Thursday 12 April 2012

Apple update quells Flashback
By Marcos Colon on Apr 8, 2012 7:10 PM
Filed under Applications
Apple hacker says Mac users should get anti-virus.


Apple released a second security update on Friday in its continuing battle against the Flashback trojan, which already has infected nearly 650,000 Macs worldwide.
The computing giant may have found a glitch in its first update for Java, which contained a vulnerability that enabled the spread of Flashback.
That forced Apple to follow up with a second patch, which is only for Mac OS X 10.7 (Lion), according to a blog post from security firm Intego.
Although the creators of Java, Oracle, released fixes for Java in February, Apple's response was delayed, said Charles Miller, principal research consultant at security consulting firm Accuvant Labs.
“They have a habit of taking a long time to supply patches [for third-party products], which always puts their users at risk,” Miller said.
“I hope that this outbreak will help them to see this point and they will hurry up their patching in the future.”
A user's computer can become infected with Flashback by simply visiting a bogus web page, an attack known as a drive-by-download.
Anti-virus software would be able to alert users to an infection, but outside of that, chances are Mac users would not notice the silent attack, Mikko Hypponen, chief research officer at F-Secure, said.
Once installed on the machine, Flashback is capable of a number of malevolent actions, including stealing data, hijacking search results and installing additional malware, though it doesn't seem to be targeting personal information just yet, according to experts.
“Versions of Flashback have been around for months, but this is the first one which uses an exploit to infect you,” Hypponen said. “From the user's point of view, the difference is that the user does not need to be tricked into entering a root password for them to get infected [as was the case with previous variants].”
After experts at Russian AV vendor Dr. Web were able to “sinkhole” one of the botnet's command-and-control hubs, they were able to tap into the traffic, redirecting it to their own server, which allowed them to then count the number of compromised machines.
According to a report released Wednesday by Dr. Web, Flashback has infected 600,000 machines globally, and more than half -- 303,440 -- are located in the United States.
On Thursday, Igor Soumenkov, a Kaspersky Lab malware researcher, confirmed the numbers, according to a blog post, after his lab set up its own sinkhole.
“We were able to calculate the number of active bots,” Soumenkov wrote. “Our logs indicate that a total number of 600,000-plus unique bots connected to our server in less than 24 hours.”
Although they could not confirm or deny that the bots connected to the Kaspersky server were running Mac OS X, Soumenkov added that through fingerprinting techniques, “more than 98 percent of incoming network packets were most likely sent from Mac OS X hosts.”
However, he did qualify his remarks. “Although this technique is based on heuristics and can't be completely trusted, it can be used to make order-of-magnitude estimates,” he wrote.
According to market researcher NetApplications, Windows is the most popular operating system in the world, running on more than 90 percent of computers, indicative of the attention malware authors place on it.
But cyber criminals likely will take note of the size of the Flashback botnet and thus more earnestly consider OS X as a viable target, said Miller.
“As more people buy Macs, malware authors will follow along too,” he said. “It might be time to think about getting anti-virus for your OS X systems.”
An Apple spokesperson could not be reached for comment.
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition