Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac Flashback Attack Began With Wordpress Blogs

Posted by timothy on from the slashcode-was-lower-on-their-target-list dept.

With more on the Flashback malware plaguing many Macs, beaverdownunder writes with some explanation of how the infection grew so quickly: "Alexander Gostev, head of the global research and analysis team at Kaspersky, says that 'tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.'"

3 of 103 comments (clear)

  1. Re:In the end, it's better that it happened by oldlurker · · Score: 5, Informative

    Where did you hear this? At the cooler in Redmond?

    From the numbers it doesn't seem like an unlikely claim actually (single virus compromising percentage of installed base), though a citation would be nice so it made me check (source for numbers below):

    The Mach Flashback virus compromised around 600.000 Macs, which is around 1% of installed base.
    The single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected about 0.7% of the total Windows installed base.

  2. Wordpress wasn't that vulnerable, timthumb was. by Anonymous Coward · · Score: 5, Informative

    "How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in."

    This it not unclear at all. There were a few security problems with WP in the last year. But a LOT of themes use the timthumb.php module to do dynamic rescaling of images. Timthumb used to be extremely vulnerable, you could download a file from http://www.youtube.com.attacker-domainname/anything.php, install it in the timthumb's cache and have full access like forever.

    Updating WP wouldn't do any good, as a fully updated WP installation can still run a vulnerable theme. Even when the flaws in timthumb were fixed and the theme is updated, these sites have been flooded with backdoors, varying from eval($_POST['a']) in wp-config.php to newly created admin users. (Admin users can edit .php files from /wp-admin, an admin user effectively has power to run any php code desired.)

    I've manually removed and analysed infections from several customers wordpress websites, all were hit by timthumb exploits. Some of these websites had literally dozens of backdoors, each of which gave full access to the site. I've seen malware that hid from googlebot to avoid detection. I've seen infections with timers, and infections that kept an IRC connection open to accept commands. These infections were just waiting for the right moment to be abused.

  3. Re:In the end, it's better that it happened by WrongSizeGlass · · Score: 5, Informative

    I say make it worse next time! And, target all OS's!

    The Java exploit used to spread Mac Flashback wasn't Mac specific, it just went unpatched for several months longer on OS X than on Windows. All the while almost all Mac users surfed the internet with a false sense of impunity.

    I don't think any researchers have tried to figure out how many PC's were affected by the same Java exploit, but the impact this has had on the Mac user mindset - and Apple's security responses - should be rather sobering.