A Week After Apple's Fix, Flashback Still Infects Half a Million Macs

Sparrowvsrevolution writes "Security firm Dr. Web released new statistics Friday showing that the process of eliminating Flashback from Macs is proceeding far slower than expected: On Friday the security firm, which first spotted the Mac botnet earlier this month, released new data showing that 610,000 active infected machines were counted Wednesday and 566,000 were counted Thursday. That's a slim decrease from the peak of 650,000 to 700,000 machines infected with the malware when Apple released its cleanup tool for the trojan late last week. Earlier in the week, Symantec reported that only 140,000 machines remained infected, but admitted Friday that an error in its measurement caused it to underestimate the remaining infections, and it now agrees with Dr. Web's much more pessimistic numbers."

Re:Well clearly

[jhoegl]

I figure it is because they dont feel they need to update since Apple products are soooo secure.

Re:Well clearly

[__aaqvdr516]

That's what TFA says. The infected machines haven't had the updates installed. That implies that the owners either don't know that they are infected or don't care. I'm leaning towards the former.

With the number of machines that remain, it seems clear also that Mac users aren't using auto updates. What's up with that?

makes more sense

[sribe]

I had wondered how in the hell it got that low that fast--a couple of days after Symantec reported 140,000, they or someone else reported 30,000. But checking the Java vulnerability against versions installed with Mac OS X, it seems that 10.4 and 10.5 should also be vulnerable, while Apple only patched for 10.6 and 10.7. That alone should prevent the numbers dropping so far so fast. Sigh. Smooth move Apple.

Re:makes more sense

[toxygen01]

That's right. However, according to Adium developers' statistics [1], only 13% of OS X users run 10.5 and 3.33% run 10.4. If you do the math and calculate probability with which someone can get infected, you will reach, I believe, very low numbers. 10.5 being apple's equivalent of vista, is dying every day and will be lost in the dust soon.

[1] http://www.adium.im/sparkle/#osVersion

Re:makes more sense

[hairyfeet]

Wow...10.5 was released in 2007 and its ALREADY unsupported according to the wiki? damn maybe folks shouldn't have marked the AC a troll that made the joke about buying a new Mac every year. I thought the big selling point on the Mac was how "high quality" Macs were? Yet the support drops after less than 5 years? I guess that's why I never really got into macs, i just don't get it.

As for TFA can we FINALLY acknowledge and admit that what the windows guys have been saying all these years is true, that you become a big enough target and you WILL get malware? After all we've seen this with both Apple and Linux with Android, and frankly it should have been incredibly obvious with just a moment's thought. I mean where do Windows viruses come from? Well since Vista made running as a limited user mandatory the vast majority I've seen has been PEBKAC, so how can switching OSes magically turn a PEBKAC user into an admin? Answer...it can't and that was the point.

In the end one can't escape the simple fact that ALL OSes are extremely complex collections of very advanced programs and as we all know the more advanced something is the easier it is for a clueless person to break it. Sadly in this case the clueless user was Apple for not pushing out the bog standard version of Java and instead insisting on rolling their own, which would have been fine if it could do so VERY quickly but instead the apple version of java fell farther and farther behind the mainstream. At that point a major attack was inevitable, the only question was when.

If I was a paranoid person i'd have to wonder if this wasn't by design, after all who would fault Apple if they restricted or outright banned Java as a security risk now? Of course Java like Flash allows one to run web based apps which bypasses the appstore which Apple has sunk so much into so a pessimist might say that Apple wants java to go the way of flash and what better way than to remove it to better protect the user?

There are half a milion Macs?

[squiggleslash]

I had no idea, that's almost 500 per coffee shop!

Re:There are half a milion Macs?

[squiggleslash]

Yep, once I finished my screenplay I sold my Powerbook and stopped hanging out there...

semantics of the term "Trojan"

According to wikipedia, Flashback uses web redirects and javascript to automatically load a Java applet that contains the vulnerability.

In my book, it's only a Trojan if a real person is duped into executing it, and IMHO an infected legitimate website redirecting someone to a malicious website that automatically runs something that infects the user's computer does not count as duping a person into executing something.

TL;DR: Flashback is not a trojan. We need a new term for this type of threat.

Re:semantics of the term "Trojan"

[DarwinSurvivor]

I believe they call it a "drive by".

Re:Apple didn't issue fix 10.5, 16.5% of it's user

[Billly+Gates]

10.5 makes up 16.5% of Mac users, sure a lot are on PPC and the Flashback isn't targeting it, or is it?

Also about 4-5% are still on 10.4%

Apple didn't issue Diginotar Root certs fixes for these older OS X version neither.

Come when 10.8 is released, a whopping 65% of Mac users on 10.4-10.6 will be ripe for the pickings

Because Apple only updates the last two OS X versions in circulation, then is now releasing a new OS X version every year.

Microsoft on the other hand issues updates for their OS for 10 years?

Mac's a better value? Less prone to malware? Not for too much longer...

... and yet I find it hilarious when I read all the angry rants on wired.com and here on how poor old XP is going to lose support in 2 years a mere 13.5 years after launch.

This dwells into the more serious issue of the security nightmare that will come when all internet enabled computers that are more used like XP become abandonded. Personally I think it would be a good idea to disable port 80 on all devices 3 months after support ends to keep the upcoming security nightmare. It will anger many users but many malware writters will target XP if MacOSX has so many infections yet remains so small marketshare wise still. We do not allow vehicles with rags for a gas cap to go on the road right?

I understand Apple losses money to support users but something should be done. If not after a few billion lost dollars in bank accounts will create some nasty lawsuits.

Re:Apple didn't issue fix 10.5, 16.5% of it's user

[jedidiah]

> ... and yet I find it hilarious when I read all the angry rants on wired.com and here on how poor old XP is going to lose support in 2 years a mere 13.5 years after launch.

When is the last time a new PC was sold with some version of XP installed by the hardware vendor?

THAT is your starting point for "support", not when the first version was originally released.

Re:Well clearly

[Moridineas]

With the number of machines that remain, it seems clear also that Mac users aren't using auto updates. What's up with that?

You're surprised that users dont install updates? Or choose to skip updates when they are offered? You must be new here... (and by here, I mean, anywhere) This is hardly a problem that is unique to mac users or even ignorant users.

Re:Apple didn't issue fix 10.5, 16.5% of it's user

[Moridineas]

I understand Apple losses money to support users but something should be done. If not after a few billion lost dollars in bank accounts will create some nasty lawsuits.

Apple has been getting more serious about security for awhile (in comparison to, "we're unix, we're ok"). Sandbox, gatekeeper, removal of automatic execution, malware removal tool, etc. They need to gt a LOT better in how they respond though.

Apple clearly understands support in general though. They routinely get excellent marks on their support. See the genius bars as an example. I personally have had out of warranty macs repaired for free. My sister had an out of warranty Macbook case top replaced when it chipped. And so forth. Support is one of the big reasons to buy an Apple, imho.

Re:Well clearly

[kybred]

The Software Update only notifies you of an available update and optionally downloads it in the background. It does not install the update automatically, a user has to click to start the update (and would have to provide admin authentication if they weren't logged into an admin account).

otherwise engaged

[PopeRatzo]

A Week After Apple's Fix, Flashback Still Infects Half a Million Macs

To be fair, Apple users may have more important things to do than install hotfixes. For example, engaging in a love that dare not speak its name can be very time-consuming.

I've heard...

Re:Apple didn't issue fix 10.5, 16.5% of it's user

[Moridineas]

PPC macs have not been sold since 2006. They are no longer supported (we still run 2 power pc macs running 10.4 at work, fwiw, running legacy applications). They were supported through the end of 10.5 (early 2011). 5+ years.

OSX 10.6 and 10.7 are being actively updated. I hate 10.7 and have stuck with 10.6.

First generation Intel Macs were released running 10.4. First generation Intel macs can run OSX 10.7, so they are still supported. They will no longer be supported with 10.8. ~6 years.

Apple seems to roughly support hardware for at least 5 years (given that we've gone through a PPC->Intel transition AND a 32-bit to 64-bit transition in the last ~7 years, not too shabby). I hope they will keep updating 10.6 now that they are hurrying up their OS release schedules.

Re:There has been little else more pleasant in lif

[LinuxIsGarbage]

Ask any enterprise who migrated from XP to Windows 7 and they all say a drop in malware and virus infections is the first thing they notice.

Flash drive Autorun viruses!

By default XP SP1 and newer (IIRC) while not automatically running autorun.inf files from flash drives, will give you the "What do you want to do" prompt including the autorun option. If you decline that, but double click the drive in my computer it will go ahead and run the autorun with no warning or indication. The default action on Windows 7 is to not even try to run autorun from flash drives.

On any computer I have control over (personal or for work) I completely disable autorun because:
a) It's annoying
b) It's dangerous.

Two large corporations I've worked for recently (still using XP) did not disable autorun! It's amazing how much autorun malware runs rampant. Crappy overpriced Symantec or McAfee don't pick them up either. I alert people when I stick their flash drive in my computer and notice hidden autorun.inf files, and hidden mischievous folders with random file names. I usually get stunned looks from them.

I also get stunned looks from IT when I point out the gaping, tractor-trailer sized hole in their security.

Re:Well clearly

No, most of them are talking about being utterly immune. And they were always wrong.

The numbers

[glitch0]

I'm not discrediting these guys and I'm honestly curious: How to they arrive at these numbers? How does one determine if a computer is infected without access to said computer?

Do they port scan 1000 random machines and extrapolate from there? I'm genuinely curious to know their methods. How could they arrive at such a precise number? Surely they must only have a sample of macs and use statistical models to extrapolate, right? They can't scan all the macs, right? right?

How do they do it?!?!

Re:Well clearly

[arkhan_jg]

The updates are only available for Snow Leopard and Lion. If you're on Leopard (10.5) (still sold up until summer 2009) or older, you don't get the security patches OR the latest fixes to remove infection. Apple only support current and previous OS versions for security. Once Mountain Lion comes out in a couple of months, anyone who's running an OS older than october 2010 goes under the bus. Note, they're still selling snow leopard right now, as you need to install it first to go to lion - you can't jump from leopard to lion direct, as leopard don't have the app store needed. You can of course download and make a USB clean installer from an existing lion Mac, but if you've only got one physical machine and no-one can help you make an install, leopard -> snow leopard -> lion it is (pre-made lion install usb keys not available here)

We criticise microsoft for ending support for XP after 13 years, and Apple drops all support after TWO and get a pass? Something like 25% of mac users are using Leopard or older - not least due the removal of PPC support in snow leopard. Mountain Lion looks pretty pointless unless you're also an icloud user, and the steady of killing off of carbon library support in Lion and Mountain Lion means you may have to stick to snow leopard if a key app doesn't run on Lion yet - and you'll be in the same boat as Leopard users right now, running an 'obsolete' unsupported OS with no security patches that's still for sale right now!

Now apple are switching to an annual OSX release, they REALLY need to still support older OSes - such as the soon to be EOL'd snow leopard - longer than they do for critical security patches, such as this one. Apple decided they wanted to control java installation on OSX, they should have the decency to get security patches out for it in a prompt timescale. Don't forget, the whole reason this happened is Apple sat on upstream java security patches for months for even current OSX users - if they'd pushed out the patches THEN, instead of waiting for half a million + users to get infected...