Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team

The Flashback malware affecting OS X systems has gained quite a bit of publicity since it was disclosed last week that over 600,000 Macs have been infected by the malware. Flashback began life last year as a trojan and has morphed into a drive-by download taking advantage of a vulnerability in Java that Apple did not patch until last week, despite Oracle having released patches for other systems back in February.

Over the past few days, a few additional tidbits of information on Flashback have surfaced, including the arrival of some new tools to help users manage the threat.

- As noted by Ars Technica, a new Mac app by the name of Flashback Checker has been released to help users determine whether their machines have been infected. Users have been instructed to use Terminal to enter commands searching for files created by the malware upon infection, and Flashback Checker offers a simple packaging of these commands behind a user interface. While the app is incredibly simple and does not offer assistance with removing Flashback if it is found on a given system, it does provide a more familiar interface for those who might be intimidated by delving into Terminal on their own.


- OpenDNS has announced that it has added filtering of Flashback to its services. OpenDNS is a DNS resolver service with a number of features layered on top of ordinary name resolution, and blocking resolution of the domains Flashback relies on works at both ends of the infection: it stops the drive-by pages from loading in the first place and cuts already-infected machines off from the command-and-control servers that deliver instructions to them.

- Forbes has an interview with Boris Sharov of Russian security firm Dr. Web, which was first to bring the magnitude of the Flashback threat to light. In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are.
“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” says Sharov. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

Sharov believes that Apple’s attempt to shut down its monitoring server was an honest mistake. But it’s a symptom of the company’s typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.”
Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.
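The Terminal check that the Flashback Checker item above wraps in a user interface was, at the time, the one F-Secure published: look for a DYLD_INSERT_LIBRARIES entry in the LSEnvironment dictionary of Safari's Info.plist and in ~/.MacOSX/environment.plist, the mechanism the payload used to get itself loaded into the browser. The script below is an added example written for this page, not the Flashback Checker app's code and not F-Secure's instructions; it performs that check as a POSIX shell function over constructed sample plists written to a temporary directory, and the injected library path in the sample is made up.

```shell
#!/bin/sh
# Added example (not the Flashback Checker app's code): the manual Terminal
# check as a small script. The published indicator was a DYLD_INSERT_LIBRARIES
# entry injected into Safari's Info.plist LSEnvironment dictionary or into
# ~/.MacOSX/environment.plist; a clean system has neither.

# Print the DYLD_INSERT_LIBRARIES value found in an XML plist, or nothing.
# In an XML plist each <key> is followed by its value element, so remember
# the key and take the next <string>. A missing file is the clean case.
dyld_insert_value() {
    [ -f "$1" ] || return 0
    awk '
        /<key>DYLD_INSERT_LIBRARIES<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
    ' "$1"
}

# Check every plist path given; print each injected library and return 1 if
# an indicator was found, 0 if all files are clean or absent.
flashback_check() {
    found=0
    for plist in "$@"; do
        lib=$(dyld_insert_value "$plist")
        if [ -n "$lib" ]; then
            echo "INDICATOR: $plist injects $lib"
            found=1
        fi
    done
    return $found
}

# Constructed sample files standing in for the real paths
# (/Applications/Safari.app/Contents/Info.plist and ~/.MacOSX/environment.plist).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CLEAN="$SAMPLE_DIR/clean-Info.plist"
SAMPLE_INFECTED="$SAMPLE_DIR/infected-Info.plist"

cat > "$SAMPLE_CLEAN" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Safari</string>
</dict>
</plist>
EOF

# The library path below is invented for the example.
cat > "$SAMPLE_INFECTED" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/Safari.app/Contents/Resources/example-injected.dylib</string>
    </dict>
</dict>
</plist>
EOF

if flashback_check "$SAMPLE_CLEAN" "$SAMPLE_DIR/missing.plist"; then
    echo "clean sample and absent file: no indicator"
fi
flashback_check "$SAMPLE_INFECTED" || echo "infected sample: indicator found"
```

On a Mac of that era the same two checks were typed as `defaults read /Applications/Safari.app/Contents/Info LSEnvironment` and `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`, and a clean machine answers that the domain/default pair does not exist. Apple ships many plists in binary form, so to point this script at a real file convert it first with `plutil -convert xml1 -o - /path/to/Info.plist > /tmp/Info.xml`. A negative result only means these two indicators are absent; the checker, like this script, finds only what it is told to look for.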

Top Rated Comments

34 months ago
Secrecy has its place for new product announcements, but Apple needs to get its head out of its ass in regard to security issues. Start working with the good guys, communicate a little bit with them. Playing ostrich doesn't help anyone examine or solve problems.
Rating: 17 Votes
34 months ago



In the interview, Sharov describes how difficult it was to even track down the proper team at Apple with which to share their data, also noting how uncommunicative Apple has been throughout the process. In fact, the only sign of interest they've seen from Apple is the company's efforts to shut down the "sinkhole" Dr. Web was using to reroute traffic from infected machines to gauge how widespread the infections are. Security experts at Kaspersky Lab, which verified Dr. Web's assessment of Flashback's prevalence, indicate that Apple is indeed taking the proper steps to address the threat, including tracking and shutting down the servers being used by the malware. But the company has little experience with threats of this magnitude and is undoubtedly scrambling to keep on top of the situation.

Article Link: Flashback Tidbits: Flashback Checker, OpenDNS Protection, Apple's Low-Visibility Security Team (http://www.macrumors.com/2012/04/10/flashback-tidbits-flashback-checker-opendns-protection-apples-low-visibility-security-team/)


Typical apple ...
Rating: 15 Votes
34 months ago
The end of an era!

We’ve gone from:

* 2001: Macs are just as dangerous as Windows, probably worse, because, even though there has never been a successful real-world malware infestation on OS X, thousands of them are just about to happen any minute now!

To:

* Macs are just as dangerous as Windows, probably worse, because there has been ONE successful real-world malware infestation on OS X.

(I definitely do count this instance: it’s not a virus, not a worm, but it’s not a mere Trojan either—it’s a Trojan that installs itself; meaning the web site itself is the Trojan Horse—and one link is all it takes to get to a web site.)

P.S. I’d like to see more on the other side of the story: first a web site must be compromised, and only then can a Mac visiting it (with Java on) be compromised too. How are these web sites being compromised, which ones are they, how many of them, can we detect them, and can they be blocked if not fixed?
Rating: 12 Votes
34 months ago

Myth of the inherent invulnerability of OS X to malware... Busted! :eek:


No one ever claimed OS X was invulnerable to malware. This isn't the first piece of malware for OS X anyhow.
Rating: 10 Votes
34 months ago
And still no fix for Leopard and Tiger users
Rating: 8 Votes
34 months ago
Step 1: Fake trojan outbreak news

Step 2: Create bogus removal tool that infects Mac when run

Step 3: 20 million Macs now trojan’ed


:D


I’m sure it’s fine, and if you’re paranoid you can compile the source yourself (though if you can compile source, you should be able to perform the manual check easily...)
Rating: 8 Votes
34 months ago
Another piece I’m curious about: are email spam/phishing campaigns (possibly driven by Windows botnets) being used to send out clickable links to infected sites?

That’s a potential malware vector that I wouldn’t ignore if I were behind this, but email hasn’t been mentioned in the articles I’ve seen.

(By the way, Apple has stumbled in their communication on this—and maybe on their actions too—which does show their lack of experience; probably not their lack of caring. It may also be that this Russia-based sinkhole left them wondering who the good guys really are—which could well keep them silent while making sure of that. Even so, looking at the big security picture, I have to give credit where due: they’ve done things with Lion that NO other “more experienced” OS or vendor has done for security. They’re not the pros in every regard, but they do lead the security pack in other ways. Ways which make me even more glad to be on Mac.)

Also, as for Java being insecure, I always assumed that and always had it turned off, but it shouldn’t have been left to me to do so. Apple should turn it off by default, since most people never need it. I consider Java being enabled by default (much like Open Safe Files) to be a dropped ball by Apple. But easily remedied!


What's more annoying is that all the idiotic Windows fanboys are parading around every known social networking site gloating that Macs actually do get viruses.

How did so many people become so misinformed about the differences between trojans, worms, and viruses?


To be fair, “virus” (spreads itself from program to program) vs. “worm” (spreads itself from computer to computer) are terms few can tell apart, and even tech companies don’t always use them consistently. And “Trojan” is too simple a term—some distinction needs to be made between “requiring an unusual user action” and requiring simply visiting a web page. When I see Windows malware installing itself from someone simply visiting a web page, I certainly don’t minimize that risk! This time, it’s Macs. I guess “drive by” seems to be the term here, although I never heard that term before this.

Granted, trolls are making much more of this than it is (which no doubt hurts Mac sales as intended) but the term “virus” is kind of an understandable mistake.

No one ever claimed OS X was invulnerable to malware. This isn't the first piece of malware for OS X anyhow.


Exactly. First successful one, but here’s the real myth: the myth of “people who claim Macs are invulnerable.”

No, people merely claim they’re safer. Which they still are. For many reasons, all of them helpful!
Rating: 7 Votes
34 months ago

Wait, so it was difficult to contact someone because you don't have direct email addresses to internal people? Why do you need to know this? Here (https://ssl.apple.com/support/security/) it clearly states how to contact Apple.

You don't need to become pen pals with the folks inside Apple just because you found a security vulnerability.

It's not matter of becoming "pen pals", it's matter of tackling the security issues as fast as possible so that the minor number of users are at risk and the botnet does not become a bigger threat (and bloggers have less ammunition to start spreading FUD about Mac security).

Having direct contact information can help with that, but it's not needed, as long as someone fixes the vulnerability very fast and/or replies so that you can start a collaboration in the best interest of security.

Apple was informed long ago of the security holes. Apple did nothing. Zero. No fixes whatsoever. Many of those 600k infected machines could have been prevented with a more serious approach to security responses by Apple, which most likely needs to be implemented given that they are not under the radar anymore.
Rating: 5 Votes
34 months ago

Step 1: Fake trojan outbreak news

Step 2: Create bogus removal tool that infects Mac when run

Step 3: 20 million Macs now trojan’ed


:D


I sometimes wonder if these "security companies" who find these vulnerabilities, are not somehow connected to the hackers who exploit them. Particularly ones based in foreign countries where many of these attacks seem to originate.

Apple is no longer developing Java for OSX now that Oracle bought Sun and took over Java. I don't believe Java is included with the default Lion install. You specifically have to go download it and add it in. So if Oracle releases a fix for a Java security hole, it is understandable that Apple would need some time to make the changes to the JVM's they continue to support and then test them before rolling them out.

Most users have no need for Java on their machines these days. Very few mainstream web sites use it. Corporations that use Java-based apps are probably using some type of ERP system, like Oracle, that uses Java in some of its products, but the average Mac user has very little need for it.

As for Apple being "secretive" or "non-communicative" - typical press noise and hype. These security experts all want their 15 minutes of fame. Or more if they can get it.

It cracks me up how many people come to an Apple-focused web site to whine, complain, and throw hate at Apple. If you are a Windows user, why would you even visit a Mac-focused site? If you're an Apple hater, why even buy an Apple product? What a pitiful life you must lead.
Rating: 4 Votes
34 months ago

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," says Sharov. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."


Ugh, this frustrates me.
Rating: 4 Votes