Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Fast-growing Flashback Botnet Includes Over 600,000 Macs, Malware Experts Say
PCWorld ^ | Apr 5, 2012 | Lucian Constantin

Posted on 04/05/2012 5:45:29 AM PDT by iowamark

More than 600,000 Macs have been infected with a new version of the Flashback Trojan horse that's being installed on people's computers with the help of Java exploits, security researchers from Russian antivirus vendor Doctor Web said on Wednesday.

Flashback is a family of Mac OS malware that appeared in September 2011. Older Flashback versions relied on social engineering tricks to infect computers, but the latest variants are distributed via Java exploits that don't require user interaction.

On Tuesday, Apple released a Java update in order to address a critical vulnerability that's being exploited to infect Mac computers with the Flashback Trojan horse.

However, a large number of users have already been affected by those attacks, Doctor Web said in a report issued on Wednesday. The company's researchers have managed to hijack a part of the Flashback botnet through a method known in the security community as sinkholing, and counted unique identifiers belonging to more than 550,000 Mac OS X systems infected with the Trojan horse.

Over 300,000 of the Flashback-infected Macs, or 56 percent of the total, are located in United States, while over 100,000 are located in Canada, Doctor Web said. The U.K. and Australia are next, with 68,000 and 32,000 infected Macs, respectively.

The botnet is growing at a rapid rate. Hours after Doctor Web issued its report, Ivan Sorokin, one of the company's malware analysts announced on Twitter that the botnet had grown to over 600,000 infected computers. He also said that 274 Macs infected with the new Flashback variant were located in Cupertino, the U.S. city where Apple has its headquarters.

F-Secure, the antivirus vendor that warned about the new Flashback attacks on Monday, couldn't confirm Doctor Web's estimate of the botnet's size...

(Excerpt) Read more at pcworld.com ...


TOPICS: Computers/Internet; Reference
KEYWORDS: apple; computersecurity; exploits; flashback; hackers; mac; macfud

1 posted on 04/05/2012 5:45:37 AM PDT by iowamark
[ Post Reply | Private Reply | View Replies]

To: iowamark

That is impossible: the Mac is unsinkable.


2 posted on 04/05/2012 5:54:43 AM PDT by Mr Ramsbotham (Laws against sodomy are honored in the breech.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: iowamark

Thanks for the info.


3 posted on 04/05/2012 6:03:03 AM PDT by ColoCdn (Neco eos omnes, Deus suos agnoset)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Mr Ramsbotham

600,000 systems infected is nothing alongside 60,000,000 users who will have to think twice before posting the ‘Get a Mac’ line on every computer thread.


4 posted on 04/05/2012 6:06:52 AM PDT by relictele (We are officially OUT of other people's money!)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Mr Ramsbotham

Must be the reason neither Flash nor Java Runtime are installed in OS X Lion by default. They are both ‘ports of entry’ for viruses.


5 posted on 04/05/2012 6:10:31 AM PDT by 6SJ7 (Meh.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Mr Ramsbotham
That's getting old.

if you put java on it, you get your problem. So the issue is java. I suppose that too fine a point for most to bother with.

6 posted on 04/05/2012 6:36:06 AM PDT by the invisib1e hand
[ Post Reply | Private Reply | To 2 | View Replies]

To: 6SJ7

Java developers are obnoxious, and I’d attribute the problem to that.


7 posted on 04/05/2012 6:38:13 AM PDT by the invisib1e hand
[ Post Reply | Private Reply | To 5 | View Replies]

To: the invisib1e hand

Ditto on both of your posts.


8 posted on 04/05/2012 7:11:39 AM PDT by RJS1950 (The democrats are the "enemies foreign and domestic" cited in the federal oath)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Mr Ramsbotham

You mean it’s not? </sarc>


9 posted on 04/05/2012 7:11:59 AM PDT by carriage_hill (I'd vote for a "orange juice can", before 0bummer&HisRegimeFromHell, gets another 4yrs. Can-> later.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: the invisib1e hand
if you put java on it, you get your problem.

So "the sandbox" leaks?
10 posted on 04/05/2012 7:13:57 AM PDT by BikerJoe
[ Post Reply | Private Reply | To 6 | View Replies]

To: Mr Ramsbotham
That is impossible: the Mac is unsinkable.

That line of thought is the equivalent of spending $9.99 for after market tires for your Ford Explorer and then blaming Ford for the blowout you get on the highway.

11 posted on 04/05/2012 8:33:04 AM PDT by MarkL (Do I really look like a guy with a plan?)
[ Post Reply | Private Reply | To 2 | View Replies]

To: MarkL
That line of thought is the equivalent of spending $9.99 for after market tires for your Ford Explorer and then blaming Ford for the blowout you get on the highway.

It would be if I really meant it.

12 posted on 04/05/2012 8:37:46 AM PDT by Mr Ramsbotham (Laws against sodomy are honored in the breech.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: iowamark

This does not compute.


13 posted on 04/05/2012 9:40:26 AM PDT by VeniVidiVici (The Democrat Ku Klux Klan is alive and well as the New Black Panthers, CBC and the NAACP)
[ Post Reply | Private Reply | To 1 | View Replies]

To: iowamark

Macs are perfect. Deal with it.


14 posted on 04/05/2012 9:55:06 AM PDT by Fresh Wind ('People have got to know whether or not their president is a crook.' Richard M. Nixon)
[ Post Reply | Private Reply | To 1 | View Replies]

To: iowamark; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
An obscure Russian "computer security" company (that sells a Safari anti-virus checker) claims 600,000 Macs, most in the US and Canada, are infected by the FLASHBACK trojan botnet.—PING!

No other companies corroborate this claim... nor does it make sense. . . since this can install only on Macs that have an OPTIONAL install of the Java runtime library applet, not FLASH. The Trojan itself has been found on only a small number of obscure websites... and to infect such a large number of Macs, all of which would have to be running an older install of OSX (Leopard or older), it would have to be found on numerous popular and frequently visited websites! It simply is not on such websites that Mac users would frequent. Here is a list of the example websites Doctor Web says they found the malware that would infect Macs:

godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu

I don't find THOSE websites to be the type that Mac users would visit!

The rate of infection this company was reporting smacks of the kind we saw with viral infections, not Trojan installations.

In addition, Apple pushed out a patch for Java that fixed this variation of the Flashback vulnerability early Tuesday morning... and since even OSX Leopard Macs are updating their malware definition files daily, I find it even more unlikely that this story is credible.

Does this trojan exist? Yes. Is it in the wild? Yes. It is one of the 20-22 known OSX trojan horse applications out there now... that the OSX system will prevent from being downloaded or installed without the user over-riding the built-in protections. Has it infected 600,000 Macs and made them into a botnet? I highly doubt it.

Frankly, it sounds like FUD to me.


Apple Security Ping!

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

15 posted on 04/05/2012 9:19:07 PM PDT by Swordmaker
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Apple HAS pushed out another JAVA update... This one listed as 2012-002 today. It repairs some issues, unrelated to security, with the one released earlier as 2012-001.


16 posted on 04/05/2012 9:43:53 PM PDT by Swordmaker
[ Post Reply | Private Reply | To 15 | View Replies]

To: All

I have been searching forums... and so far, none of the 600,000 infected have reported they have been infected. Strange, don’t you think? It’s easy to check for and remove this infection, but no one is finding it.


17 posted on 04/05/2012 10:03:12 PM PDT by Swordmaker
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker
CNET: Mac Flashback malware: What it is and how to get rid of it (FAQ)

How to remove the Flashback malware from OS X

18 posted on 04/05/2012 11:40:38 PM PDT by iowamark (The fault, dear Brutus, is not in our stars, But in ourselves)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker

” and since even OSX Leopard Macs are updating their malware definition files daily, I find it even more unlikely that this story is credible.”

What is this malware def file you are referring to?

Part of SW Update?

I ran SW Update last night on a Snow Leopard MBP and got two java updates.

I then ran SW Update on a Leopard Mini and got nothing but an itunes and a Camera Raw patch (then ran it a few extra times, and checked to see if any updates were turned off in SW Update Prefs, but nothing).


19 posted on 04/06/2012 12:13:26 AM PDT by Yehuda (http://jewpoint.blogspot.com)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker
It’s easy to check for and remove this infection, but no one is finding it.

I know of two people who have found the trojan, both were found because Little Snitch was blocking a connection from .rserv to cuojshtbohnt.com.

Apple Discussion Forums has a thread detailing exactly what they were experiencing. I walked one of them through removing it, and if I understand the Apple discussions correctly, the fact that they had Little Snitch installed and they properly blocked it, it did no harm. As a matter of fact, it may have deleted part of itself when it detected Little Snitch from what some are saying, but that seems odd since Little Snitch blocked it in the first place.

It pisses me off to hear people talking about this as if it's a virus. It's a trojan and there is a huge difference. And both of the people I know who got it, they have teenagers and I'm pretty sure they don't monitor their kids' internet usage (don't get me started).
20 posted on 04/06/2012 1:08:10 AM PDT by af_vet_rr
[ Post Reply | Private Reply | To 17 | View Replies]

To: iowamark

Thanks for the reminder not to touch Apple products with a ten foot pole. Let the gays, the tragically hip, the vain, the young skulls full of mush buy those overpriced ridiculousities


21 posted on 04/06/2012 3:40:42 AM PDT by dennisw (A nation of sheep breeds a government of Democrat wolves!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: the invisib1e hand
if you put java on it, you get your problem. So the issue is java. I suppose that too fine a point for most to bother with. 

So I can run Java on my homebuilt quad-core w 8GB ram PC and Apple users cannot? I spent a grand total of $160 last Christmas on memory, motherboard and CPU while Apple buyers (read suckers) pay thousands for machines that will get infected if they run Java. What a scam

22 posted on 04/06/2012 3:47:34 AM PDT by dennisw (A nation of sheep breeds a government of Democrat wolves!)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Swordmaker
> ...so far, none of the 600,000 infected have reported they have been infected. Strange, don’t you think?

There are undoubtedly SOME infected machines. Might be in the hundreds or even thousands. Over half a million? How is that number generated? By Russian anti-virus "Doctor Web"'s Marketing Department with a dart board, most likely.

Is there a botnet? Well, let's wait a little while and see.

I doubt it. I think this is another case of typical anti-virus bullshit marketing, taking a known small problem and trumpeting it as though it's the End Of The World As We Know It.

In a month or two, we'll know. The Apple Haters can show me the headlines... THEN. Until then, I call FUD too.

23 posted on 04/06/2012 8:31:59 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 17 | View Replies]

To: dennisw
Hey Dennis:

> "the gays, the tragically hip, the vain, the young skulls full of mush"

> "Apple buyers (read suckers)"

You're entitled to your opinion. But hurling personal insults at other FReepers is not permitted. Why not cool it and just discuss the topic, instead of trolling? It's not like you're making your point any better for all the crap names you throw around.

24 posted on 04/06/2012 8:44:32 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 22 | View Replies]

To: the invisib1e hand
"if you put java on it, you get your problem. So the issue is java."

Exactly. This 600,000 number is more inflated than Obama's "jobs created" numbers. Anyone buying into this handwringing probably also believe NBC's Zimmerman tape is the real deal.

The conditions that have to be in place for an infection to even be possible, might apply to a small fraction of users. And because the non-Admin variant causes so much system instability it would be discovered quickly and takes mere seconds to eradicate.

Now that Apple is the overwhelming machine of choice, at some point we might actually get a bug to worry about, but this ain't it.

25 posted on 04/06/2012 9:06:06 AM PDT by moehoward
[ Post Reply | Private Reply | To 6 | View Replies]

To: relictele
. 50,000,000 users who will have to think twice before posting the ‘Get a Mac’ line on every computer thread.

Make that 59,999,999.

26 posted on 04/06/2012 9:32:06 AM PDT by itsahoot (Tag lines are a waste of bandwidth, as are most of my comments.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: dennisw
pay thousands for machines that will get infected if they run Java. What a scam

Yep, unlike your machine which is totally invulnerable, in fact you can run millions of free viri and trojans at no extra cost to you. Sigh..... if only I could do that on my Mac.

27 posted on 04/06/2012 9:39:58 AM PDT by itsahoot (Tag lines are a waste of bandwidth, as are most of my comments.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: dennisw
Thanks for the reminder not to touch Apple products with a ten foot pole.

So after seven months Flashback, the first ever successful Mac trojan (which we all admitted was going to come eventually), has managed to infect 600,000 Macs, and that's a reason not to get a Mac.

Let's see how it has been in your world. It only took about a week for Code Red to hit almost 400,000 Windows machines running IIS -- and IIS wasn't even very popular back then, on a few million servers at most.

Over the last decade, it's been far safer to run a Mac.

28 posted on 04/07/2012 10:22:49 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 21 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson