More than 600,000 Macs infected with Flashback botnet

Dark Shadow · Apr 8, 2012

greatwhite said:

Wow quite a bit of Apple knocking on this bit of the forum. How sad. I have always had an AV program on my Macs because firstly I don't want to forward anything to my windoze using friends without my knowledge and secondly I knew the day would come when we would start getting them on macs. Maybe this threat may wake up some mac users to install an AV program, lets hope so.
Click to expand...

A responsible Mac user.

noway · Apr 8, 2012

Don't worry. If it gets too bad, Apple will just shut your computer down by remote control until they fix it! (Just kidding)

crapbag · Apr 9, 2012

My lady has used Macs for something like 5 years and never had any kind of AV protection. I don't even think she updates all that regularly. I kinda hope it's automatic

Being a PC man, I'm a paranoid nut-job compared to her.

It's one of those weird things. Some of the AV's available for Macs are pretty pricy *cough* Intego *cough*. Until Mac viruses become a bit more widespread it just isn't worth shelling out for.

After reading about this new bug I made her install Sophos free Mac AV.

A scan revealed she had 9 threats. Only one was a Mac bug, some fake AV for Macs app. The other 8 threats were Windows threats. We've left them on there for now.

It's a tough call, but if you can get decent free or cheapish protection for your Mac I don't get why you wouldn't use it.

Dark Shadow · Apr 9, 2012

The thing is lets say you have an infected email thats target for windows on your mac,sure it wont hurt you but lets say you sent it off to family,friends running windows and they open the infected email that came from you. It is there resposibility to protect them self,but regardless you will become the evil villian that sent it to them.

Thats what greatwhite pointed out in post # 24 about infecting windoz users by running a AV program to prevent it all around.

SergM · Apr 10, 2012

BackDoor.Flashback.39 epidemic chronology

April 10, 2012
The news of the outbreak of BackDoor.Flashback.39 that has infected over 650 000 computers running Mac OS X quickly spread throughout the world, causing a strong public response. The Russian anti-virus company Doctor Web that was the first to issue a warning concerning this threat presents the brief BackDoor.Flashback.39 outbreak chronology.

February 2012 Oracle released an update for the Java Virtual Machine closing vulnerabilities exploited by BackDoor.Flashback.39.
March 25, 2012 First Flashback botnet domains registered
March 27, 2012 Doctor Web added the BackDoor.Flashback.39 signature into the virus database used by its Dr.Web for Mac OS X.
April 3, 2012 Doctor Web analysts reverse-engineered the routine employed by BackDoor.Flashback.39 to generate control server domain names, registered several domain names and began gathering statistics by analysing requests received from bots. More than 130000 bot replies were received in the very first hours.
April 4, 2012 According to data collected by Doctor Web virus laboratory, the number of infected hosts in the BackDoor.Flashback.39 botnet reached 550,000. Doctor Web issued a press-release concerning the BackDoor.Flashback.39 epidemic.
April 4, 2012 (April 3 for North America). Apple has released an update for Apple Java closing the vulnerabilities exploited by the Trojan BackDoor.Flashback.39. Due to the difference in time zones, many Mac OS X users got the update after a significant delay.
April 4, 2012 The number of hosts in the botnet exceeded 600 thousand infected Macs.
April 6, 2012 Apple released a second update that closed the vulnerabilities exploited by the Trojan BackDoor.Flashback.39.
April 9, 10 A corporation made unsuccessful attempts to block domains used by Doctor Web to study the BackDoor.Flashback.39 botnet.
April 10 The total number of computers infected by the Trojan has exceeded 650,000.

The current number of machines infected by BackDoor.Flashback.39 is 655 700. Mac users can use the free service from Doctor Web at www.drweb.com/flashback/ to check if their computers are infected.

View the article

SergM · Apr 10, 2012

http://www.forbes.com/sites/andygre...-to-cut-off-its-server-monitoring-infections/

JRViejo · Apr 10, 2012

In order to make it easier for average users to check whether their computers are infected, Kaspersky Lab launched a website on Monday where people can input their systems' unique hardware identifiers (UUIDs) to see if they are among the almost 700,000 Macs known to be infected with Flashback so far.
Click to expand...

Kaspersky Launches Free Flashback Removal Tool and Website to Check for Infections by Lucian Constantin.

twl845 · Apr 10, 2012

greatwhite said:

Wow quite a bit of Apple knocking on this bit of the forum. How sad. I have always had an AV program on my Macs because firstly I don't want to forward anything to my windoze using friends without my knowledge and secondly I knew the day would come when we would start getting them on macs. Maybe this threat may wake up some mac users to install an AV program, lets hope so.
Click to expand...

But MAC's don't get infected. Ask at the Apple forum.

Dark Shadow · Apr 10, 2012

JRViejo said:

Kaspersky Launches Free Flashback Removal Tool and Website to Check for Infections by Lucian Constantin.
Click to expand...

Wow the number is climbing.I wouldn't be a bit suprised if it climbs much higher then it is.

Dark Shadow · Apr 10, 2012

twl845 said:

But MAC's don't get infected. Ask at the Apple forum.
Click to expand...

Hopefully they will change there tune or just stay in denial.

FanJ · Apr 11, 2012

Apple is developing software that will detect and remove the Flashback malware.
Click to expand...

http://support.apple.com/kb/HT5244

FanJ · Apr 11, 2012

Free stand-alone removal tool from F-Secure:
http://www.f-secure.com/weblog/archives/00002346.html

Free stand-alone removal tool from Kaspersky (already mentioned by JRViejo):
http://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

===

BBC tech site:
http://www.bbc.co.uk/news/technology-17675314
Apple develops tool to 'detect and remove' Flashback Trojan

PCMag:
http://www.pcmag.com/article2/0,2817,2402914,00.asp
Number of Macs Infected With Flashback Trojan on the Decline

PCWorld:
http://www.pcworld.com/article/2535...tool_and_website_to_check_for_infections.html

Sophos:
http://nakedsecurity.sophos.com/2012/04/10/macs-safer-than-pcs/
Are Macs safer than PCs?

Symantec:
http://www.symantec.com/connect/blogs/osxflashbackk-suffering-slashback-infections-down-270000
OSX.Flashback.K – Suffering a Slashback – Infections Down to 270,000

TheKid7 · Apr 12, 2012

Some more info here:

Special project: remove BackDoor.Flashback.39 and learn about first Mac OS X virus outbreak
Click to expand...

http://news.drweb.com/?i=2354&c=5&lng=en&p=0

JRViejo · Apr 12, 2012

Kaspersky Lab on Thursday suspended distribution of its tool to remove the Flashback malware attacking Mac computers, saying the tool itself was making unacceptable alterations to user computers. A replacement is expected soon.
Click to expand...

Kaspersky Lab suspends Flashback-removal tool by Joel Mathis.

3x0gR13N · Apr 13, 2012

http://www.kaspersky.com/about/news...ashfake_Removal_Tool_Releases_Updated_Version

Kaspersky Lab has successfully fixed its free Kaspersky Flashfake Removal Tool. A bug was identified in the original version of the tool, which was first reported at approximately 17:40 MSK (GMT+4) on April 12. The tool was taken offline for maintenance.
Click to expand...

vasa1 · Apr 14, 2012

The latest Java update from Apple removes the known variants of the Flashback malware from infected Mac OS X systems. It also automatically disables Java if it has not been used during the previous 35 days. Once disabled, users have to manually re-enable Java in order for Java applets to run again. That means that malware attacks like Flashback would be unable to automatically execute and compromise Macs that don't regularly use Java.
...
Kudos to Apple. It may be late to the game when it comes to helping users remove the Flashback malware from Mac OS X, but it has raised the bar for proactively protecting systems at the same time.
Click to expand...

http://www.itworld.com/software/267...cludes-innovative-approach-reducing-risk-macs

m00nbl00d · Apr 14, 2012

I'm not sure if it's just me, but I can't stop but have the feeling that also automatically disables Java if it has not been used during the previous 35 days and Once disabled, users have to manually re-enable Java in order for Java applets to run again. is not really the solution.

Sure, it's good to be disabled after a while, but what if from day 1 to 34, the user visits a legitimate website with some third-party ads, coming from an hijacked ad network, which will then point to an exploit ready to exploit a Java security vulnerability?

Right. I didn't bother reading those articles, but do they make any mentions to Apple actually releasing Oracle's patches as soon as they come out? I imagine they don't, otherwise you folks would have mentioned something about it.

It may be late to the game... The thing is, they're not playing the game, at all.

JRViejo · Apr 14, 2012

What Apple didn't do was tell users that the tool existed. Not with a software update, not with a press release. It isn't listed on the Mac App Store and it doesn't show up in a search of the Apple website. And if you do somehow find and install it on your computer, it will disappear into the underlying code, making its presence known only if Flashback shows up.
Click to expand...

Apple's Flashback fixes: Three belts and a pair of suspenders by Philip Elmer-DeWitt.

Flashback Malware Removal Tool

JRViejo · Apr 15, 2012

Now, as the dust settles on what is considered to be the largest Mac malware threat to date, experts have started pointing fingers at Apple as being partially to blame for the scope of the Flashback malware infection. They argue that if Apple were more transparent about security issues--and if it had promptly released a Flashback fix--the extent of the damage could have been smaller. Also contributing to the magnitude of the infections is a boost in the number of Mac OS users, they say.
Click to expand...

Flashback Malware Puts Apple in Security Spotlight: Experts Weigh In by Howard Baldwin.

JRViejo · Apr 18, 2012

Though multiple removal tools are available from Apple and antivirus software vendors, the Flashback trojan is still infecting about 140,000 Macs. According to Symantec, the level of infection has dropped considerably since the latest Flashback variant was detected two weeks ago, but a surprisingly high number of Macs are still attempting to check in with command-and-control servers.
Click to expand...

Flashback waning, but still infecting about 140,000 Macs by Chris Foresman.

gerardwil · Apr 18, 2012

Boris Sharov (DrWeb):

The botnet seems to be slowly increasing inspite of Apple's updates.
Click to expand...

http://twitter.com/#!/b_sharov/status/192586162517450752

SergM · Apr 20, 2012

gerardwil said:

Boris Sharov (DrWeb):

http://twitter.com/#!/b_sharov/status/192586162517450752
Click to expand...

Doctor Web doesn't register significant decrease in BackDoor.Flashback.39 bot number

http://news.drweb.com/show/?i=2386&lng=en&c=5

guest · Apr 21, 2012

Flashback infections not waning after all; 650,000 Macs still hijacked

This image charts the number of Flashback bots from April 3 to April 19.

Ars said:

Analysis declaring the demise of the Flashback Mac backdoor has been greatly exaggerated, said researchers with a Russia-based antivirus firm, who on late Friday estimated there are 650,000 unique OS X machines currently infected by the malware.

Read more: http://arstechnica.com/apple/news/2...ning-after-all-650000-macs-still-hijacked.ars
Click to expand...

JRViejo · Apr 24, 2012

The new variant -- dubbed Flashback.S -- "is actively being distributed in the wild," taking advantage of a Java vulnerability that Apple has already patched, security company Intego said in a statement. The new variant installs itself on the user's home folder without a password and then deletes all folders and files from the Java cache folder to mask its presence.
Click to expand...

New Flashback variant making the rounds by Steven Musil.

Dark Shadow · Apr 24, 2012

ouch.

Log in or Sign up

More than 600,000 Macs infected with Flashback botnet

Dark Shadow Registered Member

noway Registered Member

crapbag Registered Member

Dark Shadow Registered Member

SergM Registered Member

SergM Registered Member

JRViejo Super Moderator

twl845 Registered Member

Dark Shadow Registered Member

Dark Shadow Registered Member

FanJ Updates Team

FanJ Updates Team

TheKid7 Registered Member

JRViejo Super Moderator

3x0gR13N Registered Member

vasa1 Registered Member

m00nbl00d Registered Member

JRViejo Super Moderator

JRViejo Super Moderator

JRViejo Super Moderator

gerardwil Registered Member

SergM Registered Member

guest Guest

JRViejo Super Moderator

Dark Shadow Registered Member

Log in or Sign up

More than 600,000 Macs infected with Flashback botnet

Dark Shadow Registered Member

noway Registered Member

crapbag Registered Member

Dark Shadow Registered Member

SergM Registered Member

SergM Registered Member

JRViejo Super Moderator

twl845 Registered Member

Dark Shadow Registered Member

Dark Shadow Registered Member

FanJ Updates Team

FanJ Updates Team

TheKid7 Registered Member

JRViejo Super Moderator

3x0gR13N Registered Member

vasa1 Registered Member

m00nbl00d Registered Member

JRViejo Super Moderator

JRViejo Super Moderator

JRViejo Super Moderator

gerardwil Registered Member

SergM Registered Member

guest Guest

JRViejo Super Moderator

Dark Shadow Registered Member

Useful Searches