Report: Mac trojan claims 500k machines

Rob Beschizza at 11:17 am Thu, Apr 5, 2012

A trojan horse has emerged to take control of half a million Macs, according to Russian antivirus company Dr. Web. Exploiting a vulnerability in Java, the naughty software connects to a remote host and modifies web pages displayed in your browser. Jacqui Cheng at Ars Technica:
Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple's headquarters are located.

At Daring Fireball, John Gruber wonders why there's so little news about it:

The weird thing to me is that if true, this sounds like the worst malware problem Mac OS X has ever seen — yet there doesn’t seem to be any hysterical media coverage about it. Hypothetical Mac security problems often get hysterical coverage; now we apparently have an actual security problem and it’s no big deal?

If this is for real, perhaps it's simply taken news media by surprise. Traditional "Mac virus" stories—the ones that turn out to be bullshit—are fed to us in readily-publishable form by analysts or the sort of researchers who help Symantec with its press releases.


  • nixiebunny

    Perhaps someone else will corroborate this story with independent research?  I hope so, since it’s a rather big story if true. I’d expect Norton to jump on it.

    • Cowicide

      I don’t know about the numbers they claim, but the threat is very real if you have Java running in Safari and haven’t updated to Apple’s latest Java update.

      It was basically the first unpatched threat to hit OS X where users can get infected without putting in a password or any other user interaction if they were running Safari with Java enabled.  Chrome & Firefox can ask you if you want to run Java, so there would at least be user interaction if you were running those apps.

      This all could have been avoided if Apple had released the patch much earlier, so they are clearly to blame for this.  I hope this hurts Apple’s brand, because they really screwed up here.  This was just pure laziness like you see with Microsloth.

      That said, Mac OS X has been out for over 10 years and it took using a Java vulnerability to finally pull a threat of this level off on OS X.  Not a bad track record for Apple, especially if you compare to Windows which has this horseshit literally all the time (and it’s because of severe flaws in the OS, not Java!).

      But, yep.  For the first time in over 10 years, we finally have gotten hit by a real nasty one that doesn’t require user interaction to install.

      Update your Java, bunny… update your Java…

      - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - -

      By the way, to those that say it’s because marketshare has gone up and now their dire predictions have come true that Apple only had security through obscurity… you’re still full of crap. Apple’s PC market share in the US is still around just 10 percent.

      Those “pawn contests” are bullshit hype and just show that all machines can be brought down under the right circumstances. Aside from Linux, Mac OS X is still the vastly more secure mainstream OS compared to Windows and that has very little to do with marketshare and everything to do with architecture.

      Case in point: When the Apple OS was a weaker, non-UNIX based architecture before OS X, OS 9 had far more widespread trojans (and even had viruses). This was when Apple’s marketshare was lower than it is today, so that goes to show the incentive to build malware for Apple has been around for a very long time even before OS X. This new threat just goes to show how lazy Apple has gotten with Java updates and not much more.

      • http://aqfl.net Ant

        Too bad Apple doesn’t support 10.5.8 and older. One has to disable Java in web browsers and Utilities’ Java Preferences. No Java then.

        • Cowicide

          You might be able to still use Java with Chrome and Firefox in 10.5.x at trusted sites like wikipedia, etc. – At least in 10.6 using Chrome/Firefox, Java won’t run unless you allow it to.

  • http://twitter.com/TaosJohn John Hamilton Farr

    I for one *always* believe everything that comes from a Russian website.

    • Guest

      Pravda

  • http://instantaneousinstances.com/ Spieguh

    Anyone find they’re infected using the process detailed by F-Secure?

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    Looks like one variant modifies Safari, and another houses itself in the user’s home directory. Making your everyday user account not an administrator would help some, but would not entirely prevent this.

    • EH

      Administrator? Not Windows. OSX is fully sudo-based.

    • gtrjnky

      Thanks for the link, I am clean.

    • RadioSilence

      Clean here too. 

      Don’t forget to run Software Update people, there’s already a security update.
      (click the apple at the left of the menu bar, then Software Update)

    • http://illustratorhints.com/ Jesseham

      Clean here.  Skeptical until someone says otherwise.

      • Petzl

        “I’ve never been affected, therefore I must be safe.”
        This is non-event feedback.

        • http://illustratorhints.com/ Jesseham

          It’s more like “very few Mac users have ever been affected, therefore unless you downloaded something weird from a sketchy Russian warez site, you ought to be safe”

          It’s not a virus, it’s a trojan.  You have to have caused the problem yourself.

      • Cowicide

        Skeptical until someone says otherwise.

        I’m skeptical of the numbers of infection they are claiming, but the threat is very real.  Update your Java right now.

    • snowmentality

      Clean here too.

  • http://www.nathanhornby.com/ Nathan Hornby

    Surely it’s not a difficult thing to corroborate, this is the only source I’ve heard so far.  There didn’t seem to be much of a ‘fix’ either, so any more info is useful!

    • RadioSilence

      I saw it on Lifehacker before here. There’s instructions there on how to check if you’ve got it and how to remove it, but they link to the same info Spieguh (above) did so click on his/her link.

  • John Wells

    Mac users can simply switch off Java in their browser’s settings (honestly, when was the last time you used it) to become to immune to this. There’s also a Java update for Lion that fixes the issue.

    • Guest

      It’s almost like someone found an exploit in Netscape Navigator.

    • dculberson

      No joke, I haven’t had Java on in my browser for quite some time.  I’m not on a Mac, either.

    • percysowner

      Well, when I turned off Java the comments didn’t come up here, so I guess I use it more than I thought.  I’m also still on OSX 10.5.8 so no fix for me.

      • John Wells

        That’s like JavaSCRIPT which you’re turning off too, which will mess up Disqus-based comments. Java is all you need to turn off; JavaScript, despite sharing a similar name, is an entirely different beast.

        • percysowner

          Thanks, that helps. I turned on JavaScript and turned off Java.

    • Cowicide

      There’s also a Java update for Lion that fixes the issue.

      There’s also a Java update for Snow Leopard that closes the security hole.  This is exciting!

  • http://twitter.com/sfstagewalker Dan Wilson

    Reading the comments on Ars Technica, people have been doing a little bit more research on this. It appears to be a Java exploit, and interestingly it deletes itself if it finds any folders named after antivirus software on the machine… or copies of Microsoft Office. So, to get this trojan, you need to be going to Russian torrent sites on an old Mac without antivirus software or Microsoft Office on your machine. … I’m actually surprised that 600K machines fit that spec….

    • http://www.adamfields.com/ Adam Fields

      Does anyone know why it skips out if it finds Office or Skype?

      • Tribune

        Cross contamination of windows via Mac Office has been a concern in the past and thus greater scrutiny of potential threats. It also looks like it skips attempting to infect if Xcode is installed (developer software). I would guess that it is trying to not target computers that are used by people who might notice it.

        • Cowicide

          It also looks like it skips attempting to infect if Xcode is installed

          Sweet… if this was true then I guess I was relatively safe the whole week the threat was unpatched.

      • SoItBegins

        F-Secure’s website said it’d do that to avoid spreading to incompatible software.

        Or: Microsoft’s classically dubious coding standards are actually making it resistant to malware for once. Irony!

        • Cowicide

          Microsoft’s classically dubious coding standards are actually making it resistant to malware for once. Irony!

          I can handle the malware, but if this is true, the cognitive dissonance is killing me.

    • percysowner

      Saved by Microsoft Office!  Who knew?

  • petsounds

    I’d also recommend Little Snitch. It runs at the kernel level of OS X and acts as a gatekeeper for all network traffic. If an app tries to open an internet connection you haven’t authorized, it’ll let you know.

    • maxoid

      Apparently, this trojan checks if you have Little Snitch (and a few other antivirus programs), and if you do, does not install/deletes itself.

      • Cowicide

        I know an earlier variant checked for LS and then checked out if you had it installed, but I haven’t heard that for this variant.  Do you have a source for that?

        • SoItBegins

          F-Secure says Flashback variant I will flee if it detects Little Snitch, VirusBarrier, iAntiVirus, or several other programs of the same nature.

    • SoItBegins

      There’s a program called Hands Off! that does that AND limits app filesystem access.

  • http://twitter.com/KaliChan Kali

    It’s not getting the media exposure it’s supposed to because holy shit smug mac users wouldn’t have as much to be smug about. Mass suicides, etc., etc…..

    • morcheeba

      what mass suicides? And if you’re talking about the couple of suicides out of a million workers at Foxconn, then mac users who know china’s suicide rate (222/million/year) and have basic math skills should be smug knowing that they’ve literally saved lives. http://en.wikipedia.org/wiki/Suicide_in_the_People%27s_Republic_of_China#Working_conditions_and_suicide

      • http://twitter.com/KaliChan Kali

        WOW, way to not get a joke, dude.

    • Cowicide

      smug mac users

      I was just sitting here on my Mac with my other Mac user friends at Starbucks.  And we were laughing about how Windows users deal with this sort of nasty thing all the time.  We had a wonderful chuckle with our lattes at your expense.  We all had an “update Java” party last night and laughed heartily as we did it.  Hahahahahahaha….

      [evil grin]

  • semiotix

    Sounds terrible! Fortunately, I use a Mac, so I don’t ever have to worry about malware.

    • Xof

      We would be smug, but we’re too busy fending off the massive quantities of spam coming from the tens of millions of Windows machines in botnets already.

      • rsk

        I’d be smug, but as a BSD user, I’m too busy already being smug toward the Linux users who are being smug toward the Mac users who are being smug toward the Windows users.

        p.s. “tens of millions” has been a severe underestimate for a decade.  “Hundreds of millions” has been applicable for most of that time and will be for the foreseeable future, given that (a) many things have happened to spur increases in the number of bots and (b) absolutely nothing has happened to spur decreases.

        • Xof

          Yeah, well, I just picked a number that I knew had to be within the range; doing actual research on a number in a blog comment is so 1999. :)

    • Cowicide

      I see you trollin….

  • Nadreck

    To be fair to Apple, it has nothing to do with OS X but is, rather a JAVA exploit that also runs on Windows.  To be ever more fair to Apple, they only came out with their version of ORACLE’s patch yesterday – weeks after everyone else already had theirs.

    • Cowicide

      Apple dropped the ball.  I hope this hurts their brand and they learn from it.

  • Angryjim

    Yeah, Apple just did an automatic Java update today. I’m sure that’s what that was. Apple seems to keep on top of this stuff themselves rather than making you buy 3rd party virus software.

    • Guest

      yeah, this walled garden sure is a real nuisance. 

  • http://www.facebook.com/profile.php?id=704232015 R Scott LaMorte

    I’ve been testing my Macs and my friends Macs. No sign of this trojan yet. Since the only source that claims to have found this malware is a Russian company that sells antimalware, I am skeptical until there’s independent corroboration. 

  • http://rhinocrisy.org/ saurabh

    Seriously, unless you are a physics grad student in the late 1990s, you probably shouldn’t be running Java in your browser.

    • bobrk

      Then again, you might be working at a company who uses Java for their main products. Just sayin…

      • http://twitter.com/incarnedine_v Dan Hibiki

         hmm… how many people does Java employ? is it 600,000?

        • bobrk

          Well, I didn’t mean Java itself. Other companies use it in their products, as well.

        • invictus

          Java? I guess they must have purchased the Sun IP from Oracle while I wasn’t looking. You mean the island, right?

        • Cowicide

          [snare drum]

  • Ito Kagehisa

    I suspect the only people more emotionally involved in their computing environment than mac users are probably java programmers.  Well, I guess lisp programmers beat both groups, come to think of it.

    • http://www.disoriented.net/ angusm

      I am now waiting eagerly for the headline that reads “New Mac malware targets vulnerability in LISP”.

      If there ever was a LISP-based Trojan for Mac, Patient Zero for the outbreak would probably be my former boss.

      Koan: What is the sound of one bot netting?

  • Gainclone

    So how do I know if mine is one of the infected? Do I need to heat up some wire with a flamethrower pilot light and stick it into a petri dish?

    • mindtheink

      The instructions on Ars are less than friendly. This is more straightforward: http://news.cnet.com/8301-27076_3-57410050-248/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/

      But really, I severely doubt anyone here is infected. 
      But if your browser is dripping green goo or itching profusely, get yourself checked. And contact all your recent computing partners.

      • Cowicide

        Ha, the guy at that link says it’s because of Mac’s marketshare increase but he stupidly links to iOS marketshare.  People just can’t get the marketshare myth out of their skulls.  Mac OS X (for PCs) is still at around 10 percent in the USA.

  • http://www.openbuddha.com/ Al Billings

    Friends don’t let friends run Java. Seriously, disable it in your browser. You don’t need it.

    • Xof

      Doesn’t a lot of Wikipedia media still use Java to play?

      • Cowicide

        Yes, and Wikipedia is dumb for doing so and needs to stop it.

        • Xof

          Totally agree; just thinking of things that I’ve used Java for in the recent past.

  • pjcamp

    Macs don’t get viruses. Didn’t you know?

    Please do try to keep up.

    • Cowicide

      Macs don’t get viruses. Didn’t you know? Please do try to keep up.

      Uh, this isn’t a virus.  And there are no viruses in the wild for Mac OS X after over a decade.

      Please do try to educate yourself.  ^_^

      http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp

      Don’t be afraid to go to that link if you’re on Windows or anything… haha…

      • pjcamp

        Uh. . Like it matters. Your computer isn’t being taken over by terminology.

        And Apple’s lackadaisical approach is sure to dope slap you in the back of your dumb head any time now. In May 2011 Apple released an OSX update that repaired 23 separate security vulnerabilities. Ed Bott looked at them in detail and found that every item on the list was capable of executing hostile code with little or no user interaction, and every item on the list had also been known about for a minimum of 18 months before being patched. That’s an awfully big window of opportunity and is a typical timeline for OSX patches. The current vulnerability is in Java, discovered in February, patched by Oracle in February . . . and the patch not released by Apple until April. So for several months, every Mac owner was vulnerable unless they took specific steps to remove or disable Java.

        So let’s see — Apple’s market share is growing, largely due to people like yourself with more money than sense — affluent noobs. Apple treats security as someone else’s problem, best fought by benign neglect. I’m gonna go out on a limb here and predict a major mactastrophe in the near future due to this perfect storm of idiocy.

        By the way, the Leap-A virus was reported in the wild in 2006, in 2007 BadBunny delivered pornography to OSX screens, MacSweeper appeared in 2008 as well as three trojan hacking programs that caused Apple to beg users to buy antivirus software.

        iWorks-A was distributed in 2009 using Apple’s word processor as a vector, with an alternate version making the rounds via Photoshop. There was also the RSPlug trojan disguised as MacCinema, as well as the Tored/DNS Changer worm.

        All that fits neatly within the last decade. So now you’re educated.  Macs aren’t immune to viruses. Nothing is. But given Mac users’ devout faith that they are, Apple’s promotion of that belief in their Get A Mac ads, and Apple’s evident inability to address major security issues a year and a half or more after they are identified . . . . .

        Well, have fun.

        • Cowicide

          Uh. . Like it matters. Your computer isn’t being taken over by terminology.

          It’s not getting taken over by trojans en masse either.

          Apple’s lackadaisical approach is sure to dope slap you in the back of your dumb head any time now

          Yep, I’ve been hearing that one for about 11 years now. Any day now… any day now…

          Ed Bott looked at them in detail and found that every item on the list was capable of executing hostile code with little or no user interaction

          Ed Bott is a sensationalist tool begging for cash with linkbait headlines and articles.

          He also calls this (already patched) vulnerability a “New Mac malware epidemic” whose “nightmare scenario finally arrived”. He then goes on to state that at least 600,000 Macs worldwide are infected… and, like a sensationalist tool he states that 600,000 number as fact. If he bothered to actually read his OWN source, he would’ve seen that they said:

          “We cannot confirm nor deny that all of the bots that connected to our server were running Mac OS X. “

          Whoops… He then goes on to fluff up his linkbait with more spurious statements tied to this very flakey 600,000 number that even his own source can’t confirm.

          This guy can’t research his way out of a wet paper bag and this is whom you quote?

          Apple released an OSX update that repaired 23 separate security vulnerabilities. Ed Bott looked at them in detail and found that every item on the list was capable of executing hostile code with little or no user interaction, and every item on the list had also been known about for a minimum of 18 months before being patched.

          Obviously neither you nor Chicken Little understands what he read.

          He didn’t “look at them in detail”, he just read off the basics of what Apple listed. What you don’t understand is that those were most likely found internally by Apple in most (if not all) cases. In other words, the likelihood of an outsider finding those holes before Apple does and closes them is very slim in most cases.

          He’s exploiting fear for linkbait dollars and you sure fell for it. No one is saying Macs are impregnable, no computers are. But to say that the only reason Mac OS X doesn’t have a lot of active, widespread exploits is only because of marketshare is stupid.

          All one has to do (if one really wants to educate oneself) is look at all the malware (trojans AND viruses) for Mac OS 9 when the Mac had LESS marketshare than it does today. If there wasn’t any incentive to make malware for Macs because of low marketshare, how do you explain that? You can’t.

          The reason there was so much malware for Mac OS 9 is because of the weaker architecture of the OS and the incentive (yes, incentive) to reach millions of computers purchased by people that tend to be a wealthier demographic than the rest of computer users. Mac OS 9 was before Apple changed over to OS X with its UNIX-based underpinnings.

          Since then, marketshare is UP higher and we haven’t seen a serious, widespread threat in literally over a decade. How do you and Chicken Little explain that? It’s the architecture, stupid. Security through obscurity is only perpetrated by hack writers who would rather spew linkbait than do proper research.

          Is marketshare a factor? Yes. But if you actually look at the FACTS and use critical thinking, you’d see that it’s a smaller factor than the general security of the architecture. Once again, go look at how many widespread threats there were for Mac OS 9 before Apple switched to a much better architecture and get back with me.

          , the Leap-A virus

          Wow, this shows how little you know of Mac security. That virus couldn’t propagate out of a wet paper bag because of the Mac OS X architecture. It failed miserably. As a matter of fact, every attempt at a virus for Mac OS X has failed… miserably.

          Now please, name a virus that propagated worth a shit? You can’t. I sense your desperation. You hate being wrong, don’t you?

          All that fits neatly within the last decade. So now you’re educated.

          All what in a decade? You can count all of them on one hand, dude… in a decade. Your desperation is showing.

          Any idiot knows about those threats that were few and far between and didn’t propagate for shit. You should really educate yourself on this stuff.

          Macs aren’t immune to viruses.

          Tell me more. I did not know that. ಠ_ಠ

          Macs aren’t immune to viruses. Nothing is. But given Mac users’ devout faith that they are

          Ironically, it’s you that believes in fairy tales here. I have yet to meet a Mac user who believes Macs are impregnable to all security threats. When you meet one, please introduce them to bigfoot, will ya?

  • http://www.jimdraws.com Thorzdad

    That 500,000 number is undocumented and certainly smells of having been pulled out of a dark orifice or two. I’ve yet to see this in the wild, or even hear from anyone else who has seen it.

    Also, as of 10.7, the Mac OS does not include Java. One has to specifically download the installer if they want/need Java.

    • Cowicide

      The numbers may very well be bullshit, but the threat is real.  If you DO have Java installed, that is. And, if you’re not running the latest Java.

      • Guest

        This is like a warning that the gas tanks of late ’70s Pintos may have a problem.

        • Ito Kagehisa

          I take it none of you people have corporate jobs?

          Java is entrenched.  The unbelievably lame timeclock app that ADP shops (Kronos, I think?) requires Java.  There are literally millions of people who cannot get paychecks without running Java.

          Oh, wait, we’re talking about macs.  Soulless zaibatsus hate macs almost as much as they love Java, never mind… the venn diagram intersection is probably microscopic.

          I wonder if my G4 running OSX 10.3.9 is vulnerable?  I’m not loading Java to find out…