Over 600,000 Macs infected with Flashback Trojan


tlgerdes
06-04-2012, 04:23 PM
For those with Macs that don't have protection.
http://www.zdnet.com/blog/security/over-600000-macs-infected-with-flashback-trojan/11345?tag=nl.e539

The Flashback Trojan botnet reportedly controls over 600,000 Macs. Thankfully, Apple yesterday released a patch for Java, which the Trojan exploits, so make sure you install it.

In the past few months, Flashback has evolved to exploiting Java vulnerabilities. This means it doesn’t require any user intervention if Java has not been patched on your Mac: all you have to do is visit a malicious website, and the malware will be automatically downloaded and installed.

6.1% of those are located in Australia = 36,000

Omaroo
06-04-2012, 04:40 PM
Yep - saw that, and thanks Trevor for highlighting it here.

We are fairly dependent on Java in our business (Sun Glassfish JSP environment) so have done the update on all of our OSX machines. This is a comparatively rare occurrence still, but as discussed a while ago here - there ain't no such thing as an infallible machine.

tlgerdes
06-04-2012, 05:03 PM
I wanted to bring it to attention, as there was a belief that Macs were immune from auto-installed malware.

This is not a stab at Mac, Apple, Windows, smart people, stupid people or any other majority or minority.

Just a timely reminder to all that system patching is an absolute must nowadays. You cannot wait until it "has been tested", "is safe", "is 3 months down the track", or until my friend, mother, brother, cousin etc. reminds me.

The advanced malware writers discover the holes; the poor malware writers wait until the holes are published by the OS or app vendor, then write new malware on the expectation that 98% of the population won't patch quickly.

Oh, and if you think you don't go to malicious websites, remember that an infection can come from the ads on websites: the advertiser's site gets compromised, malware is injected into the ad, and the ad is read by thousands of computers across multiple sites.

mozzie
06-04-2012, 05:10 PM
thanks had no idea!!!!!!!!!!

cventer
06-04-2012, 05:31 PM
I'm PC
I'm Mac

Mac: What's that about to smack me in the face ?

PC: A big dose of humble pie for those stupid adverts convincing the world you were safer than me.

joe_smith
06-04-2012, 05:32 PM
Really, no system is safe; where there is a will there is a way. I found this interesting as well: Anti-virus can't keep up with threat onslaught (http://www.brisbanetimes.com.au/digital-life/consumer-security/antivirus-cant-keep-up-with-threat-onslaught-20120405-1weis.html). It's pretty scary. Remember the Stuxnet worm (http://www.youtube.com/watch?v=7g0pi4J8auQ)?? Even our mobile phones are now at risk. I imagine in the not too distant future, the computers in new cars will also be affected. As Stuxnet proved, if they want a system they can, and will, get it.

tlgerdes
06-04-2012, 05:38 PM
Yes, Java asked me to update about 30 mins ago :lol:

tlgerdes
06-04-2012, 05:43 PM
Exactly why I didn't get an Internet connected fridge; last thing I want is to come home on a hot day and find the beer warm and chocolate cream instead of ice cream :lol:

"Honest officer, my car was speeding all by itself, it must have caught a virus at the last service and now does what ever its botnet master wants" :lol:

mithrandir
06-04-2012, 05:54 PM
As Joe says, the AV vendors cannot keep up. The alternative is to whitelist applications and block everything else. It's a much smaller job to generate a whitelist than it is to keep trying to identify viruses and trojans that make trivial changes to their code every time they propagate to avoid detection. You need to make the default action in any popup when an unknown program tries to run to be block, and probably an "are you sure? did you get this program from a safe source?" popup.

Symantec Endpoint Protection for one puts up a "<program_name> is trying to make a connection to <ipaddress>:<port>. Block permanently? Block once? Allow once? Allow permanently?" popup.

Omaroo
06-04-2012, 06:03 PM
As per OSXDaily - check for the trojan on your Macs:

http://osxdaily.com/2012/04/05/how-to-check-for-the-flashback-trojan-in-mac-os-x/



All of ours seem to be clear. We keep our systems up to date - constantly. Every update is always applied as soon as it becomes available. People who think it's safer to hang back and "let others check new software" before they do are kidding themselves.
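Added example, not from the thread or the linked OSXDaily article: a small shell wrapper that runs the two `defaults read` indicator checks and reads the answers for you. It assumes (my assumption) that the linked guide uses the checks F-Secure published, which look for a DYLD_INSERT_LIBRARIES hook in Safari's Info.plist and in ~/.MacOSX/environment.plist; a clean Mac answers "does not exist" to both, and the ~/.MacOSX directory normally does not exist at all. The function and variable names are mine.

```shell
#!/bin/sh
# Added example (not the thread's or the linked article's code): wraps the two
# `defaults read` indicator checks for Flashback. Assumed: the linked guide uses
# the F-Secure checks for a DYLD_INSERT_LIBRARIES hook in Safari's Info.plist
# and in ~/.MacOSX/environment.plist. "does not exist" is the clean answer;
# anything else means a library has been registered for injection into Safari
# (or into every app) and needs a closer look.

# Classify the combined stdout+stderr of one `defaults read` call.
# Prints "clean" or "indicator"; returns 0 for clean, 1 for indicator.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean; return 0 ;;
        *)                  echo indicator; return 1 ;;
    esac
}

# Run one check and report it. `defaults` exits non-zero when the key is
# absent, which is the clean case, so its exit status is deliberately ignored
# and only the text is interpreted.
run_check() {
    domain=$1; key=$2
    output=$(defaults read "$domain" "$key" 2>&1)
    verdict=$(classify_defaults_output "$output")
    printf '%-9s %s %s\n' "$verdict" "$domain" "$key"
    [ "$verdict" = clean ]
}

# Exit status: 0 both clean, 1 at least one indicator, 2 not running on OS X.
check_flashback_indicators() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: this check only runs on OS X" >&2
        return 2
    fi
    status=0
    run_check /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    run_check "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    return "$status"
}

# Run when executed as a script; the result is kept in FLASHBACK_STATUS so a
# caller that sources this file for its functions can act on it.
FLASHBACK_STATUS=0
check_flashback_indicators || FLASHBACK_STATUS=$?
```

Save it as, say, flashback_check.sh and run `sh flashback_check.sh` in Terminal; an "indicator" line is a reason to look at the value that came back, not proof of infection on its own, since other software can legitimately set the same environment variable.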

tlgerdes
06-04-2012, 06:12 PM
Andrew, that's not fully effective either. With frameworks like Java, Flash and HTML5 your device must download code from a source, i.e. a website. If your source gets compromised then you will receive the exploit. These exploits usually perform buffer overflows and the like, inserting themselves into your computer with credentials above that of an administrator, and could probably insert themselves into your whitelist as a valid program.

tlgerdes
06-04-2012, 06:21 PM
Sorry, but got to take a stab at the line...

"The trojan takes advantage of a vulnerability in an older version of Java"

Yes, it was an older version of Java for other platforms, as they patched at the beginning of Feb, but Apple didn't release their new Java version that fixed the problem until 2 days ago; that is poor form. This goes back to my comment:
"the poor malware writers wait until the holes are published by the OS or app vendor, then write new malware on the expectation that 98% of the population won't patch quickly."

Octane
06-04-2012, 06:28 PM
Chris, I don't seem to have the ~/.MacOSX directory on my MacBook Pro. Is this normal?

Running a global find at the moment and it hasn't found anything, either.

The first defaults read command returned as per the quoted text.

H

mithrandir
06-04-2012, 06:28 PM
Trevor, there is only one way to make a computer safe. Turn it off, crush the storage media, fill it with concrete, and use it for a boat anchor.

The whitelist must not be user writable.

No-one should ever be doing anything as administrator if they can avoid it. Installing and configuring programs (from a secure location and with valid, not self-signed, cryptographic signatures) is the best example of what they should be allowed. Also the user running an app should not have write access to anything other than data.
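Added example, not from the thread: a minimal version of the application whitelisting mithrandir describes earlier (block by default, run only what is listed) combined with the rule just above that the whitelist itself must not be user writable. It keys the list on SHA-256 of the program file, checks that the list is owned by the expected account and carries no group or world write bit before trusting it, and refuses to run anything unlisted. The list format (one "sha256  comment" per line), the file names and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not the thread's code): a block-by-default application
# allowlist keyed on SHA-256, with a precondition that the list file is owned
# by the expected account and is not group- or world-writable.
# Assumed list format: one line per program, "<sha256>  <comment>".

# Portable SHA-256 of a file: GNU coreutils on Linux, shasum on OS X.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Is the allowlist trustworthy? The owner must be $2 (normally root) and the
# mode string reported by ls must show no group (position 6) or other
# (position 9) write bit. Returns 0 if trusted, 1 otherwise.
allowlist_is_trusted() {
    list=$1; expected_owner=$2
    [ -f "$list" ] || return 1
    set -- $(ls -ld "$list")          # $1 = mode string, $3 = owner
    mode=$1; owner=$3
    [ "$owner" = "$expected_owner" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Returns 0 if the program's hash appears in the allowlist, 1 otherwise.
is_allowed() {
    program=$1; list=$2
    digest=$(sha256_of "$program")
    grep -qE "^$digest( |\$)" "$list"
}

# Gatekeeper: the default answer is "block" unless every check passes.
# Exit status: 2 untrusted list, 1 program not listed, otherwise the program's.
run_if_allowed() {
    program=$1; list=$2; owner=${3:-root}
    if ! allowlist_is_trusted "$list" "$owner"; then
        echo "blocked: $list is missing, not owned by $owner, or writable by others" >&2
        return 2
    fi
    if ! is_allowed "$program" "$list"; then
        echo "blocked: $program is not on the allowlist" >&2
        return 1
    fi
    "$program"
}
```

Usage: `run_if_allowed /path/to/program /etc/allowlist` with the list written by root and chmod 644. The point of the ownership and mode check is exactly mithrandir's: if the user (or malware running as the user) can append to the list, the list proves nothing.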

joe_smith
06-04-2012, 06:31 PM
I agree, Trevor; it's the ones that bypass the checks that are the real problem. Code that exploits 0-day threats is worse, as it usually passes all security checks and then tells you all is OK.

tlgerdes
06-04-2012, 06:46 PM
It doesn't matter if you are an admin/root or not; background processes often run at higher levels of privilege than the logged on user. If you find an exploit in a system process like that, then you usually run your exploit at that level as well. Sometimes you can force the system into higher levels of privilege as well; this is often referred to as privilege escalation and can happen through a raft of methods, including device drivers etc.

As you say, disconnect and crush your computer... go look through your scope instead and grab a pencil and paper.

mithrandir
06-04-2012, 06:58 PM
Trevor, we do what we can. There is a limit to how much you can idiot proof anything. You eventually run into a better class of idiot.

tlgerdes
06-04-2012, 07:02 PM
I always thought of myself as a better class of idiot. :D

kustard
07-04-2012, 07:57 AM
I've been waiting for the patch from Apple ever since I saw this come up. It finally got patched in the past couple of days. Meanwhile I just made sure I kept an eye on my system and internet with various monitoring tools and as default have flash/scripting turned off on my browser.

In my past life as a sysadmin/IT person, patching, maintaining and monitoring a bunch of work computers was part of my daily routine. The speed at which patches were released varied immensely across the various platforms we used. In the end I made sure all machines were up to date and then educated the end users as much as I could, which is the hardest part of all ;)

I much prefer being a coffee monkey now, the only time the coffee machine could crash now is if someone pulls it off the counter ;)

tlgerdes
08-04-2012, 06:06 AM
Well, it was only a matter of time. This is not a virus but a remote vulnerability in a network connected TV. Cannot wait for the malware for this one.

http://seclists.org/bugtraq/2012/Apr/42

How do you patch your TV?:shrug:

mithrandir
08-04-2012, 07:43 AM
Sony have software updates for their TVs. I suppose all the other manufacturers do too.

I wonder if they are any more responsive to patching than M$?