Home > Mac News > The Flashback Botnet Trojan on Macs

The Flashback Botnet Trojan on Macs

April 8th, 2012

Well, it is finally here–what appears to be the first fairly large infestation of malware on Macs. We expected this, and there will doubtlessly be more. It looks like it is a fairly strong infestation, though it still represents only a small, even tiny fraction on the threat Windows users face every day. It’s also still just a trojan, not a virus or a worm (none for the Mac have ever been found), but appears to be more successful than any previous attack–maybe. If you use a Mac, it is naturally best to check (details below)–but it is also reasonable to have certain doubts about the stories being circulated. Let me give you my own experience on this.

My Own Experience with the Attack

About a week to two weeks ago, I started noticing that every day or two, I would, upon visiting some of my regular web sites, get inexplicably redirected to one of two weird sites. One was a “femalebodyinspector” site, another seemed to be a bogus UStream site (“ustreambesttv”). Both sites had a similar attribute: they had TLDs (top level domains, like “.com” or “.co.jp”) of “rr.nu”–which I had never seen before.

Upon looking into it, I found it was a WordPress hack–one or two blogs I visited regularly were, at least temporarily, hacked with this code that caused them to redirect to the “rr.nu” sites. Having suffered from the “Pharma” WordPress hack myself, I figured it was no more than an attempt to direct web traffic and get various ad revenues. Satisfied that it was not something wrong with my machine, I moved on. About a week ago, I stopped getting the redirects, and figured that the sites I visit had cleared out the hack.

FlashBack, and What It Is

However, now we’re hearing about something much wider, something called the Flashback trojan. Apparently, once you are, by whatever agent, redirected to one of these sites (the “rr.nu” TLD seems the best indicator), your browser may be prompted to automatically download a program which will then try to trick you into giving it your admin password–but even if you don’t give it, the trojan could still run in a limited manner.

It is reported that, once installed, it could attempt to harvest passwords or other confidential information, and may also use you computer as part of a “botnet”–a collection of many compromised computers (often referred to as “zombie computers”) to send spam, participate in swarming attacks on targeted web sites (DDoS), or other unpleasant endeavors. If your computer has been so compromised, you may never even be aware of it–the aim of the hacker is not to disrupt your computer, but to add its power to their network, and collect data on you in the meantime. Disrupting your computer’s operation would alert you and make the malware useless to them.

Apple has released patches to prevent this attack (go to “Software Update” in your Apple menu), but these patches only prevent new attacks after installation, and do not clean up an infected computer.

Are You infected? What Should You Do?

To find out if your computer is affected, you may wish to download and run the “Flashback Checker” app, or, if you prefer a more hands-on approach, follow these instructions (the desirable outcome is to get “does not exist” for both checks).

If your computer is infected, then you can disable the malware (instructions here, but they are not simple to follow), but cannot (at this time–an automated app is inevitable sometime) fully delete it short of a clean re-install of your OS and software. That means backing everything up; making sure you have all your installers, settings, and passwords in order; erasing the hard drive; re-installing the OS and software; replacing all your documents from the backup; and re-inputting all settings and passwords. Which, by the way, is something you should do every year or two anyway. If you have the time and haven’t done this in the past few years, you may want to do it anyway, even if your Mac is clean.

Whether or not your Mac is clean, you should install the updates from Apple. It might also be a good idea to disable Java on your browser in any case (for Safari, open Safari Preferences, click on the Security tab, and deselect the “Enable Java”), or even for your whole computer (see that, as well as Chrome & Firefox procedures as well, on this page). You may also want to start using antivirus software (Sophos and ClamXav are free), but no antivirus is perfect. Though this particular trojan would have been stopped were ClamXav installed, just by its own procedure.

The Story Being Told: Is It Believable?

The trojan is in fact real; there is no doubt about that. The question is, how widespread is it, what are the chances of any one person’s infection, and what threat does it represent?

According to the press release provided by an anti-virus software vendor, about 600,000 Macs have been infected by this trojan. However, it should be noted that these people make money selling people antivirus software. Which means that they have a vested interest in scaring the crap out of people with exaggerated reports–something these companies have been doing for years in the Mac community. The evidence for the claim of 600,000 Macs infected has not been presented, and is being treated with suspicious caution at the present time.

Was I Infected?

So, is my Mac infected since I was redirected to one of those sites? As it turns out, no–I ran the Flashback Checker app and got a clean bill of health, after running the terminal code as well. But if I was redirected to that infectious web site, then why is it that I’m clean?

Apparently, being a nerd helps. Remember, the people running this thing don’t want to be detected, and we nerds tend to be more cautious and apt to catch stuff like that. As a result, this particular malware performs a check before it attempts to install, and if it finds certain software, it self-destructs, it aborts and deletes itself. The software it looks for includes Xcode (Apple’s developer software which allows you to write apps), Little Snitch (an app that monitors activity in and out of your computer and alerts you to anything untoward), any antivirus software, or any other monitor of web traffic. Anyone with any of this software would be more apt to discover the breach and thus defeat the infestation, on their own computers and (as is hoped by this post and others) elsewhere. I have Xcode installed, and thus averted infection.

However, as I did get redirected to those sites, I can attest to the fact that this is in fact real–though I cannot attest to the claims that (a) anywhere near 600,000 Macs have actually been infected, or (b) that the infections actually mean that anything malicious is being done as a result.

What to Do: Bullet List

Of course, the best idea is to be as safe as possible. Here’s what to do:

  • Get the “Flashback Checker” app and run it.
  • If you are infected, and if you can follow instructions on how to use Terminal and manage files, then follow the trojan de-activation procedure.
  • Whether or not you are infected, run your Mac’s software update from the Apple menu and install the most recent updates, if you have not already.
  • Turn off Java on your Mac unless you have a special need for it.
  • DO NOT update ANY software which you did not initiate the update check for–if an app seems to alert you for an upgrade, then close the alert and either open the app itself and do an update from within the app, or navigate manually to the official web site and download the upgrade yourself.
  • Do not enter your admin password unless you are sure that it is actually required, and that you understand why.
  • If you wish, you can install antivirus on your Mac; free versions are here and here .

I would be very much interested to hear if you found an infection–please let me know in the comments.

Categories: Mac News Tags: by
  1. April 9th, 2012 at 04:37 | #1

    Clean on my MacBook Pro late 2011 running 10.7.3.

    Wonder if Apple has fixes for 10.5 and 10.6 for my parents and their older Macs?

    Stupid Java vulnerability.

  2. Troy
    April 9th, 2012 at 04:40 | #2

    I’ve long thought OS X’s security model was retarded, having to type in your password to give installers adminstrator access to your system.

    Here the trojan installer uses this power to inject executable code directly into Safari if it get administrator permissions, or if the user does not give admin password it does something even worse, it injects its pass-through backdoor library into the user’s home directory and sets the environment such that ALL apps go through it.


    Apple patched one flavor of this attack in 2007, where the dynamic library directory could be changed to inject backdoors into the system.

    It’s simply completely f—ing retarded that in 2012 Apple still allows this Unix-level crap to be executable from the browser.

    Maybe more recent OS releases have closed this particular hole. Doing some research, people are complaining in 2011 that they weren’t able to get DYLD_INSERT_LIBRARIES working, which is good, because DYLD_INSERT_LIBRARIES is a spectacularly massive security hole that should never have been allowed in the first place.

    I’ve never been a big fan of the UNIX sublayer. It’s great for cross-compatibilty with the modern-day web stack but all that crap tends to bring in more trouble than its worth (compare Apple’s progress with iOS 2007-2012 vs. the decade the Unix people have been futzing with their own retarded efforts in this space).

  3. Troy
    April 9th, 2012 at 04:46 | #3

    >if Apple has fixes for 10.5 and 10.6 for my parents and their older Macs?

    yes. I ran them for my Mom a couple of days ago.

    Which is kinda funny because this weekend she was saying her Target site wanted to install a new Flash player. I try to educate her to NEVER trust an installer, but she was saying how the installer was telling her that it would improve security.

    I said you’ve got to imagine that every installer you see was written by a crafty Russian trying to trick you.

    Some day the Russians are going to do a good copy of Apple’s own updater UI, and it’s going to be very very messy to clean up the damage.

    As I said above, the UNIXy segmentation of permissions into root, group, and user is utterly retarded. Apple in a lot of ways took a step back adopting OPENSTEP in 1996.

    Not that Apple’s own efforts in the mid-1990s were all that hot, but someday I’d like a minty-fresh OS designed from the ground up to be slick.

  4. Andrew
    April 12th, 2012 at 13:27 | #4

    Thank you, this is terrific.

    Should we also disable Java script?

  5. Luis
    April 12th, 2012 at 18:00 | #5


    No, just Java.

    Apple says they’re working on an app to remove the malware

    Kaspersky is distributing one as well, to go along with their web-based checker–but some people are reporting (a) false positives from the checker, and (b) that the Kaspersky removal utility sometimes locks users out of the system.

  6. Andrew
    April 13th, 2012 at 13:49 | #6

    Thank you, this is extremely helpful, as is the blog.

Comments are closed.