Slashdot Mirror


A Week After Apple's Fix, Flashback Still Infects Half a Million Macs

Sparrowvsrevolution writes "Security firm Dr. Web released new statistics Friday showing that the process of eliminating Flashback from Macs is proceeding far slower than expected: On Friday the security firm, which first spotted the Mac botnet earlier this month, released new data showing that 610,000 active infected machines were counted Wednesday and 566,000 were counted Thursday. That's a slim decrease from the peak of 650,000 to 700,000 machines infected with the malware when Apple released its cleanup tool for the trojan late last week. Earlier in the week, Symantec reported that only 140,000 machines remained infected, but admitted Friday that an error in its measurement caused it to underestimate the remaining infections, and it now agrees with Dr. Web's much more pessimistic numbers."

27 of 161 comments

  1. Re:Well clearly by jhoegl · · Score: 4, Funny

    I figure it is because they don't feel they need to update since Apple products are soooo secure.

  2. Re:Well clearly by __aaqvdr516 · · Score: 4, Interesting

    That's what TFA says. The infected machines haven't had the updates installed. That implies that the owners either don't know that they are infected or don't care. I'm leaning towards the former.

    With the number of machines that remain, it seems clear also that Mac users aren't using auto updates. What's up with that?

  3. makes more sense by sribe · · Score: 5, Interesting

    I had wondered how in the hell it got that low that fast--a couple of days after Symantec reported 140,000, they or someone else reported 30,000. But checking the Java vulnerability against versions installed with Mac OS X, it seems that 10.4 and 10.5 should also be vulnerable, while Apple only patched for 10.6 and 10.7. That alone should prevent the numbers dropping so far so fast. Sigh. Smooth move Apple.

    1. Re:makes more sense by toxygen01 · · Score: 4, Insightful

      That's right. However, according to Adium developers' statistics [1], only 13% of OS X users run 10.5 and 3.33% run 10.4. If you do the math and calculate probability with which someone can get infected, you will reach, I believe, very low numbers. 10.5, being Apple's equivalent of Vista, is dying every day and will be lost in the dust soon.

      [1] http://www.adium.im/sparkle/#osVersion

    2. Re:makes more sense by hairyfeet · · Score: 4, Interesting

      Wow...10.5 was released in 2007 and it's ALREADY unsupported according to the wiki? Damn, maybe folks shouldn't have marked the AC a troll that made the joke about buying a new Mac every year. I thought the big selling point on the Mac was how "high quality" Macs were? Yet the support drops after less than 5 years? I guess that's why I never really got into Macs, I just don't get it.

      As for TFA can we FINALLY acknowledge and admit that what the Windows guys have been saying all these years is true, that you become a big enough target and you WILL get malware? After all we've seen this with both Apple and Linux with Android, and frankly it should have been incredibly obvious with just a moment's thought. I mean where do Windows viruses come from? Well since Vista made running as a limited user mandatory the vast majority I've seen has been PEBKAC, so how can switching OSes magically turn a PEBKAC user into an admin? Answer...it can't and that was the point.

      In the end one can't escape the simple fact that ALL OSes are extremely complex collections of very advanced programs and as we all know the more advanced something is the easier it is for a clueless person to break it. Sadly in this case the clueless user was Apple for not pushing out the bog standard version of Java and instead insisting on rolling their own, which would have been fine if it could do so VERY quickly but instead the Apple version of Java fell farther and farther behind the mainstream. At that point a major attack was inevitable, the only question was when.

      If I was a paranoid person I'd have to wonder if this wasn't by design, after all who would fault Apple if they restricted or outright banned Java as a security risk now? Of course Java like Flash allows one to run web based apps which bypasses the App Store which Apple has sunk so much into so a pessimist might say that Apple wants Java to go the way of Flash and what better way than to remove it to better protect the user?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:makes more sense by Yaztromo · · Score: 3, Informative

      > Wow...10.5 was released in 2007 and it's ALREADY unsupported according to the wiki? Damn, maybe folks shouldn't have marked the AC a troll that made the joke about buying a new Mac every year. I thought the big selling point on the Mac was how "high quality" Macs were? Yet the support drops after less than 5 years? I guess that's why I never really got into Macs, I just don't get it.

      10.5 was the last version that ran on PowerPC machines. People with older PowerPC machines who wanted to keep up to date with the OS needed to upgrade to Intel hardware to run 10.6.

      10.6 for existing Intel Mac owners was $25. From what I've read and seen, a massive percentage of the user base upgraded to 10.6 pretty quickly. 10.6 wasn't a massive upgrade, but by shedding all of the PowerPC support and through compiler optimization, threading and multi-core support improvements (Grand Central Dispatch, and its use by most of the core applications), improved 64 bit support (including a 64-bit kernel and 64-bit apps), and various Intel-specific improvements, 10.6 was a pretty massive upgrade from 10.5 in terms of speed. According to this press release, OS X 10.6 saw twice as many purchases in its first week of release as 10.5 (four times more than 10.4's first week), with sales declining by only 25% in the second week. As such, from a practical standpoint for most Mac users, it's a non-issue, as the majority are now running 10.6 or 10.7 (roughly 78% according to the Adium page quoted by the GP post). 10.6 was such a massive improvement and so cheap (relative to other commercial OS's) that the only real reason to stick with 10.5 was if you're still on PowerPC hardware.

      In terms of hardware support according to Apple systems go into "Vintage" classification if they're between 5 and 7 years old (which for most of the world means "obsolete/unsupported").

      > If I was a paranoid person I'd have to wonder if this wasn't by design, after all who would fault Apple if they restricted or outright banned Java as a security risk now?

      Apple already dropped Java from OS X 10.7. It isn't included at all, but can download and install itself if it's needed (it will typically offer to do so if you try to run anything that requires it).

      The latest Java updates disable Java applet support in Safari and other browsers that use Apple's Java plug-in. You can re-enable this if you need it, however it will disable itself again after a period of disuse. To be honest, while I've long been a Java developer and have no problem with rich Java applications, Java applets are a dead technology anyhow. I haven't come across one in many, many years now.

      Point being, Apple has been moving in this direction for a while. At one point (back in 10.1 IIRC) Java was supposed to be one of the top-level development languages for the Mac. Apple developed and provided the Java Cocoa bindings, which allowed UIs designed in their Interface Builder tool to be bound to Java applications, and Cocoa objects to be easily accessed via Java (and vice-versa). This was deprecated in 2005. Then Apple decided not to support Java in iOS (smart move IMO). Now it's no longer included with the OS, is only available as a downloadable add-on, and applet support is disabled by default. I don't predict they'll be getting rid of it entirely (there are a lot of Java developers on OS X, yours truly included) -- IIRC they're trying to transition to having Oracle maintain it alongside the Linux and Windows versions, instead of doing it themselves. They just want to move into a model more akin to Windows' Java support -- it works fine, and applications run just fine, but you have to get it from Oracle as a separate install.

      All of which reminds me -- my parents are the type who continually ignore the pop-ups that software updates are available for their Mac (no matter how many times I've told them they need to stay up-to-date). I should call them this

  4. There are half a million Macs? by squiggleslash · · Score: 5, Funny

    I had no idea, that's almost 500 per coffee shop!

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:There are half a million Macs? by squiggleslash · · Score: 4, Funny

      Yep, once I finished my screenplay I sold my Powerbook and stopped hanging out there...

      --
      You are not alone. This is not normal. None of this is normal.
  5. semantics of the term "Trojan" by Anonymous Coward · · Score: 5, Informative

    According to wikipedia, Flashback uses web redirects and javascript to automatically load a Java applet that contains the vulnerability.

    In my book, it's only a Trojan if a real person is duped into executing it, and IMHO an infected legitimate website redirecting someone to a malicious website that automatically runs something that infects the user's computer does not count as duping a person into executing something.

    TL;DR: Flashback is not a trojan. We need a new term for this type of threat.

    1. Re:semantics of the term "Trojan" by DarwinSurvivor · · Score: 4, Informative

      I believe they call it a "drive by".

  6. Re:Apple didn't issue fix 10.5, 16.5% of it's user by Billly+Gates · · Score: 5, Informative

    10.5 makes up 16.5% of Mac users, sure a lot are on PPC and the Flashback isn't targeting it, or is it?

    Also about 4-5% are still on 10.4%

    Apple didn't issue DigiNotar root cert fixes for these older OS X versions either.

    Come when 10.8 is released, a whopping 65% of Mac users on 10.4-10.6 will be ripe for the pickings

    Because Apple only updates the last two OS X versions in circulation, then is now releasing a new OS X version every year.

    Microsoft on the other hand issues updates for their OS for 10 years?

    Mac's a better value? Less prone to malware? Not for too much longer...

    ... and yet I find it hilarious when I read all the angry rants on wired.com and here on how poor old XP is going to lose support in 2 years a mere 13.5 years after launch.

    This delves into the more serious issue of the security nightmare that will come when all internet enabled computers that are more used like XP become abandoned. Personally I think it would be a good idea to disable port 80 on all devices 3 months after support ends to keep the upcoming security nightmare. It will anger many users but many malware writers will target XP if MacOSX has so many infections yet remains so small market-share wise still. We do not allow vehicles with rags for a gas cap to go on the road, right?

    I understand Apple loses money to support users but something should be done. If not after a few billion lost dollars in bank accounts will create some nasty lawsuits.

  7. Re:Apple didn't issue fix 10.5, 16.5% of it's user by jedidiah · · Score: 4, Insightful

    > ... and yet I find it hilarious when I read all the angry rants on wired.com and here on how poor old XP is going to lose support in 2 years a mere 13.5 years after launch.

    When is the last time a new PC was sold with some version of XP installed by the hardware vendor?

    THAT is your starting point for "support", not when the first version was originally released.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  8. Re:Well clearly by Moridineas · · Score: 4, Insightful

    > With the number of machines that remain, it seems clear also that Mac users aren't using auto updates. What's up with that?

    You're surprised that users don't install updates? Or choose to skip updates when they are offered? You must be new here... (and by here, I mean, anywhere) This is hardly a problem that is unique to Mac users or even ignorant users.

  9. Re:Apple didn't issue fix 10.5, 16.5% of it's user by Moridineas · · Score: 4, Insightful

    > I understand Apple loses money to support users but something should be done. If not after a few billion lost dollars in bank accounts will create some nasty lawsuits.

    Apple has been getting more serious about security for a while (in comparison to, "we're unix, we're ok"). Sandbox, Gatekeeper, removal of automatic execution, malware removal tool, etc. They need to get a LOT better in how they respond though.

    Apple clearly understands support in general though. They routinely get excellent marks on their support. See the genius bars as an example. I personally have had out of warranty macs repaired for free. My sister had an out of warranty Macbook case top replaced when it chipped. And so forth. Support is one of the big reasons to buy an Apple, imho.

  10. Re:Well clearly by kybred · · Score: 4, Informative

    The Software Update only notifies you of an available update and optionally downloads it in the background. It does not install the update automatically, a user has to click to start the update (and would have to provide admin authentication if they weren't logged into an admin account).

  11. Re:There has been little else more pleasant in lif by Billly+Gates · · Score: 3, Insightful

    Windows and even IE have been getting harder and harder to crack in after the laughably bad issue with XP pre SP1 and IE 6. Windows 7 has ASLR, DEP with all services, special VC2010 exception checking at runtime executable support, and sandboxing. Windows 8 and IE 10 have 2 sandboxes to get an exploit past.

    Ask any enterprise who migrated from XP to Windows 7 and they all say a drop in malware and virus infections is the first thing they notice.

    Maybe MacOSX is an easier target?

    The fact that most MacOSX users do not run antivirus software is also troubling. I say it's essential now as a good one will look at behaviors and sandbox critical files and processes. Avast has a beta for MacOSX already if you hate Norton.

  12. otherwise engaged by PopeRatzo · · Score: 4, Funny

    > A Week After Apple's Fix, Flashback Still Infects Half a Million Macs

    To be fair, Apple users may have more important things to do than install hotfixes. For example, engaging in a love that dare not speak its name can be very time-consuming.

    I've heard...

    --
    You are welcome on my lawn.
  13. Re:Apple didn't issue fix 10.5, 16.5% of it's user by Moridineas · · Score: 4, Informative

    PPC macs have not been sold since 2006. They are no longer supported (we still run 2 power pc macs running 10.4 at work, fwiw, running legacy applications). They were supported through the end of 10.5 (early 2011). 5+ years.

    OSX 10.6 and 10.7 are being actively updated. I hate 10.7 and have stuck with 10.6.

    First generation Intel Macs were released running 10.4. First generation Intel macs can run OSX 10.7, so they are still supported. They will no longer be supported with 10.8. ~6 years.

    Apple seems to roughly support hardware for at least 5 years (given that we've gone through a PPC->Intel transition AND a 32-bit to 64-bit transition in the last ~7 years, not too shabby). I hope they will keep updating 10.6 now that they are hurrying up their OS release schedules.

  14. Re:There has been little else more pleasant in lif by LinuxIsGarbage · · Score: 4, Informative

    > Ask any enterprise who migrated from XP to Windows 7 and they all say a drop in malware and virus infections is the first thing they notice.

    Flash drive Autorun viruses!

    By default XP SP1 and newer (IIRC) while not automatically running autorun.inf files from flash drives, will give you the "What do you want to do" prompt including the autorun option. If you decline that, but double click the drive in my computer it will go ahead and run the autorun with no warning or indication. The default action on Windows 7 is to not even try to run autorun from flash drives.

    On any computer I have control over (personal or for work) I completely disable autorun because:
    a) It's annoying
    b) It's dangerous.

    Two large corporations I've worked for recently (still using XP) did not disable autorun! It's amazing how much autorun malware runs rampant. Crappy overpriced Symantec or McAfee don't pick them up either. I alert people when I stick their flash drive in my computer and notice hidden autorun.inf files, and hidden mischievous folders with random file names. I usually get stunned looks from them.

    I also get stunned looks from IT when I point out the gaping, tractor-trailer sized hole in their security.

  15. Re:Well clearly by Anonymous Coward · · Score: 4, Insightful

    No, most of them are talking about being utterly immune. And they were always wrong.

  16. The numbers by glitch0 · · Score: 5, Interesting

    I'm not discrediting these guys and I'm honestly curious: How do they arrive at these numbers? How does one determine if a computer is infected without access to said computer?

    Do they port scan 1000 random machines and extrapolate from there? I'm genuinely curious to know their methods. How could they arrive at such a precise number? Surely they must only have a sample of Macs and use statistical models to extrapolate, right? They can't scan all the Macs, right? right?

    How do they do it?!?!

    --
    -Glitch "We all know Linux is great...it does infinite loops in 5 seconds." - Linus Torvalds
  17. Re:Well clearly by zippthorne · · Score: 3, Interesting

    And once again, it doesn't do even the above if you're logged in as a regular user. You have to manually kick it off to even find out there *are* updates.

    It's not hard to kick it off, but it is something you have to bother to remember to do. Which, "your parents" probably do not ever really think about.

    --
    Can you be Even More Awesome?!
  18. Re:Welcome to grown up computing by Anonymous Coward · · Score: 3, Insightful

    UNIX has been where grown-ups go to compute for the last 40 years, where have you been?

  19. I wish Microsoft... by sideslash · · Score: 3, Interesting

    ...would hire those two dudes from the "I'm a Mac and I'm a PC" commercial for a reunion commercial. I'm sure Apple would sue, though, because Apple only has a sense of humor when they are making fun of other people.

  20. Re:Apple didn't issue fix 10.5, 16.5% of it's user by Anonymous Coward · · Score: 3, Informative

    First generation Intel Macs are not supported on 10.7.

  21. Re:Apple articles always frustrate me by loosescrews · · Score: 3, Insightful

    There actually was an article on Slashdot that had a link to the information you mentioned. It said how to check to see if you were infected and told how to remove it. By asking why something that was posted wasn't posted, you are doing little to improve our collective opinion of Mac users.

  22. Re:Well clearly by arkhan_jg · · Score: 5, Insightful

    The updates are only available for Snow Leopard and Lion. If you're on Leopard (10.5) (still sold up until summer 2009) or older, you don't get the security patches OR the latest fixes to remove infection. Apple only supports current and previous OS versions for security. Once Mountain Lion comes out in a couple of months, anyone who's running an OS older than October 2010 goes under the bus. Note, they're still selling Snow Leopard right now, as you need to install it first to go to Lion - you can't jump from Leopard to Lion direct, as Leopard doesn't have the App Store needed. You can of course download and make a USB clean installer from an existing Lion Mac, but if you've only got one physical machine and no-one can help you make an install, Leopard -> Snow Leopard -> Lion it is (pre-made Lion install USB keys not available here)

    We criticise Microsoft for ending support for XP after 13 years, and Apple drops all support after TWO and gets a pass? Something like 25% of Mac users are using Leopard or older - not least due to the removal of PPC support in Snow Leopard. Mountain Lion looks pretty pointless unless you're also an iCloud user, and the steady killing off of Carbon library support in Lion and Mountain Lion means you may have to stick to Snow Leopard if a key app doesn't run on Lion yet - and you'll be in the same boat as Leopard users right now, running an 'obsolete' unsupported OS with no security patches that's still for sale right now!

    Now Apple are switching to an annual OSX release, they REALLY need to still support older OSes - such as the soon to be EOL'd Snow Leopard - longer than they do for critical security patches, such as this one. Apple decided they wanted to control Java installation on OSX, they should have the decency to get security patches out for it in a prompt timescale. Don't forget, the whole reason this happened is Apple sat on upstream Java security patches for months for even current OSX users - if they'd pushed out the patches THEN, instead of waiting for half a million + users to get infected...

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.