Apple releases another update to quell Flashback spread

Apple released a second security update on Friday in its continuing battle against the Flashback trojan, which already has infected nearly 650,000 Macs worldwide.

The computing giant may have found a glitch in its first update for Java, the software whose vulnerability enabled the spread of Flashback. That forced Apple to follow up with a second patch, which is only for Mac OS X 10.7 (Lion), according to a blog post from security firm Intego.

Although Oracle, the creator of Java, released fixes for it in February, Apple's response was delayed, said Charles Miller, principal research consultant at security consulting firm Accuvant Labs.

“They have a habit of taking a long time to supply patches [for third-party products], which always puts their users at risk,” Miller said in an email Friday. “I hope that this outbreak will help them to see this point and they will hurry up their patching in the future.”

A user's computer can become infected with Flashback simply by visiting a bogus web page, an attack known as a drive-by download. Anti-virus software would be able to alert users to an infection, but otherwise, chances are Mac users would not notice the silent attack, Mikko Hypponen, chief research officer at F-Secure, said in an email Friday.

Once installed on the machine, Flashback is capable of a number of malevolent actions, including stealing data, hijacking search results and installing additional malware, though it doesn't seem to be targeting personal information just yet, according to experts.

“Versions of Flashback have been around for months, but this is the first one which uses an exploit to infect you,” Hypponen said. “From the user's point of view, the difference is that the user does not need to be tricked into entering a root password for them to get infected [as was the case with previous variants].”

After experts at Russian AV vendor Dr. Web “sinkholed” one of the botnet's command-and-control hubs, redirecting its traffic to their own server, they were able to tap into that traffic and count the number of compromised machines.

According to a report released Wednesday by Dr. Web, Flashback has infected 600,000 machines globally, and more than half -- 303,440 -- are located in the United States.

On Thursday, Igor Soumenkov, a Kaspersky Lab malware researcher, confirmed the numbers, according to a blog post, after his lab set up its own sinkhole.

“We were able to calculate the number of active bots,” Soumenkov wrote. “Our logs indicate that a total number of 600,000-plus unique bots connected to our server in less than 24 hours.”

Although they could not confirm or deny that the bots connected to the Kaspersky server were running Mac OS X, Soumenkov added that through fingerprinting techniques, “more than 98 percent of incoming network packets were most likely sent from Mac OS X hosts.”

However, he did qualify his remarks. “Although this technique is based on heuristics and can't be completely trusted, it can be used to make order-of-magnitude estimates,” he wrote.

According to market researcher NetApplications, Windows is the most popular operating system in the world, running on more than 90 percent of computers, which explains the attention malware authors give it.

But cyber criminals likely will take note of the size of the Flashback botnet and thus more earnestly consider OS X as a viable target, said Miller.

“As more people buy Macs, malware authors will follow along too,” he said. “It might be time to think about getting anti-virus for your OS X systems.”

An Apple spokesperson could not be reached for comment.
