ICEINSPACE

06-04-2012, 04:23 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Over 600,000 Macs infected with Flashback Trojan
For those with Macs that don't have protection.
http://www.zdnet.com/blog/security/o...45?tag=nl.e539
The Flashback Trojan botnet reportedly controls over 600,000 Macs. Thankfully, Apple yesterday released a patch for Java, which the Trojan exploits, so make sure you install it.
In the past few months, Flashback has evolved to exploiting Java vulnerabilities. This means it doesn’t require any user intervention if Java has not been patched on your Mac: all you have to do is visit a malicious website, and the malware will be automatically downloaded and installed.
6.1% of those are located in Australia = 36,000

06-04-2012, 04:40 PM
Let there be night...
Join Date: Aug 2006
Location: Hobart, TAS
Posts: 7,639
Yep - saw that, and thanks Trevor for highlighting it here.
We are fairly dependent on Java in our business (Sun Glassfish JSP environment) so have done the update on all of our OSX machines. This is a comparatively rare occurrence still, but as discussed a while ago here - there ain't no such thing as an infallible machine.

06-04-2012, 05:03 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
I wanted to bring it to attention, as there was a belief that Macs were immune from auto-installed malware.
This is not a stab at Mac, Apple, Windows, smart people, stupid people or any other majority or minority.
Just a timely reminder to all that system patching is an absolute must nowadays. You cannot wait until it "has been tested", "is safe", "is 3 months down the track", or until my friend, mother, brother, cousin etc. reminds me.
The advanced malware writers discover the holes; the poor malware writers wait until the holes are published by the OS or app vendor, then write new malware on the expectation that 98% of the population won't patch quickly.
Oh, and if you think you don't go to malicious websites, remember that an infection can come from the ads on websites: the advertiser's site gets compromised, malware is injected into the ad, and the ad is read by thousands of computers across multiple sites.

06-04-2012, 05:10 PM
Registered User
Join Date: Mar 2007
Location: moonee beach
Posts: 2,179
Thanks, had no idea!

06-04-2012, 05:31 PM
Registered User
Join Date: Jul 2005
Location: Melbourne Australia
Posts: 957
I'm PC
I'm Mac
Mac: What's that about to smack me in the face?
PC: A big dose of humble pie for those stupid adverts convincing the world you were safer than me.

06-04-2012, 05:32 PM
Registered User
Join Date: Mar 2006
Location: Ingleburn
Posts: 481
Really no system is safe; where there is a will there is a way. I found this interesting as well: Anti-virus can't keep up with threat onslaught.
It's pretty scary. Remember the Stuxnet worm? Even our mobile phones are now at risk. I imagine in the not too distant future, the computers in new cars will also be affected. As Stuxnet proved, if they want a system they can, and will, get it.

06-04-2012, 05:38 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Quote:
Originally Posted by kinetic
Sorry for the OT and off-platform post, but has anyone noticed Win 7 / Firefox / Java attempting or asking for an update in the last 24/48 hrs also?

Yes, Java asked me to update about 30 mins ago.

06-04-2012, 05:43 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Quote:
Originally Posted by joe_smith
I imagine in the not too distant future, the computers in new cars will also be affected.

Exactly why I didn't get an Internet-connected fridge. The last thing I want is to come home on a hot day and find the beer warm and chocolate cream instead of ice cream.
"Honest officer, my car was speeding all by itself. It must have caught a virus at the last service and now does whatever its botnet master wants."

06-04-2012, 05:54 PM
Registered User
Join Date: Jan 2009
Location: Glenhaven
Posts: 4,161
As Joe says, the AV vendors can not keep up. The alternative is to whitelist applications and block everything else. It's a much smaller job to generate a whitelist than it is to keep trying to identify viruses and trojans that make trivial changes to their code every time they propagate to avoid detection. You need to make the default action in any popup when an unknown program tries to run to be block, and probably an "are you sure? did you get this program from a safe source?" popup.
Symantec Endpoint Protection for one puts up a "<program_name> is trying to make a connection to <ipaddress>:<port>. Block permanently? Block once? Allow once? Allow permanently?" popup.

06-04-2012, 06:03 PM
Let there be night...
Join Date: Aug 2006
Location: Hobart, TAS
Posts: 7,639
As per OSXDaily - check for the trojan on your Macs:
http://osxdaily.com/2012/04/05/how-t...n-in-mac-os-x/
Quote:
Trojans and viruses are generally something Mac users don’t have to worry about, but there’s a lot of hubbub about the so-called Flashback trojan that has apparently infected several hundred thousand Macs worldwide. The trojan takes advantage of a vulnerability in an older version of Java that allows it to download malware which then “modifies targeted webpages displayed in the web browser.” As we mentioned yesterday on Twitter, the vulnerability has already been patched by Apple and if you haven’t downloaded the latest version of Java for OS X yet you should do so now. Go to Software Update and install the Java for OS X Lion 2012-001 or Java for Mac OS X 10.6 Update 7, depending on your version of Mac OS. That will prevent future infections from occurring, but you’ll also want to review if a Mac is infected.
We haven’t heard of or seen a single case of the Flashback infection on a Mac, but for the sake of optimal security we’re going to cover how to quickly check if a Mac is afflicted by the Flashback trojan:
Launch Terminal (found in /Applications/Utilities/) and enter the following commands:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
If you see a message like “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist” proceed to the next defaults write command:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If you see a message similar to “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” then the Mac is NOT infected.
What if you see something different in the Terminal? If the defaults read commands show actual values, you may have the trojan, though this does seem to be very rare. In the event you run into a Mac with the problem, follow the guide on f-secure to remove the Flashback trojan; it’s just a matter of copying and pasting a few commands into the Terminal.
All in all this is nothing to freak out about, but it does serve as another reminder as to why it’s important to update system software as part of a general maintenance routine.
All of ours seem to be clear. We keep our systems up to date - constantly. Every update is always applied as soon as it becomes available. People who think it's safer to hang back and "let others check new software" before they do are kidding themselves.
Last edited by Omaroo; 06-04-2012 at 06:16 PM.
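As an added example, not from the thread or from the OSXDaily article it quotes, the script below wraps the two defaults read checks from the quoted guide into a POSIX shell script that prints a verdict for each location. The function names and the script filename are my own; the real commands only run where the defaults tool exists, and classify_defaults_output can be applied to captured output on any system.

```shell
#!/bin/sh
# Added example (not from the thread or OSXDaily): runs the two "defaults read"
# checks from the quoted guide and reports a verdict per location.

# classify_defaults_output OUTPUT
# The guide's rule: a "does not exist" message means the key is absent
# (clean); any other output means a value is set and warrants a closer look.
# Returns 0 for clean, 1 for suspicious.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# check_location DOMAIN KEY
# Runs "defaults read DOMAIN KEY", capturing stderr too, since the
# "does not exist" message is printed there. Returns 0 clean, 1 suspicious.
check_location() {
    out=$(defaults read "$1" "$2" 2>&1)
    if classify_defaults_output "$out"; then
        echo "clean:      $1 $2"
        return 0
    fi
    echo "SUSPICIOUS: $1 $2 -> $out"
    return 1
}

# flashback_indicator_check
# Checks the two locations named in the guide. Returns 0 if both are clean,
# 1 if either holds a value, 2 if the defaults tool is missing (not a Mac).
flashback_indicator_check() {
    command -v defaults >/dev/null 2>&1 || {
        echo "defaults tool not found; nothing checked"
        return 2
    }
    status=0
    check_location /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_location "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    return $status
}

# Only run automatically when saved and executed as flashback_check.sh,
# so the functions can also be sourced and used on captured output.
case "$0" in
    *flashback_check.sh) flashback_indicator_check ;;
esac
```

A non-zero exit from flashback_indicator_check is only a prompt to look closer; the guide's own text notes a real hit is rare.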

06-04-2012, 06:12 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Andrew, that's not fully effective either. With frameworks like Java, Flash and HTML5 your device must download code from a source, i.e. a website. If your source gets compromised then you will receive the exploit. These exploits usually perform buffer overflows and the like, inserting themselves into your computer with credentials above that of an administrator, and could probably insert themselves into your whitelist as a valid program.

06-04-2012, 06:21 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Sorry, but got to take a stab at the line...
"The trojan takes advantage of a vulnerability in an older version of Java"
Yes, it was an older version of Java for other platforms, as they patched at the beginning of Feb, but Apple didn't release their new Java version that fixed the problem until 2 days ago; that is poor form. This goes back to my comment: "the poor malware writers wait until the holes are published by the OS, App vendor, then write new malware on the expectation that 98% of the population wont patch quickly."

06-04-2012, 06:28 PM
IIS Member #671
Join Date: Dec 2005
Location: Canberra
Posts: 11,159
Chris, I don't seem to have the ~/.MacOSX directory on my MacBook Pro. Is this normal?
Running a global find at the moment and it hasn't found anything, either.
The first defaults read command returned as per the quoted text.
H

06-04-2012, 06:28 PM
Registered User
Join Date: Jan 2009
Location: Glenhaven
Posts: 4,161
Quote:
Originally Posted by tlgerdes
Andrew, that's not fully effective either. With frameworks like Java, Flash and HTML5 your device must download code from a source, i.e. a website. If your source gets compromised then you will receive the exploit. These exploits usually perform buffer overflows and the like, inserting themselves into your computer with credentials above that of an administrator, and could probably insert themselves into your whitelist as a valid program.

Trevor, there is only one way to make a computer safe. Turn it off, crush the storage media, fill it with concrete, and use it for a boat anchor.
The whitelist must not be user writable.
No-one should ever be doing anything as administrator if they can avoid it. Installing and configuring programs (from a secure location and with valid, not self-signed, cryptographic signatures) is the best example of what they should be allowed. Also the user running an app should not have write access to anything other than data.

06-04-2012, 06:31 PM
Registered User
Join Date: Mar 2006
Location: Ingleburn
Posts: 481
I agree Trevor, it's the ones that bypass the checks that are the real problem. Code that exploits 0-day threats is worse, as it usually passes all security checks and then tells you all is OK.

06-04-2012, 06:46 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Quote:
Originally Posted by mithrandir
Trevor, there is only one way to make a computer safe. Turn it off, crush the storage media, fill it with concrete, and use it for a boat anchor.
The whitelist must not be user writable.
No-one should ever be doing anything as administrator if they can avoid it. Installing and configuring programs (from a secure location and with valid, not self-signed, cryptographic signatures) is the best example of what they should be allowed. Also the user running an app should not have write access to anything other than data.

It doesn't matter if you are an admin/root or not. Background processes often run at higher levels of privilege than the logged-on user; if you find an exploit in a system process like that then you usually run your exploit at that level as well. Sometimes you can force the system into higher levels of privilege as well; this is often referred to as privilege escalation and can happen through a raft of methods, including device drivers etc.
As you say, disconnect and crush your computer... go look through your scope instead and grab a pencil and paper.

06-04-2012, 06:58 PM
Registered User
Join Date: Jan 2009
Location: Glenhaven
Posts: 4,161
Quote:
Originally Posted by tlgerdes
It doesn't matter if you are an admin/root or not. Background processes often run at higher levels of privilege than the logged-on user; if you find an exploit in a system process like that then you usually run your exploit at that level as well. Sometimes you can force the system into higher levels of privilege as well; this is often referred to as privilege escalation and can happen through a raft of methods, including device drivers etc.

Trevor, we do what we can. There is a limit to how much you can idiot-proof anything. You eventually run into a better class of idiot.

06-04-2012, 07:02 PM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Quote:
Originally Posted by mithrandir
You eventually run into a better class of idiot.

I always thought of myself as a better class of idiot.

07-04-2012, 07:57 AM
Great Sage == Heaven
Join Date: Sep 2009
Location: Melbourne, Australia
Posts: 735
I've been waiting for the patch from Apple ever since I saw this come up. It finally got patched in the past couple of days. Meanwhile I just made sure I kept an eye on my system and internet with various monitoring tools, and as default have flash/scripting turned off on my browser.
In my past life as a sysadmin/IT person, patching, maintaining and monitoring a bunch of work computers was part of my daily routine. The speed at which patches were released varied immensely across the various platforms we used. In the end I made sure all machines were up to date and then educated the end users as much as I could, which is the hardest part of all.
I much prefer being a coffee monkey now; the only time the coffee machine could crash now is if someone pulls it off the counter.

08-04-2012, 06:06 AM
Love the moonless nights!
Join Date: Mar 2009
Location: Sydney
Posts: 2,285
Quote:
Originally Posted by joe_smith
Really no system is safe, ...
Even our mobile phones are now at risk. I imagine in the not too distant future, the computers in new cars will also be affected. As Stuxnet proved, if they want a system they can, and will, get it.

Well it was only a matter of time. This is not a virus but a remote vulnerability in a network-connected TV. Cannot wait for the malware for this one.
http://seclists.org/bugtraq/2012/Apr/42
How do you patch your TV?