Macheads all saying some variation of:

      "Apple just isn't the same since Steve left. They sold out. It used to be about the MUSIC, man!"

      --
      What political party do you join when you don't like Bible-thumpers *or* hippies?
    21. Re:Macs don't get hacked by tripleevenfall · · Score: 3, Insightful

      Certainly these things are true.

      For the novice user, they are safer with a Mac, I don't think that is any less true than it's been for a while. There are fewer vulnerabilities overall, there's less malware overall, there's no chance they are using IE when on a Mac, the process of keeping updated is more dummy-proof... dummy users are safer on Macs.

      And this is just for people using full PCs. Increasingly these novice users are spending all their computing time in iOS which is even less vulnerable.

    22. Re:Macs don't get hacked by tripleevenfall · · Score: 2

      Also, Linux has roughly the same market share as Mac; with a 5%-6% share.

      I would certainly question the number of humans using OSX every day being roughly equal to the number using Linux.

    23. Re:Macs don't get hacked by 0racle · · Score: 3, Insightful

      Aside from this, the general public does not seem vulnerable:

      Security researchers have uncovered yet another Mac Trojan in the wild, this time hiding inside pirated versions of the Mac OS X image editing application GraphicConverter.

      Yep, idiots doing idiot things because they're idiots. The OS doesn't protect you from yourself; when you tell it to install something it does it.

      --
      "I use a Mac because I'm just better than you are."
    24. Re:Macs don't get hacked by MisterSquid · · Score: 3, Informative
      --
      blog
    25. Re:Macs don't get hacked by VGPowerlord · · Score: 4, Informative

      the process of keeping updated is more dummy-proof... dummy users are safer on Macs.

      It is? Last time I checked, the default update mode for Windows will install updates the next time your shut down your computer after Windows detects an update has been released.

      This is a bit different in a corporate setting, but I assumed you meant for home users.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    26. Re:Macs don't get hacked by BronsCon · · Score: 2

      App Store is not a trusted repo. A trusted repo compiles its own binaries from (community or self) reviewed and vetted source. Apple never sees the source for apps in their store, just the binaries. It would be trivial to throw a bit of sleeping malware into an App Store app, set to activate on, say, 9-11-12 or 12-21-12, that would sneak you past the review process and keep you in the App Store for long enough to build up a decent install base, then BAM, malware activates. Even then, your app won't be pulled until Apple notes the problem as people begin reporting it and they trace it back to your app, or Apple gets around to re-reviewing your app. If you're careful to not make excessive use of resources, users won't notice it and it will go unreported; does Apple even do periodic audits of submitted apps once they've been accepted?

      Not saying this has already happened..... or am I?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    27. Re:Macs don't get hacked by VGPowerlord · · Score: 2

      where every user was the equivalent of root at all times,

      2006 called. It wants its argument back.

      You know that UAC thing people who use Windows like to complain about?

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    28. Re:Macs don't get hacked by bmo · · Score: 3, Informative

      Indeed, this is one of the reasons that got me into Linux in the first place - that I am not nickel-and-dimed for a workable computer.

      By the way, since the Gimp handles RGB images better than Photoshop, it's better for astrophotography processing. ImageMagick is also quite the program.

      Come for the free beer. Stay for the freedom. Use Linux.

      --
      BMO

    29. Re:Macs don't get hacked by BronsCon · · Score: 2

      Or, maybe, they're being modded down because that's not the case anymore. HOST: CentOS 6.2; VM1: OSX Snow Leopard; VM2: Win 7. No realtime scanners on any of those; weekly scans of each have revealed no infections.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    30. Re:Macs don't get hacked by tlhIngan · · Score: 3, Informative

      The funny thing is that Linux users still seem to be under this belief about their OS. The truth is that every OS gets malware, it's just about the market share.

      Actually, the vulnerability used in OS X is also in Linux. So yes, it can infect Linux!

      However, the payload only currently runs on OS X, so infecting Linux is a minor point since it does nothing.

      It's a Java vulnerability. Which is interesting since Apple stopped supporting and shipping Java since what, Leopard (10.5)? Heck, we can blame Oracle for the mess...

    31. Re:Macs don't get hacked by phantomfive · · Score: 2

      Zero-days that haven't been patched by Microsoft/Apple/et al. are very rare on any platform, and usually only available to organizations with resources on the level nation states or the like for espionage/cyber-warfare purposes

      Wow, absolutely not. (Incidentally, "zero-day that hasn't been patched" is redundant. Once the vendor knows about the exploit it is no longer a zero day). These guys find zero days every year. Every iPhone jailbreak is a result of a zero-day exploit, unless you are saying Apple purposely hides vulnerabilities in the system to make them easy to exploit.

      Zero day exploits are still pretty common, and it's worth taking extra steps to be prepared for them (like regular backups, running certain software in a chroot jail, etc).

      --
      "First they came for the slanderers and i said nothing."
    32. Re:Macs don't get hacked by phantomfive · · Score: 2

      I didn't mean security features in the kernel, I meant more visible stuff like UAC (first one that comes to my mind).

      Let me introduce you to sudo. UAC's functionality is very similar to the "sudo" command. Incidentally, if you think UAC is what's needed to make a system secure, you need to spend a few weeks messing around with metasploit. It will open your eyes.

      --
      "First they came for the slanderers and i said nothing."
    33. Re:Macs don't get hacked by BronsCon · · Score: 2

      Black and White, why don't you come together and make a nice shade of gray?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    34. Re:Macs don't get hacked by Chester+K · · Score: 3, Insightful

      You know that UAC thing people who use Windows like to complain about?

      I have to laugh when I see self-proclaimed 'experts' disable UAC, solely because they're smart enough to know where the option to turn it off is; but apparently not smart enough to realize no matter how smart, competent, and safe of a user you think you are, it's never a good idea to run as root, even if you think you're Electronic Jesus who never makes mistakes. (There's considerable overlap between this group of 'experts' and the group of 'experts' who refuse to install MSE because they're 'too good' to need it.)

      Microsoft can only go so far to protect its 'expert' users from themselves. At some point, the user's own stupidity is at fault. And a user's stupidity doesn't go away just because they're using a different OS.

      --

      NO CARRIER
    35. Re:Macs don't get hacked by nine-times · · Score: 2

      It's not *just* about market share. It's about a lot of things, including non-technical issues like the kinds of users the platform attracts, the kinds of work the computer is being used for, and the environment in which the computer is being used.

    36. Re:Macs don't get hacked by tibit · · Score: 3, Informative

      Apple stopped supporting and shipping Java since what, Leopard (10.5)

      That's patently incorrect. Java is alive and well on OS X, and is still supported on Lion, Snow Leopard, and IIRC there was a Java update recently even for Leopard.

      --
      A successful API design takes a mixture of software design and pedagogy.
    37. Re:Macs don't get hacked by cp.tar · · Score: 3, Funny

      Who targets less than 1%?

      The 99%?

      --
      Ignore this signature. By order.
    38. Re:Macs don't get hacked by Dunbal · · Score: 2

      To be fair this is a Java exploit, and it's already been closed by Apple.

      To be fair, most Windows exploits have also been Java/Flash/(Insert 3rd party vendor here) exploits too. It's been a long time since a remote Windows OS vulnerability has been seen. XP service pack 2, perhaps? But then again Windows has never made claims about being inherently "more" secure, either.

      --
      Seven puppies were harmed during the making of this post.
    39. Re:Macs don't get hacked by amicusNYCL · · Score: 3, Insightful

      600,000 computers didn't get infected because someone downloaded some pirated software loaded with the malware. This is not the DevilRobber trojan, this is Flashback. The Java vulnerabilities used to download and run the virus are exploited via the good old drive-by-download method, which does not require user interaction (thanks, Java!).

      According to the Dr Web blog posting, “systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit.”

      This is the exact same method that Windows machines get infected. The top 3 infection vectors are Java, Acrobat, and Flash because all 3 of them will load whatever the server tells them to in a hidden iframe if necessary. Vulnerabilities in IE itself account for less than 10 percent of Windows infections, the vast majority are from insecure third-party browser plugins. Those plugins do not all of a sudden become secure, and the vendors don't all of a sudden start using good security practices, just because the target OS runs on Apple-branded hardware.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    40. Re:Macs don't get hacked by default+luser · · Score: 2

      And not only will Windows automatically update, it will also automatically restart to install that update if you wait too long to do it.

      It seems to wait until the wee hours of the morning to do this, which makes the most sense.

      --

      Man is the animal that laughs.
      And occasionally whores for Karma.

    41. Re:Macs don't get hacked by tripleevenfall · · Score: 3, Funny

      Agree totally. There's no need to pirate closed-source software when good open source solutions exist.

    42. Re:Macs don't get hacked by tripleevenfall · · Score: 2

      This doesn't work as well in today's non-desktop world. Most people's laptops are sleeping when the lid is closed, which it often is at night.

      I think for the most part you'd find that people have the laptop asleep unless they're actively using it, which makes updates annoying and more likely to be canceled by the user.

  2. How to check by Anonymous Coward · · Score: 2, Interesting

    Is there any way to check whether your Mac is infected?

    1. Re:How to check by alphatel · · Score: 2, Informative

      Macs don't get viruses, so there is no reason to check for them, so there is no "app for that".

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    2. Re:How to check by jo_ham · · Score: 2

      Yes.

      From instructions here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

      It basically boils down to running two commands in Terminal:

      defaults read /Applications/Safari.app/Contents/Info LSEnvironment
      defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

      If both of those come back as "The domain/default pair ... does not exist" then you are ok.

      Although even easier, if you have MS Office 2008, MS Office 2011 or Skype installed you are not infected - the Trojan checks for these (for some reason) and deletes itself if it finds them.

      Similarly, it will check for the following directories, and if it finds them it stops installing and self-deletes:

      /Library/Little Snitch
      /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
      /Applications/VirusBarrier X6.app
      /Applications/iAntiVirus/iAntiVirus.app
      /Applications/avast!.app
      /Applications/ClamXav.app
      /Applications/HTTPScoop.app
      /Applications/Packet Peeper.app

      A threat, certainly (and Apple closed the Java hole just this week), but it's trying to fly under the radar as much as possible at the moment for whatever reason.

  3. Fight over the definition! by danbuter · · Score: 3, Insightful

    It's only been a matter of time. Many people think that since the common knowledge is that Macs don't get viruses, they are immune to everything else (including trojans). Only the computer nerds differentiate between viruses, trojans, and malware you get by clicking on something on the internet.

    1. Re:Fight over the definition! by mfnickster · · Score: 2

      A trojan is a program that gives remote access to a compromised machine.

      Not quite accurate. A Trojan Horse is malware of any type that gains privilege by misrepresenting itself as something else, so the user will authorize it.

      That said, can we PLEASE go back to calling them Trojan Horses and not Trojans? I don't want to keep thinking of condoms while talking about computer security.

      --
      "Slow down, Cowboy! It has been 3 years, 7 months and 26 days since you last successfully posted a comment."
  4. no more Spirit of Steve protection? by alen · · Score: 2, Informative

    It used to be magic pixie dust protected Macs but in the last 6 months I've been using the Spirit of Steve

    time to find some new protection

  5. It's not apple's fault... by ilsaloving · · Score: 3, Informative

    The users just surfed wrong.

    But seriously, Apple screwed the pooch really good on this one. Looks like it's time that their corporate culture goes through the same "trustworthy computing" initiative that Microsoft went through over the last few years.

    1. Re:It's not apple's fault... by phantomfive · · Score: 2

      Looks like it's time that their corporate culture goes through the same "trustworthy computing" initiative that Microsoft went through over the last few years.

      They've been adding security to their system for a while now. You may not remember, but back in the day Microsoft security was extremely bad. Everyone running as Administrator was merely one symptom. OSX has had separate user accounts from day 1.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:It's not apple's fault... by ilsaloving · · Score: 2

      Perhaps not waiting for 6 weeks after everyone else had already patched the code?

      Until Apple formally hands over management of their version of Java to the OpenJDK project, it's still their responsibility to patch vulnerabilities in a timely manner.

      This is only going to get worse. OSX's overall virus protection is quite good and IMO is, at worst, on par with Microsoft's best. But that's only because Microsoft started so far behind that they've only now caught up. But in many aspects Microsoft is starting to take the lead. Things like random memory allocation, DEP, full disk encryption all came to Windows well before OSX. If Apple wants to keep their reputation of being more secure than Windows, they are going to have to start innovating more on their security.

      Windows and OSX are now essentially on par with each other security-wise, and you can see the results. Hackers are focusing on other programs like Java or Adobe Reader or whatnot, instead of hitting the OS directly. But because Microsoft has been forced to put security in the forefront of their mindset, I believe that the tables may well turn in their favour.

      Of course, this prediction is tempered by the fact that Ballmer is still at the helm, so grains of salt and all that.

  6. Detection and Removal Info by Anonymous Coward · · Score: 2, Informative

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  7. How to tell whether you are infected by daveschroeder · · Score: 5, Informative

    See here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    Summary:

    If you open Terminal and run

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    and

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    and see:

    The domain/default pair of [...] does not exist

    for each, you are not infected. Also, if you run nearly any AV software or other tools like Little Snitch, you are not infected as it checks for these and deletes itself if found.

    Also, no sensible person ever said "Macs don't get [infected/hacked/whatever]." It's just a lot less likely, and has historically been, even accounting for differences in marketshare. As Mac share increases, it only makes sense they'll be targeted more with malware. But Macs, as a whole, are indeed "more secure", in that still, to this day, you are far less likely — even with the complacency or, if you prefer, ignorance, of Mac users — to become impacted with any malware than with Windows. Maybe someday this will change. But it's never been true to date, and isn't true now. The fact that single instances of Mac malware get so blown out of proportion, STILL, is ridiculous. (Though, Apple could do better with patching known vulnerabilities in Java on Mac OS X...)

    The same advice and best practices for avoiding malware apply to Macs as well as any other desktop platform, and Mac users would do well to run current AV software. The Sophos free edition is nice.
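    Added example, not from this thread or from F-Secure's write-up: a POSIX sh script that automates the two `defaults read` checks in this post and jo_ham's reply above, plus the list of "abort" directories jo_ham quotes. The sample outputs and the `/placeholder/path/injected.dylib` name are constructed assumptions; since `defaults` exists only on macOS, the classifier works on captured output text and the live check simply reports when the tool is absent.

```sh
#!/bin/sh
# Added example (not from the thread or from F-Secure): automates the two
# `defaults read` checks from the thread and the "abort path" list quoted there.
# `defaults` exists only on macOS, so the classifier works on captured output
# text (runs anywhere) and check_flashback runs the real commands when it can.

# Constructed sample outputs in the shape `defaults read` prints; neither is a
# real capture, and the .dylib path is a placeholder, not Flashback's own name.
CLEAN_SAMPLE='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SUSPICIOUS_SAMPLE='{
    DYLD_INSERT_LIBRARIES = "/placeholder/path/injected.dylib";
}'

# Directories the thread says the trojan looks for before installing; if any is
# present it deletes itself. Knowing which exist explains why a given machine
# was spared, but it is not a substitute for the two checks below.
ABORT_PATHS='/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# classify_defaults_output OUTPUT
# Prints "clean" when the domain/default pair is absent (exit 0). Otherwise
# prints "suspicious" plus any .dylib path found in the value (exit 1): nothing
# legitimate should be setting DYLD_INSERT_LIBRARIES for Safari or the login
# session, so any value at all deserves a look.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*)
            printf 'clean\n'
            return 0 ;;
    esac
    # Handle both forms defaults prints: a quoted value inside a dictionary
    # (LSEnvironment) and a bare string (the environment plist key). The
    # leading space added by the first sed command lets the bare form match.
    libs=$(printf '%s\n' "$1" \
        | sed -n 's/^/ /; s/.*[[:space:]"=]\(\/[^";[:space:]]*\.dylib\).*/\1/p' \
        | tr '\n' ' ')
    libs=${libs% }
    printf 'suspicious %s\n' "${libs:-<unparsed value>}"
    return 1
}

# present_abort_paths: prints each ABORT_PATHS entry that exists on this machine.
present_abort_paths() {
    printf '%s\n' "$ABORT_PATHS" | while IFS= read -r p; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# count_present_abort_paths: number of those entries present (0 on a Linux box).
count_present_abort_paths() {
    present_abort_paths | wc -l | tr -d ' '
}

# check_flashback: run the two commands from the thread and classify each.
# Returns 0 if both are clean, 1 if either is suspicious, 2 off macOS.
check_flashback() {
    if ! command -v defaults >/dev/null 2>&1; then
        printf 'defaults(1) not found: the live check only runs on macOS\n'
        return 2
    fi
    status=0
    for target in '/Applications/Safari.app/Contents/Info LSEnvironment' \
                  "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"; do
        domain=${target% *}   # everything before the last space
        key=${target##* }     # the key after it
        # defaults prints the "does not exist" notice on stderr, so merge it.
        out=$(defaults read "$domain" "$key" 2>&1) || :
        printf '%s %s: ' "$domain" "$key"
        classify_defaults_output "$out" || status=1
    done
    return "$status"
}

# Walk through the constructed samples, then attempt the live check.
printf 'sample (clean): '; classify_defaults_output "$CLEAN_SAMPLE" || :
printf 'sample (suspicious): '; classify_defaults_output "$SUSPICIOUS_SAMPLE" || :
check_flashback || :
printf 'abort paths present on this machine: %s\n' "$(count_present_abort_paths)"
```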

    1. Re:How to tell whether you are infected by ArhcAngel · · Score: 5, Funny

      Summary:

      If you open Terminal and run

      This just offended or confused 90% of the MAC users

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    2. Re:How to tell whether you are infected by apcullen · · Score: 5, Insightful

      Excellent post.

      However, I have to disagree with you on one point:

      The fact that single instances of Mac malware get so blown out of proportion, STILL, is ridiculous.

      I don't think it's blown out of proportion, and, rather than being ridiculous, I think it's essential. Mac users generally share a belief that their computer "just works" and that they don't have to be concerned with-- or even aware of-- security. For the good of the community, that should be corrected.

    3. Re:How to tell whether you are infected by 68kmac · · Score: 3, Interesting

      Also, no sensible person ever said "Macs don't get [infected/hacked/whatever]."

      Actually, Apple writes quite a few things that make me (and I'm a Mac user) cringe. For example:

      Download with peace of mind.

      Innocent-looking files downloaded over the Internet may contain dangerous malware in disguise. That’s why files you download using Safari, Mail, and iChat are screened to determine if they contain applications. If they do, OS X alerts you, then warns you the first time you open one.

      Yeah, when you download a file and click on it, a dialog pops up that tells you that the file was downloaded from the internet and may be dangerous. That's all. And after you had to click on that a couple of times for harmless files of all sorts, you just click on it automatically. And, boom, trojan infection ...

    4. Re:How to tell whether you are infected by Sponge+Bath · · Score: 4, Insightful

      This just offended or confused 90% of the MAC users

      If you think 90% of Windows users are any less confused by the "Command Prompt", you have not had to give them technical support.

    5. Re:How to tell whether you are infected by Anonymous Coward · · Score: 2, Funny

      You know, when you claimed that "no sensible person ever said, 'Macs don't get infected'...", I got a little ticked off, because based on my experience, it seemed that NEARLY ALL Apple users had claimed this.

      Then I realized, we're both right.

    6. Re:How to tell whether you are infected by Bill+Hayden · · Score: 5, Funny

      This just offended or confused 90% of the MAC users

      The fact that you wrote Mac as MAC offended or confused an even higher percentage of Mac users.

      --
      Protect your browser with the Force Safe Search add-on
    7. Re:How to tell whether you are infected by Anonymous Coward · · Score: 2, Insightful

      http://www.youtube.com/watch?v=C5z0Ia5jDt4

      Haha, Apple must not be a sensible person. :) Go to the 2:40 mark.

      Yes, I realize this is a marketing ploy.

      In a Michael Moore-esque fashion, they use disingenuous wording to deceive. Apple only ever says that Apple's 'advanced technology' keeps you safe from Windows/PC Viruses, not 'computer viruses' or 'malware' or anything which they could ever actually be infected by... because if a virus ever infects a Mac, it won't be a WINDOWS Virus. Crossplatform maybe, but not a Windows Virus.

    8. Re:How to tell whether you are infected by kthreadd · · Score: 5, Insightful

      Not to mention the network technicians.

    9. Re:How to tell whether you are infected by paleo2002 · · Score: 2

      Thanks for the link and instructions, very helpful. I ran through the procedures and am happy to see that I'm clean. The same page also indicates that this bit of malware basically deletes itself if it finds evidence of security software running on the system, such as Little Snitch or ClamXAV. I was neither offended nor confused by the reference to Terminal. Mac OS has had a hidden command line at least as far back as OS 7.1, IIRC.

      Another simple precaution Mac users can take is to make sure they are not logging into their computer for daily use as an Admin. In System Preferences, under Users & Groups, make sure your personal user account does NOT have Admin level access. Make a separate Admin account, with a very strong password (yes, yes slashdot community, I know there's no such thing . . . let's just pretend for now) and give your usual login account Standard access only. The bad news with this set up is that whenever you install software, move apps and files to a new directory, or change system settings you'll be prompted to enter the Admin login and password. The good news is that malware trying to install or run in the background will also run into the same obstruction.

    10. Re:How to tell whether you are infected by nine-times · · Score: 2

      There's not really any way to protect users from themselves. If a user is technically able to download and install unknown applications, then the user can fall victim to a trojan.

      The only question in my mind is whether it's a good implementation-- making it prompt you too often will result in users always hitting "OK", so you have to use this sort of thing judiciously. That was the complaint about the early implementation of UAC in Vista. It prompted you *constantly*, and so it was both annoying and ineffective. It was greatly improved in Windows 7, and ultimately UAC is one of the things that makes Windows 7 much more secure than Windows XP.

      However, using prompts like this sparingly is both appropriate and common. It's a well-ingrained convention in user-interaction for all operating systems to have pop-up alerts to the user that you're about to do something potentially dangerous.

    11. Re:How to tell whether you are infected by tknd · · Score: 2

      Pretty sure the GP's comment was targeted at Linux and other *nix based OSes for the amount of crap they would get about having to use a terminal for some special commands.

  8. Check if you're infected by Anonymous Coward · · Score: 2, Informative

    Gizmodo's article shows how to determine if your machine is infected. http://www.gizmodo.co.uk/2012/04/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected/

  9. now by ILongForDarkness · · Score: 4, Interesting

    Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus? Users do stupid things, stupid things have consequences, doesn't matter the make of the car you are driving if you are a drunk moron soon enough you'll crash into something. Similarly if you are a horny moron eventually you'll browse to a site that will find a way to get you to install some junk that will trash your computer all in the name of some desperately needed friction motivation.

    1. Re:now by betterunixthanunix · · Score: 2

      Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus?

      It does not help that Apple itself is telling people that their OS will protect them from malware:

      https://www.apple.com/macosx/what-is/security.html

      --
      Palm trees and 8
    2. Re:now by itsdapead · · Score: 2

      Can we please end the madness where people claim that since an OS is a variant of unix it can't get a virus?

      Funny, because in this thread I currently see zero (0) fanbois desperately trying to defend Apple wailing "....but its not a virus, its a trojan, and its all Oracle's fault anyhow!" cf. any number of haters saying "Ha Ha! Macs can so get viruses!!!". Methinks some people are just a bit too desperate to knock Apple.

      Actually, although this one is technically a trojan, it sounds quite nasty in that it can apparently infect your Mac even if you don't fall for the "enter administrator password" dialog. Presumably it still needs some sort of user interaction to work.

      However, I do like the irony that having MS Office installed "inoculates" you against this trojan :-)

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    3. Re:now by thejynxed · · Score: 2

      There's several for MacOS Classic.

      Several Trojans, Worms, etc for OSX. Virus in the classic form? Some proof-of-concepts here and there.

      For a blast from the past:
      http://ftp.cerias.purdue.edu/pub/tools/mac/mac-virus-list.txt (speaking about Mac viruses from the 1980's)

      Interesting read on creation of malicious software targeting OSX:
      https://www.securelist.com/en/analysis/204791948/Mac_OS_X

      A list of baddies for MacOS Classic and OSX:
      http://www.iantivirus.com/threats/

      Also interesting:
      http://lscr.berkeley.edu/archive/mail/magnet/2004/0418.html

      And then there's this:
      http://www.forbes.com/2006/02/16/apple-osx-virus-cx_po_0216autofacescan09.html

      This was amusing:
      https://www.youtube.com/watch?v=Sf6_sPkMupA

      I'm sure there's lots more if I care to dig.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  10. Haha by Anonymous Coward · · Score: 2, Funny

    HAHA HAHAHHAHAHAHHA Hahahahahahhaahha

    hahahahahhahahhahahahhahahahh

    HAHAHAHAHAHAHahahahahahahaha

    1. Re:Haha by shutdown+-p+now · · Score: 2

      You can buy Apple stuff from Brazil - that's manufactured locally.

  11. Yet another Drive By Attack by FlyingGuy · · Score: 2, Insightful

    This is the problem with the web. When the first DBI (Drive By Infection) happened the code that allowed this sort of thing to happen was not ripped out "with extreme prejudice" and in an old /. post I asked why and there was damn little in the way of a response.

    So I ask once again, why has this not been fixed? Why are there so god damn many ways to do this and how come that ability has not been removed?

    It seems to me that in the insanity of trying to make the browser everything instead of a piece of software that renders text, there is nothing but vulnerability after vulnerability and I really don't see any end in sight since in trying to make the browser do everything it needs more and more access to the core functions of the OS it is running on. How can this not lead to more and more attack vectors?

    --
    Hey KID! Yeah you, get the fuck off my lawn!
    1. Re:Yet another Drive By Attack by Whorhay · · Score: 2

      Because web developers love those flashy bits. Stuff like JavaScript just offers them too much to not make use of it. And it would kind of be like tossing the baby out with the bath water.

      One of the problems with Windows for more than a decade has been that explorer could be exploited to gain administrative access, even if the user didn't normally have that level of access. Explorer was a core part of how Windows worked and so they couldn't do a whole lot to fix it until they redesigned for Vista.

      Personally I use NoScript and very rarely, twice in the last seven years or so, have gotten anything on my home system. I use Ubuntu in a virtualbox for anything that makes me too nervous. And reset to a known safe state on the virtual box when I'm done.

  12. Re:But Macs... by geogob · · Score: 2

    I hope for your sake that you're not living in Arizona.

  13. About the users too by monkeyhybrid · · Score: 4, Insightful

    Market share has something to do with it, as does a pretty good track record of security, but the type of users that use Linux is also a significant reason that we don't see widespread malware affecting desktop Linux. Your typical Linux user is generally more nerdy, computer literate and security conscious.

    If you did a survey of how many users clicked on pop-up banners, opened PDFs from spam email, granted permission to untrusted Java applets, etc, I bet the percentage of Linux users who fell in the traps would be smaller than the other OS users.

    1. Re:About the users too by cp.tar · · Score: 2

      Well, here goes.
      My grandfather indeed does use Linux. He doesn’t know the difference because he’s never used Windows anyway.
      Whenever I take a look at his PC, I’m glad I gave him Linux; the amount of “codecs” he downloads when searching for porn alone would make a common Windows antivirus commit suicide.

      My father also uses Linux. He does have Windows on his computer, too, but he mostly uses Linux nonetheless. He’s more savvy, but I still keep an eye on things.
      Also, neither my father nor my grandfather will get to click on any banners that can be disabled through AdBlock Plus.

      --
      Ignore this signature. By order.
    2. Re:About the users too by ProfessionalCookie · · Score: 2

      3rd world nations pirate windows, even where you can pay for it, it's pirated. I live in Northern Mozambique and have yet to see Linux preloaded on anything and every Ubuntu install I've done comes back a week later erased and reinstalled with Windows, including viruses.

  14. Re:Linux by NatasRevol · · Score: 2

    Wrong.

    Here, step by step directions on how you can make one:

    http://www.offensive-security.com/metasploit-unleashed/SET_Java_Applet_Attack

    --
    There are two types of people in the world: Those who crave closure
  15. Re:Linux by jythie · · Score: 4, Insightful

    The piece said 50% of infected machines were in the US, not 50% of US machines were infected.

    And actually I do see linux boxes with old vulnerabilities pretty often. One of the problems with OSS is that updating often breaks libraries... which if you have compiled 3rd party software installed can be a real barrier to updating. We have one machine that has not been updated with any patches for 2-3 years now because they will break installed apps.

  16. Re:It doesn't get PC Viruses by bmo · · Score: 5, Insightful

    OSX has not had a single virus in the wild since its introduction. The first person to get a virus to spread from machine to machine on OSX will be world famous. And it's not like people don't try.

    Viruses are self replicating code that spread themselves via the network or sneakernet. Since OSX, Linux, Solaris, FreeBSD and all other sane OSes strip the execute bit from files coming in off the wire, this is a major hurdle to get over, and is why virus and worm propagation on OSX, other Unices, and Unix like OSes like Linux sucks.

    This was a trojan. Trojans are different. They typically need to trick the user into installing them, and they do not self-propagate.

    But the distinction is lost on people, such as yourself who refuse to believe there is any difference between the Bagel worm and a program that tricks the user to deltree c:\*.* or rm -rf /*

    With that said, there is a way to make certain well-behaved Windows viruses and worms spread cross-platform, and that is to run wine. But then the requirement is that the virus or worm be well behaved and not depend on undocumented Windows features. These are few and far between, and even then, it runs in userspace and the cure is to rm -rf .wine.

    "even if you want to write a virus for iOS you can't" and "there is zero malware in the app store".

    That's because your code is up for review if you want Apple to sell your program for you in the Apple store. They check it for bad stuff and vet the program. The Apple Store is much like the trusted repositories you see in the Linux world. The repo system for Linux has proven time and again this is a good way to go. The only difference with the Apple store is that there is only one repo, theirs.

    >implying that third party software vulnerabilities are suddenly the OS vendor's fault

    This is not even true in the Windows world. Nobody blames Microsoft for an Adobe Reader or Flash vulnerability. Adobe certainly does attract enough blame themselves.

    --
    BMO

  17. Hilarious...so servers outnumber desktops now? by Brannon · · Score: 2

    Only on slashdot.

  18. Re:Linux by jythie · · Score: 2

    Not all apps go through package management, and sometimes they depend on libraries that other system components also depend on.

    Unfortunately 'sandboxing' sometimes requires so much of the system that the only solution is to set up a VM, which puts you right back in the 'old distribution' category'

  19. Re:Linux by jythie · · Score: 2

    *shrug* not everything comes with source or has source available, and not all vendors are happy (or willing) to keep providing new binaries over the years, esp if you are not paying them for it.

    Which gets back to the issue with OSS in this specific domain. OSX and Windows do a pretty good job of maintaining backward binary compatibility. You install an app, that app will probably keep working across many updates. OSS tends to assume that you have the ability to rebuild from source or your app is being maintained through the packaging system of that distribution. For most people this is indeed the case, but when it is not such systems can become a real headache and it is not always possible (or at least not always easy) to isolate large parts of the system in order for the app to use some system libraries while everything else uses another. It gets even worse when you are talking about things that need kernel modules.

    It kinda comes back to 'to each their strengths and weaknesses', and this is a weakness of OSS when it comes to deploying exotic 3rd party applications.

  20. Re:There are many more Macs than Linux boxes by chrb · · Score: 2

    Nope, not an order of magnitude unless you mean base 2. Mac global desktop share is 5%, Linux global desktop share is 1.5%.

  21. Re:600,000 infections? by chrb · · Score: 2

    examine the claim of 600,000 infections?

    F-Secure say that each infection uses the MAC address as a unique User-Agent, so it's easy to count individual infections.

    I'm more than a little skeptical about the distribution of infections.

    Yes, that is interesting. The Register reports that Dr. Web only managed to compromise and "sinkhole" one of the Command and Control servers, so they are only seeing one segment of the network (600k is therefore a lower bound). Dr. Web say "Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet".

    Flashback uses some function to generate C&C addresses and then tries to connect to them. So the question is - is the C&C address generation function dependent on some aspect of the source IP, or geography, or reliant on network topology? Dr. Web do say "It should be noted that the malware utilizes a very peculiar routine for generating such addresses." If so, then it is possible that the Irish infections are connecting to a different C&C server than UK infections.

    The UK has a population ten times bigger than Ireland

    Actually it's 14x bigger.

    Some tweets from Mikko Hypponen of F-Secure:

    mikko : Assuming there are about 45 million Macs out there, Flashback would now have infected more than 1% of them.
    mikko: That would make Flashback roughly as common for Mac as Conficker was for Windows.

  22. Re:600,000 infections? by IrrepressibleMonkey · · Score: 2

    So, do the numbers actually make sense to you then? Do you think this as big as Conficker? Because that would genuinely be news. I'm surprised that only Dr. Web have found an infection of this size. The other security companies must be asleep at the wheel.

  23. No fix for Mac OS X 10.5.8's Java? :( by antdude · · Score: 2

    I would assume so if Apple doesn't support Mac OS X 10.5.x anymore. I hope disabling Java in web browsers is enough since there's no way to uninstall it because Mac OS X came with it. :(

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  24. Re:User accounts by tibit · · Score: 3, Informative

    A bootable image is just an OS X install disc. If you lost yours, you can get one off eBay (or copy it from someone). As soon as the installer starts, you have an option of restoring a time machine backup. It was quite easy last time I tried it (1 year ago or so).

    --
    A successful API design takes a mixture of software design and pedagogy.
  25. Re:600,000 infections? by boley1 · · Score: 2

    According to the Dr. Web site: "Each bot includes a unique ID of the infected machine into the query string it sends to a control server. Doctor Web's analysts employed the sinkhole technology to redirect the botnet traffic to their own servers and thus were able to count infected hosts." Why such a strange distribution of infections? If you look at the list of known infected sites, you can see they would only appeal to a rather odd group of web surfers.
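    The counting method chrb and boley1 describe above (a sinkhole that receives each bot's check-in, with a per-machine ID in the query string and, per F-Secure, the MAC address in the User-Agent) is easy to get wrong if you count requests or IP addresses instead of IDs. The following is an added example, not code from the thread, from Dr. Web or from F-Secure: it parses a constructed sample of combined-format sinkhole access-log lines, attributes each check-in to a bot ID, and reports raw requests, distinct source IPs and distinct bots, plus the per-country split. The log format, the `/check.php?id=` path, the IDs, the IP-prefix-to-country table and the MAC-as-User-Agent fallback are all assumptions made for the example; Flashback's real check-in format is not on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sinkhole log sample (Apache/nginx "combined" format). The IDs,
# paths and IPs are invented; they are not Flashback's real check-in format.
# Bot aaa1 polls twice from one IP, ccc3 polls from two IPs (DHCP lease
# change), three bots share 203.0.113.7 (NAT), and the last line is a
# researcher poking at the sinkhole, not a bot at all.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Apr/2012:10:00:01 +0000] "GET /check.php?id=aaa1&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:01"
203.0.113.7 - - [04/Apr/2012:10:00:05 +0000] "GET /check.php?id=bbb2&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:02"
198.51.100.4 - - [04/Apr/2012:10:01:10 +0000] "GET /check.php?id=ccc3&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:03"
192.0.2.11 - - [04/Apr/2012:10:02:00 +0000] "GET /check.php?id=ddd4&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:04"
203.0.113.7 - - [04/Apr/2012:10:10:01 +0000] "GET /check.php?id=aaa1&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:01"
198.51.100.9 - - [04/Apr/2012:10:11:10 +0000] "GET /check.php?id=ccc3&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:03"
203.0.113.7 - - [04/Apr/2012:10:12:00 +0000] "GET /check.php?id=eee5&v=39 HTTP/1.1" 200 12 "-" "00:1c:42:00:00:05"
192.0.2.50 - - [04/Apr/2012:10:13:00 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/5.0 (researcher)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$', re.IGNORECASE)

# Stand-in for a GeoIP lookup: assumed prefix-to-country table for the sample.
GEOIP_PREFIXES = {"203.0.113.": "US", "198.51.100.": "CA", "192.0.2.": "GB"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def bot_id(rec):
    """Extract the per-machine ID of a check-in: the id= query parameter first,
    then a MAC-address User-Agent as a fallback. None means 'not a bot check-in'."""
    query = parse_qs(urlsplit(rec["target"]).query)
    if "id" in query:
        return query["id"][0]
    if MAC_RE.match(rec["ua"]):
        return rec["ua"].lower()
    return None


def country_of(ip):
    for prefix, cc in GEOIP_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def summarize(log_text):
    """Count check-ins three ways (requests, source IPs, bot IDs) and split bots
    by the country of the IP each bot was first seen from."""
    first_seen = {}          # bot id -> country at first check-in
    ips = set()
    requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bid = bot_id(rec)
        if bid is None:      # scanners, researchers, 404 noise
            continue
        requests += 1
        ips.add(rec["ip"])
        first_seen.setdefault(bid, country_of(rec["ip"]))
    by_country = Counter(first_seen.values())
    total = len(first_seen)
    pct = {cc: round(100.0 * n / total, 1) for cc, n in by_country.items()} if total else {}
    return {"requests": requests, "unique_ips": len(ips), "unique_bots": total,
            "by_country": by_country, "by_country_pct": pct}


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"requests={r['requests']} unique_ips={r['unique_ips']} unique_bots={r['unique_bots']}")
    for cc, n in r["by_country"].most_common():
        print(f"  {cc}: {n} ({r['by_country_pct'][cc]}%)")
```

On the sample this gives 7 requests, 4 source IPs and 5 bots; counting IPs would undercount the NAT'd Macs and counting requests would double-count the ones that poll repeatedly. The caveat chrb raises still applies to the ID count: a sinkhole only ever sees the bots whose C&C address generation led them to the domain you registered, so the figure is a lower bound for the whole botnet and the country split only describes that segment, and an ID chosen by the malware can be spoofed by anyone who knows the check-in format.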

  26. Removal Instructions by elliott666 · · Score: 2

    Does anyone have any suggestions for getting rid of the damn thing?

    Instead of flaming each other maybe we can skip to the part where we say how to remove it completely. Same goes for Windows Malware. If we put in one tenth of the energy documenting the removal of these things that we do into flaming there wouldn't be malware to speak of. Removing the stuff is a pain and every tech I know has a different set of tools they use to do the job.

    In regard to this piece of malware I have scanned computers with Intego's VirusBarrier X6 and it takes days to complete a scan and doesn't seem to be able to remove it anyway. How it takes days is beyond me, there's only a handful of malware for Macs and it seems like a full scan would take seconds, but hey, that's just me.

  27. Re:It doesn't get PC Viruses by bmo · · Score: 3, Insightful

    I said [trojans] do not self-propagate.

    You said Sorry to break your bubble, but this was a drive-by exploit using a hole in Java.

    That's not self-propagation. It also pretends to be a Flash update. That's not a virus. That's a trojan.

    Hope this helps.

    --
    BMO

  28. As I said, there is no such animal by Zero__Kelvin · · Score: 2

    I'm afraid you don't have a clue. To start with, that would not be a Linux exploit. As you pointed out it would be a Java exploit. A Java exploit on Linux, Windows, or OS X is not a Linux, Windows, or OS X exploit. Obviously if I run software you have written on my machine that software will have vulnerabilities. On most Windows boxen in the wild (i.e. horribly and wrongfully configured out of the box), once I exploit your app I can own your OS. On almost all Linux distributions, however, you may access local user data and screw up the local user's stuff, but you will not own the OS.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun