Flashback now has a 600,000-strong Mac OS X botnet

Nasty Java-applet used to infect 32,000 Aussies with Flashback Trojan.

Russian antivirus firm Doctor Web claims the Flashback Trojan variant has infected enough Mac OS X systems to create a botnet of 600,000 hosts.

By Windows standards, 600,000 is small. The Zeus botnet, which targeted Windows systems, was by contrast claimed to have infected 13 million machines since 2007, according to Microsoft, which took action against it last week.

But it is big by the standards of Mac OS X, a platform often claimed to be off attackers’ radar.

Dr Web said its researchers used a “sinkhole” to redirect the Flashback botnet’s traffic to its own servers, allowing them to come up with the figure, which it initially reported as 550,000.

“Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4,” the security firm claimed.

More than half the infections were in the US, about 19 per cent in Canada, about 12 per cent in the UK, and fourth on the list was Australia at about 6 per cent, amounting to 32,527 infected hosts.

However, infections quickly climbed, according to the company. Ars Technica referenced a Twitter update by Dr Web malware analyst Sorokin Ivan, who claimed infections had hit 600,000 four hours after the initial report.

The Flashback attackers have been working on new variants since the Trojan was first discovered in 2011, and over the past few months have exploited several vulnerabilities in Java (owned by Oracle), the latest of which F-Secure warned about last Sunday.

After a Mac user visits a rigged website, the Trojan first checks the machine for any of several security products on a list it carries; only if none is found does it drop the payload.

“Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit,” according to Dr Web.

Security researchers have ramped up warnings over the past week for Mac users to disable Java. F-Secure provides instructions on how to do that here and removal instructions here.

Flashback, as F-Secure and Dr Web point out, was exploiting two Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353) in February 2012 to infect systems without user interaction.

Mac AV vendor Intego drew attention to the Trojan’s new techniques in February, but did not say which flaws it was exploiting to infect machines without user intervention.

Those were old flaws.

“After March 16 they switched to another exploit (CVE-2012-0507),” says Dr Web, a Java flaw that Oracle issued a fix for in February.

Oracle’s fix reached Windows users in February, but Apple, which ships its own Java builds for Mac OS X, only released its patch yesterday.

“The vulnerability has been closed by Apple only on April 3 2012,” Dr Web notes.

Mac users are strongly advised to update their OS X software immediately. Apple provides details about the update here.
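As an added example (not code from the article, from F-Secure or from Apple), the following shell check reports whether a Mac still carries a Java runtime older than the one Apple shipped on April 3 and whether the browser applet plug-in is present. The patched build number 1.6.0_31 and the plug-in path /Library/Internet Plug-Ins/JavaAppletPlugin.plugin are assumptions not stated in the article; confirm both against Apple’s advisory before relying on the result.

```shell
#!/bin/sh
# Added example, not from the article, F-Secure or Apple: classify the Java
# runtime on a Mac against Apple's 3 April 2012 update.
# ASSUMPTIONS: the patched Apple build is 1.6.0_31 and the applet plug-in
# lives at the path below. Check both against Apple's advisory.
MIN_UPDATE=31
PLUGIN_PATH="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

# Extract the update number N from a Java 6 version string such as
#   java version "1.6.0_29"
# Prints nothing when the input is not a 1.6.0_N version.
java6_update_number() {
    printf '%s\n' "$1" | sed -n 's/.*1\.6\.0_\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify a `java -version` banner (or a bare version string):
#   patched     1.6.0_N with N >= MIN_UPDATE
#   vulnerable  1.6.0_N with N <  MIN_UPDATE
#   unknown     not an Apple Java 6 build (Oracle Java 7, OpenJDK, ...)
java_version_status() {
    upd=$(java6_update_number "$1")
    if [ -z "$upd" ]; then
        echo unknown
    elif [ "$upd" -ge "$MIN_UPDATE" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Live check of the host running the script.
check_host() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java binary on PATH: nothing for a malicious applet to run in"
    else
        banner=$(java -version 2>&1 | grep 'version' | head -n 1)
        case $(java_version_status "$banner") in
            patched)    echo "OK: $banner" ;;
            vulnerable) echo "EXPOSED: $banner is older than 1.6.0_$MIN_UPDATE; install Apple's Java update or disable Java" ;;
            unknown)    echo "UNKNOWN: $banner is not an Apple Java 6 build; check it against the vendor advisory" ;;
        esac
    fi
    # The browser plug-in is what lets a drive-by page hand an applet to the JVM,
    # so its mere presence matters even when the runtime is up to date.
    if [ -d "$PLUGIN_PATH" ]; then
        echo "NOTE: Java applet plug-in present at $PLUGIN_PATH; disable it in the browser until the runtime is patched"
    fi
}

check_host
```

The version parser deliberately refuses to guess about anything that is not a 1.6.0_N build: a Java 7 or OpenJDK banner is reported as unknown rather than patched, since Apple’s update does not cover those runtimes and a different advisory applies.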

According to Dr Web, more than 4 million web pages could infect Mac OS X systems lacking the Java update, reportedly including the website of widely used networking equipment maker D-Link.

Dr Web said its research has debunked the myth “there are no cyber-threats to Mac OS X”.

Stories by Liam Tung