'Flashback' trojan estimated to have infected 600K Macs worldwide - What Happened?



Frank Petronio
5-Apr-2012, 05:31
This morning's Apple Insider has an article about how the Flashback Trojan Virus infected 600K Macs last year:

http://www.appleinsider.com/articles/12/04/05/flashback_trojan_estimated_to_have_infected_600k_macs_worldwide.html

Mac Viruses have been rare compared to PCs, making them a target of opportunity it seems.

What became of Flashback and what did it end up doing?

The detection and removal process looks difficult and it is unclear, to me at least, whether regular Apple software updates will prevent it or hunt it down and remove it.

You can't tell me 600K Mac users need to go into Terminal and diagnose what's going on when most are lucky to know how to do the most basic computer tasks (by design).

Even if you have the Flashback Virus, what is the net downside, did people get ripped off?

Bob Salomon
5-Apr-2012, 05:48
http://reviews.cnet.com/macfixit/?tag=mfiredir

See third entry.

Brian C. Miller
5-Apr-2012, 11:49
Here's a bit more explanation:
The Register: 550,000-strong army of Mac zombies spreads across world (Infected machines, not blank-eyed shuffling fanbois) (http://www.theregister.co.uk/2012/04/05/flashback_trojan_botnet/)

Mike Anderson
5-Apr-2012, 11:52
If you upgrade the OS (I just did to 10.6.8) it will fix the vulnerability. Don't know if it removes the virus if it's already there.

If you don't want to upgrade the OS, disabling Java will guard against getting the virus.

Reputable sites are pointing here for checking and removal instructions:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Kirk Gittings
5-Apr-2012, 11:58
It appears to need Safari (I thought I read that somewhere today) which I don't use (I use Google C) except to login to my credit card account which I did a few minutes ago. However I did the Java upgrade this morning without knowledge of this issue before using Safari to login to my CC act. Hmmm.......how do you know if you have the virus? That is not clear.

Mike Anderson
5-Apr-2012, 12:05
Even if you have the Flashback Virus, what is the net downside, did people get ripped off?

I think it can download executables and execute them as instructed by a controlling evil server, so the backdoor is wide open. It will probably try different things to get passwords and account numbers, etc.

Mike Anderson
5-Apr-2012, 12:09
It appears to need Safari (I thought I read that somewhere today) which I don't use (I use Google C) except to login to my credit card account which I did a few minutes ago. However I did the Java upgrade this morning without knowledge of this issue before using Safari to login to my CC act. Hmmm.......how do you know if you have the virus? That is not clear.

appleinsider.com and arstechnica.com are pointing here for instructions to check for and remove the virus:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Frank Petronio
5-Apr-2012, 12:09
It appears to need Safari (I thought I read that somewhere today) which I don't use (I use Google C) except to login to my credit card account which I did a few minutes ago. However I did the Java upgrade this morning without knowledge of this issue before using Safari to login to my CC act. Hmmm.......how do you know if you have the virus? That is not clear.

Right, I remember this last year and checked but it was very nerdy. Since then we've added new Macs for family and I forgot to check, and it just seems very un-Mac-like to go through this much hassle if it is still a problem.

toyotadesigner
5-Apr-2012, 12:18
How do you know if you have the virus?

Start 'Terminal', copy the first line below, insert it into terminal CMD+V and hit ENTER.

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"

Keep 'Terminal' running, copy the second line below, insert it into terminal CMD+V and hit ENTER.

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"

Keep 'Terminal' running, copy the third line below, insert it into terminal CMD+V and hit ENTER.

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"

--------------------//--

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES

defaults read /Applications/Firefox.app/Contents/Info DYLD_INSERT_LIBRARIES

--------------------//--
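Here is the three-step check from the post above wrapped into one script, as an added example that is not from the thread or from F-Secure. It assumes macOS's `defaults` tool and treats the "does not exist" reply exactly as the post describes; on a system without `defaults` it reports "unknown" instead of guessing.

```shell
#!/bin/sh
# Added example, not code from the thread: runs the three "defaults read"
# checks posted above and classifies each result the way the post describes.
# A "does not exist" reply means DYLD_INSERT_LIBRARIES is not set there; any
# returned value means a library is being injected and needs a closer look.

# Classify the combined stdout/stderr of one "defaults read" call.
classify_defaults_output() {
    case "$1" in
        "")                 echo unknown ;;     # tool missing or silent
        *"does not exist"*) echo clean ;;       # key absent, as expected
        *)                  echo suspicious ;;  # key present: inspect value
    esac
}

# Query one key ($2) in one plist ($1, path without .plist) and classify it.
# "defaults" only exists on macOS; elsewhere the result is "unknown".
check_dyld_key() {
    command -v defaults >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(defaults read "$1" "$2" 2>&1) || true
    classify_defaults_output "$out"
}

# The three locations the post checks. Returns 1 if any of them is suspicious.
flashback_check() {
    status=0
    for plist in "$HOME/.MacOSX/environment" \
                 /Applications/Safari.app/Contents/Info \
                 /Applications/Firefox.app/Contents/Info; do
        result=$(check_dyld_key "$plist" DYLD_INSERT_LIBRARIES)
        printf '%-45s %s\n' "$plist" "$result"
        [ "$result" = suspicious ] && status=1
    done
    return $status
}

flashback_check || echo "DYLD_INSERT_LIBRARIES is set: follow the F-Secure removal page linked above."
```

A "suspicious" line only tells you the key is set; print the value with the same `defaults read` command and compare it against the F-Secure description before deleting anything.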

Frank Petronio
5-Apr-2012, 12:50
That's easy enough but what is my Mom in Florida supposed to do? Hell my 28-year old probably would lose her cookies over that!

toyotadesigner
5-Apr-2012, 12:58
but what is my Mom in Florida supposed to do?

She might invite you for a nice vacation in the sun. And - maybe - if you should have a few seconds, you might check her 'tin willy' :cool:

John NYC
5-Apr-2012, 13:02
In this case, it appears if you didn't type in your administrator password AND you don't have MS Office components and/or Skype on your machine, the trojan horse bails and your machine should be fine.

Don't ever type in your administrator password unless you are certain of why you are being asked to do so.

Mike Anderson
5-Apr-2012, 13:27
In this case, it appears if you didn't type in your administrator password AND you don't have MS Office components and/or Skype on your machine, the trojan horse bails and your machine should be fine.

Don't ever type in your administrator password unless you are certain of why you are being asked to do so.

I think you have the part about MS Office and Skype backwards, Flashback aborts if you do have those installed:


In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:

/Applications/Microsoft Word.app
/Applications/Microsoft Office 2008
/Applications/Microsoft Office 2011
/Applications/Skype.app
If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.

The quote is from the f-secure page (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml).

Ken Lee
5-Apr-2012, 13:28
MS Office - No thanks :cool:

I use Open Office or Libre Office.

John NYC
5-Apr-2012, 13:35
I think you have the part about MS Office and Skype backwards, Flashback aborts if you do have those installed:


The quote is from the f-secure page (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml).

Correct, I got that backwards.

cdholden
5-Apr-2012, 13:42
Right, I remember this last year and checked but it was very nerdy. Since then we've added new Macs for family and I forgot to check, and it just seems very un-Mac-like to go through this much hassle if it is still a problem.

Call Jordan Hubbard and let him know you only bought a Mac so you could be ten feet tall and bulletproof. Then you can tell him if the OS was open to more review by the open source crowd, it might have been prevented. Things like this get him going.
Then again, if it were more open to review, you could suffer from more of the same.
Ah, the joys of The Internet!

Worker 11811
18-Apr-2012, 22:35
Remember that "Flashback" isn't really a virus or a worm in the classic sense. It is a TROJAN. It operates differently.

A virus is malicious code attached to a file or program that activates when it is opened or executed.
A worm is malicious code that spreads from computer to computer via networks and can spread WITHOUT human interaction.
A Trojan is a malicious program that masquerades as a useful one; often a game. An unsuspecting person downloads it and runs it, thinking they are getting something useful but, in reality, their computer is compromised.

The reason I bring this up is because true viruses or worms are exceedingly rare on Mac OS. I have only ever seen a Mac virus one time, many years ago. It wasn't even a really nasty one. It just messed up certain files.

While it is still safe to say that Mac OS is relatively secure from viruses or worms (not completely safe, just mostly safe) there is *NO* computer that is safe from Trojans. There never has been a computer system that is safe from Trojans and there never will be a computer system that is safe from Trojans.

As long as there are people who download and/or install programs on computers without thinking first and as long as there are people who are stupid enough to type their password when the computer puts up a dialogue asking them to do so, there will be Trojans.

Most Trojans can be blocked if operating system programmers who make Mac OS, Windows, Linux and other systems know how those programs operate (or are likely to operate) but, as long as there are stupid people using computers, there will be Trojans. That's all there is to it. Period.

Smart users will stay away from backwater porn websites, and illegal download sites and they will not download programs from places they don't trust 100% and they will delete spam or unexpected e-mails without reading them or clicking on links.

Anybody who got hit with this Trojan was stupid enough to ignore this basic rule of safety and they got what they deserve.

No matter what operating system you use, just don't download $hit and you won't get a Trojan. It really is as simple as that.

Darin Boville
18-Apr-2012, 22:52
I just did this and I'm fine. However, it did say "You have new mail." What is up with that?

--Darin




Start 'Terminal', copy the first line below, insert it into terminal CMD+V and hit ENTER.

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"

Keep 'Terminal' running, copy the second line below, insert it into terminal CMD+V and hit ENTER.

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"

Keep 'Terminal' running, copy the third line below, insert it into terminal CMD+V and hit ENTER.

If your system is not infected then the output of these commands will state in part that the domain/default pair "does not exist"

--------------------//--

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES

defaults read /Applications/Firefox.app/Contents/Info DYLD_INSERT_LIBRARIES

--------------------//--

toyotadesigner
18-Apr-2012, 22:58
If you got the message(s) 'does not exist', your machine is clean. I have no idea why it said 'You have new mail'. Maybe a coincidence?

Did you try to run the check again and reproduce the strange 'You have new mail' message?

As far as I understand the routine it only checks for the DYLD message, but not for mail. :confused:

Darin Boville
18-Apr-2012, 23:16
It comes up just when it logs in:

Last login: Wed Apr 18 22:50:02 on ttys000
You have new mail.
darin-bovilles-imac-2:~ darin$


Weird, huh? I have no unread mail in my mail program!

-Darin



If you got the message(s) 'does not exist', your machine is clean. I have no idea why it said 'You have new mail'. Maybe a coincidence?

Did you try to run the check again and reproduce the strange 'You have new mail' message?

As far as I understand the routine it only checks for the DYLD message, but not for mail. :confused:

Greg Miller
19-Apr-2012, 04:41
Smart users will stay away from backwater porn websites, and illegal download sites and they will not download programs from places they don't trust 100% and they will delete spam or unexpected e-mails without reading them or clicking on links.

Anybody who got hit with this Trojan was stupid enough to ignore this basic rule of safety and they got what they deserve.

If only this were true. Many many legitimate web sites are compromised every day due to programming flaws that allow the bad guys to alter their code and plant malware. Big corporations run regular security audits on their web sites to try to detect these coding flaws, but they aren't always done for every web site update. Smaller companies rarely run these audits. So avoiding porn sites is hardly a guarantee that your computer is safe.

Brian C. Miller
19-Apr-2012, 07:22
Remember that "Flashback" isn't really a virus or a worm in the classic sense. It is a TROJAN. It operates differently.

The Flashback trojan operates a little differently in that it exploits a Java hole, so just touching an infected web site will load and execute it. Years ago I was hit by a drive-by download. Took me a whole afternoon to get rid of the adware on my machine. Yech.


It comes up just when it logs in:

Last login: Wed Apr 18 22:50:02 on ttys000
You have new mail.
darin-bovilles-imac-2:~ darin$


Weird, huh? I have no unread mail in my mail program!

-Darin

Yes, you do. It's the "mail" system mail. Type "mail" at the prompt, and read the mail. This is a holdover from long ago, and is your system's internal mail, during a time when multiple terminals were connected to a central computer. (Once upon a time, in front of a VT52 terminal, there sat a programmer who needed to send a message to his coworker, who wasn't in on the weekend. And so he ...)

Worker 11811
19-Apr-2012, 13:39
Interesting. In the words of Johnny Carson, "I did NOT know that." ;)

I don't allow Java to run in my browsers and I have "Flashblock" set to restrict the use of Javascript on any website I don't have specifically whitelisted but I will keep a closer eye on things like this, now.

Where can I find a page that describes Flashback and how it works? The only things I have found are "news" articles that say how bad it is but few, if any, give salient details.

Darin Boville
19-Apr-2012, 13:57
Yes, you do. It's the "mail" system mail. Type "mail" at the prompt, and read the mail. This is a holdover from long ago, and is your system's internal mail, during a time when multiple terminals were connected to a central computer. (Once upon a time, in front of a VT52 terminal, there sat a programmer who needed to send a message to his coworker, who wasn't in on the weekend. And so he ...)

Got it--thanks. Looks like SuperDuper has been e-mailing me about something or other. Hundreds of times! All deleted now...

--Darin

Brian C. Miller
19-Apr-2012, 14:55
Where can I find a page that describes Flashback and how it works? The only things I have found are "news" articles that say how bad it is but few, if any, give salient details.

The Register: New password-snatching Mac Trojan spreading in the wild (http://www.theregister.co.uk/2012/02/24/flashback_mac_trojan/)
Basically, applets need certain clearances to do various things, thus a "trust model" is configured. Flashback exploited a problem between the "trusted" and "untrusted" sections, and the software bug allowed an "untrusted" applet to become "trusted," thus giving it access to too much functionality. In this case, the malware only stole login information.