Archive

Archive for April 8th, 2012

The Flashback Botnet Trojan on Macs

April 8th, 2012 6 comments

Well, it is finally here–what appears to be the first fairly large infestation of malware on Macs. We expected this, and there will doubtlessly be more. It looks like it is a fairly strong infestation, though it still represents only a small, even tiny fraction on the threat Windows users face every day. It’s also still just a trojan, not a virus or a worm (none for the Mac have ever been found), but appears to be more successful than any previous attack–maybe. If you use a Mac, it is naturally best to check (details below)–but it is also reasonable to have certain doubts about the stories being circulated. Let me give you my own experience on this.

My Own Experience with the Attack

About a week to two weeks ago, I started noticing that every day or two, I would, upon visiting some of my regular web sites, get inexplicably redirected to one of two weird sites. One was a “femalebodyinspector” site, another seemed to be a bogus UStream site (“ustreambesttv”). Both sites had a similar attribute: they had TLDs (top level domains, like “.com” or “.co.jp”) of “rr.nu”–which I had never seen before.

Upon looking into it, I found it was a WordPress hack–one or two blogs I visited regularly were, at least temporarily, hacked with this code that caused them to redirect to the “rr.nu” sites. Having suffered from the “Pharma” WordPress hack myself, I figured it was no more than an attempt to direct web traffic and get various ad revenues. Satisfied that it was not something wrong with my machine, I moved on. About a week ago, I stopped getting the redirects, and figured that the sites I visit had cleared out the hack.

FlashBack, and What It Is

However, now we’re hearing about something much wider, something called the Flashback trojan. Apparently, once you are, by whatever agent, redirected to one of these sites (the “rr.nu” TLD seems the best indicator), your browser may be prompted to automatically download a program which will then try to trick you into giving it your admin password–but even if you don’t give it, the trojan could still run in a limited manner.

It is reported that, once installed, it could attempt to harvest passwords or other confidential information, and may also use you computer as part of a “botnet”–a collection of many compromised computers (often referred to as “zombie computers”) to send spam, participate in swarming attacks on targeted web sites (DDoS), or other unpleasant endeavors. If your computer has been so compromised, you may never even be aware of it–the aim of the hacker is not to disrupt your computer, but to add its power to their network, and collect data on you in the meantime. Disrupting your computer’s operation would alert you and make the malware useless to them.

Apple has released patches to prevent this attack (go to “Software Update” in your Apple menu), but these patches only prevent new attacks after installation, and do not clean up an infected computer.

Are You infected? What Should You Do?

To find out if your computer is affected, you may wish to download and run the “Flashback Checker” app, or, if you prefer a more hands-on approach, follow these instructions (the desirable outcome is to get “does not exist” for both checks).

If your computer is infected, then you can disable the malware (instructions here, but they are not simple to follow), but cannot (at this time–an automated app is inevitable sometime) fully delete it short of a clean re-install of your OS and software. That means backing everything up; making sure you have all your installers, settings, and passwords in order; erasing the hard drive; re-installing the OS and software; replacing all your documents from the backup; and re-inputting all settings and passwords. Which, by the way, is something you should do every year or two anyway. If you have the time and haven’t done this in the past few years, you may want to do it anyway, even if your Mac is clean.

Whether or not your Mac is clean, you should install the updates from Apple. It might also be a good idea to disable Java on your browser in any case (for Safari, open Safari Preferences, click on the Security tab, and deselect the “Enable Java”), or even for your whole computer (see that, as well as Chrome & Firefox procedures as well, on this page). You may also want to start using antivirus software (Sophos and ClamXav are free), but no antivirus is perfect. Though this particular trojan would have been stopped were ClamXav installed, just by its own procedure.

The Story Being Told: Is It Believable?

The trojan is in fact real; there is no doubt about that. The question is, how widespread is it, what are the chances of any one person’s infection, and what threat does it represent?

According to the press release provided by an anti-virus software vendor, about 600,000 Macs have been infected by this trojan. However, it should be noted that these people make money selling people antivirus software. Which means that they have a vested interest in scaring the crap out of people with exaggerated reports–something these companies have been doing for years in the Mac community. The evidence for the claim of 600,000 Macs infected has not been presented, and is being treated with suspicious caution at the present time.

Was I Infected?

So, is my Mac infected since I was redirected to one of those sites? As it turns out, no–I ran the Flashback Checker app and got a clean bill of health, after running the terminal code as well. But if I was redirected to that infectious web site, then why is it that I’m clean?

Apparently, being a nerd helps. Remember, the people running this thing don’t want to be detected, and we nerds tend to be more cautious and apt to catch stuff like that. As a result, this particular malware performs a check before it attempts to install, and if it finds certain software, it self-destructs, it aborts and deletes itself. The software it looks for includes Xcode (Apple’s developer software which allows you to write apps), Little Snitch (an app that monitors activity in and out of your computer and alerts you to anything untoward), any antivirus software, or any other monitor of web traffic. Anyone with any of this software would be more apt to discover the breach and thus defeat the infestation, on their own computers and (as is hoped by this post and others) elsewhere. I have Xcode installed, and thus averted infection.

However, as I did get redirected to those sites, I can attest to the fact that this is in fact real–though I cannot attest to the claims that (a) anywhere near 600,000 Macs have actually been infected, or (b) that the infections actually mean that anything malicious is being done as a result.

What to Do: Bullet List

Of course, the best idea is to be as safe as possible. Here’s what to do:

  • Get the “Flashback Checker” app and run it.
  • If you are infected, and if you can follow instructions on how to use Terminal and manage files, then follow the trojan de-activation procedure.
  • Whether or not you are infected, run your Mac’s software update from the Apple menu and install the most recent updates, if you have not already.
  • Turn off Java on your Mac unless you have a special need for it.
  • DO NOT update ANY software which you did not initiate the update check for–if an app seems to alert you for an upgrade, then close the alert and either open the app itself and do an update from within the app, or navigate manually to the official web site and download the upgrade yourself.
  • Do not enter your admin password unless you are sure that it is actually required, and that you understand why.
  • If you wish, you can install antivirus on your Mac; free versions are here and here .

I would be very much interested to hear if you found an infection–please let me know in the comments.

Categories: Mac News Tags: