Flashback trojan infects Macs

Following up on yesterday’s reminder to update for the recent Java exploit, here is more information on just how big this threat is. In the last year, we have seen a significant uptick in malware and exploits for Mac OS X, and we highly advise all Mac users to follow safe best practices for PC security. A breakdown of these is available at: http://helpcenter.uconn.edu/pc/pchealth.html.


If you think your Mac may be compromised, please do not hesitate to contact your local IT support team ASAP.


Clif Hirtle

User Services Development

University Information Technology Services

Flashback trojan reportedly controls half a million Macs and counting



Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English<http://news.drweb.com/show/?i=2341>—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter<https://twitter.com/#!/hexminer/status/187623741273026562> that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple’s headquarters are located.


We have been covering<http://arstechnica.com/apple/news/2011/09/mac-trojan-pretends-to-be-flash-player-installer-to-get-in-the-door.ars> the Mac Flashback trojan<http://arstechnica.com/apple/news/2011/10/variation-on-mac-malware-disables-built-in-os-x-malware-protections.ars> since 2011, but the most recent variant from earlier this week targeted an unpatched Java vulnerability<http://arstechnica.com/apple/news/2012/04/mac-trojan-exploits-unpatched-java-vulnerability-no-password-needed.ars> within Mac OS X. That is, it was unpatched (at the time) by Apple—Oracle had released a fix for the vulnerability in February of this year, but Apple didn’t send out a fix<http://arstechnica.com/apple/news/2012/04/apple-has-issued-a-security.ars> until earlier this week, after news began to spread about the latest Flashback variant.


According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix<http://support.apple.com/kb/HT5228?viewlocale=en_US&locale=en_US> for the Java vulnerability is out, however, there’s no excuse not to update—the malware installs itself after you visit a compromised or malicious webpage, so if you’re on the Internet, you’re potentially at risk.


If you think one of your machines may be infected, F-Secure has instructions<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml> on how to use the Terminal to find out.