"600,000+ Macs are in this botnet, including 274 in Cupertino"


For the second time in a year there appear to be widespread malware infections affecting users of Apple's OS X operating system.

In the first half of 2011 we began seeing variants of fake anti-virus applications for OS X, after many years of the problem plaguing Windows users. The tactic must have worked, as we began to see more and more variants distributed up until June.

Around the time Mac fake anti-virus malware disappeared, a prominent Russian cybercriminal, Pavel Vrublevsky, was arrested and the problem appeared to be solved.

Unfortunately the Mac malware scene has made another advancement, and this time it doesn't rely on social engineering or human error.

As Graham wrote earlier this week, cybercriminals have begun to use drive-by exploitation techniques to infect OS X users, the same way they have targeted their Windows brethren previously.

At the time, the vulnerability used by the Java exploit in question (CVE-2012-0507) was not patched in the version of Java distributed by Apple. Yesterday Apple responded by patching the six-week-old flaw with an update to Java 6 update 31.

Here at Naked Security we received a reasonable amount of criticism (as we do every time we discuss Mac threats) about over-hyping the risk and trying to scare people into installing our *free* protection.

The number of attack reports from our customers increased dramatically in the last few days and now information from another anti-virus vendor has shed some light on the scope of the problem.

Russian anti-virus firm Dr. Web reports that they have been able to sink-hole one of the command and control servers used to control victims of this latest attack.

The result? Dr. Web is stating that more than 600,000 OS X users are part of this botnet, including 274 from Cupertino, California.

The Flashback malware being distributed by this exploit is what we refer to as a "downloader". In and of itself it doesn't do any harm to the system; it simply compromises the system and downloads a further payload that can do just about anything the attackers desire.

We have seen two primary payloads associated with this attack. One is a data-stealing Trojan that attempts to steal passwords and banking information from Safari.

The other appears to do search engine redirection, presumably to perform advertising fraud or direct victims to further malicious content.

First and foremost Mac users need to be sure they have installed the latest security patches from Apple.

Second, Mac users can no longer rely on simply updating their computers. Preventative protection is an essential defense mechanism to detect and thwart future attacks.

It doesn't cost anything to install, so why not give it a try?

Apple bite photo courtesy of Shutterstock.


47 Responses to "600,000+ Macs are in this botnet, including 274 in Cupertino"

  1. sean · 876 days ago

    As a thought exercise, how would the Mountain Lion "Gatekeeper" technology affect the spread of this or similar exploit-launched threats? As far as I can see, since the malware isn't being delivered as a saved file, the checks would totally ignore this.

    I expect that there will be an "xprotect" plist update pretty soon.

    • sharp · 876 days ago

      "The latest version of Mac OS X (known as Lion), unlike earlier editions, does not include Java by default, meaning users are not at risk *unless* they have subsequently installed the software."

      GateKeeper does not care as Apple would rather you not use java. Gatekeeper will not stop the exploit, but I think it should affect the downloaded malware that it is meant to download from the exploit.
      http://nakedsecurity.sophos.com/2012/04/03/mac-ma...

  2. Leland · 876 days ago

    Does a Java update rectify this?

    Also, if a computer is infected, how may this problem be removed?

    Does installing your free software remove it from an already infected machine?

    • Chester Wisniewski · 876 days ago

      Updating Java will prevent this exploit from working, but won't remove malware that may have already been installed. The easiest way to detect, remove and protect is to install Sophos Anti-Virus for Mac Home Edition (http://www.sophos.com/freemacav) and run a scan. All users of OS X 10.6 and 10.7 should apply all available patches as soon as possible. If you are using an older version of OS X it is time for an upgrade, Apple doesn't support anything older than 10.6 (Snow Leopard).

  3. Chad Doobray · 876 days ago

    "Dr. Web is stating"... It's ok to spread FUD, if you attribute the FUD to someone else? What does Sophos believe? I'm pretty confident that you won't be prepared to put your name behind this 600,000 infection estimate.
    Unfortunately, it's posts like this that draw the criticism that you complain about. Repeating scaremongering from unverified sources is as bad as making it up yourself.

    • Agreed Sophos would likely not stand by that 600K number. Yet as a Mac user & security officer I've seen Mac malware in my territory for years.

    • Chester Wisniewski · 876 days ago

      Dr. Web was able to sinkhole part of this botnet. By definition only they know what traffic they are seeing, so I can't really verify it. All evidence suggests they are correct and matches up with all the other increases in traffic we are seeing (increased support tickets, more machines reporting detections, etc). I do not believe this is FUD, I am simply pointing out my sources so you can make up your own mind.

      • Chad Doobray · 875 days ago

        Come on Chester, we both know how a sinkhole works. Either the 600k is extrapolated from the sample that Dr. Web has (in which case the accuracy of distribution that they are reporting is clearly nonsense) or it's 600k infections they have actually seen and merely the tip of the iceberg. If the latter is true, then this is genuinely huge and you'd definitely be publishing corroborating evidence. The only other way to get accurate figures is to be in control of the network segment that all the Command and Control servers reside on. That could be true, but is very suspicious in itself. There's a reason that Sophos aren't applying any scrutiny to these claims; I'd assert it is because they help you market your products and position.

        • Chester Wisniewski · 874 days ago

          It would appear to be the tip of the iceberg. Kaspersky repeated Dr. Web's research and came to an identical conclusion. Each Mac that is infected calls home to the C&C using a UUID, making it very easy to count unique UUIDs and determine the exact number of machines calling home during a given time window. This malware generates a domain name to call home to each day, based on the date (very similar to Conficker). Kaspersky simply registered one of the domains that it checks that was not already registered by the criminals and counted UUIDs that called home on that date. Pretty hard to dispute really.
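
Chester's reply above describes sizing the botnet by counting unique UUIDs seen at a sinkholed domain on a given date. As an added example (not from the original post or from any vendor's tooling), the sketch below does that count over a constructed log and compares it with counting source IPs; the log line format, field names and sample values are assumptions.

```python
import re
from collections import defaultdict

# Assumed sinkhole log format (constructed for this example):
#   "<YYYY-MM-DD> <source IP> uuid=<UUID>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})\s+(?P<ip>\S+)\s+uuid=(?P<uuid>\S+)$"
)
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed sample data: documentation IP ranges and made-up UUIDs.
SAMPLE_LOG = """\
2012-04-06 203.0.113.10 uuid=3F2504E0-4F89-11D3-9A0C-0305E82C3301
2012-04-06 203.0.113.10 uuid=3f2504e0-4f89-11d3-9a0c-0305e82c3301
2012-04-06 203.0.113.10 uuid=9B2C7A10-0000-4A6E-8F11-AA00BB11CC22
2012-04-06 203.0.113.10 uuid=C0FFEE00-1234-4ABC-9DEF-001122334455
2012-04-06 198.51.100.7 uuid=C0FFEE00-1234-4ABC-9DEF-001122334455
2012-04-06 198.51.100.99 uuid=not-a-uuid
2012-04-06 192.0.2.55 GET / HTTP/1.1
2012-04-07 192.0.2.200 uuid=3F2504E0-4F89-11D3-9A0C-0305E82C3301
2012-04-07 192.0.2.201 uuid=3F2504E0-4F89-11D3-9A0C-0305E82C3301
2012-04-07 192.0.2.202 uuid=3F2504E0-4F89-11D3-9A0C-0305E82C3301
2012-04-07 192.0.2.203 uuid=0A1B2C3D-4E5F-4061-8273-8495A6B7C8D9
"""


def parse_line(line):
    """Return (day, ip, uuid) for a well-formed check-in, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. a scanner or crawler hitting the sinkhole
    uuid = m.group("uuid").lower()  # normalise case so one machine counts once
    if not UUID_RE.match(uuid):
        return None  # malformed identifier: do not inflate the count
    return m.group("day"), m.group("ip"), uuid


def summarise(log_text):
    """Count check-ins, unique UUIDs and unique source IPs per day and overall."""
    per_day = defaultdict(lambda: {"checkins": 0, "uuids": set(), "ips": set()})
    all_uuids, all_ips, rejected = set(), set(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            rejected += 1
            continue
        day, ip, uuid = parsed
        per_day[day]["checkins"] += 1
        per_day[day]["uuids"].add(uuid)
        per_day[day]["ips"].add(ip)
        all_uuids.add(uuid)
        all_ips.add(ip)
    return {
        "days": {
            day: {
                "checkins": d["checkins"],
                "unique_uuids": len(d["uuids"]),
                "unique_ips": len(d["ips"]),
            }
            for day, d in sorted(per_day.items())
        },
        "window_unique_uuids": len(all_uuids),
        "window_unique_ips": len(all_ips),
        "rejected": rejected,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for day, stats in report["days"].items():
        print(day, stats)
    print("window:", report["window_unique_uuids"], "UUIDs,",
          report["window_unique_ips"], "IPs,", report["rejected"], "rejected lines")
```

On the sample, IP counts understate the first day (several machines behind one address) and overstate the second (one machine seen from several addresses), which is why a per-machine identifier gives the more defensible count.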

  4. Please for once and for all stop scaring Apple users. Apple takes no more than an hour to stop any type of malware, before any user can be compromised, though all antivirus software have their own paid whitelist containing true malware!!! Earning millions of US dollars so they can keep free. Damn.

    • sharp · 876 days ago

      How is this a scare? This information is to explain that a patch was resolved in February, and Apple has just now created a fix 6 weeks later. You could be one of the infected PCs for the past 6 weeks while Apple decided to take action for this, since you're not running AV to know about recent up to date infections.

      You say Apple takes no more than an hour to stop malware, but then can you explain why 600,000 MACs have been compromised for a possible 6 weeks because Apple didn't take action when this exploit was discovered? I see this as 1008 Hours that Apple took to stop this malware, which is 1007 hours later as you stated that these infected PCs should have fixed themselves.

      I see way too many Mac users say they don't need protection, when really they are the ones infecting networks, and no AV protection to ever inform them. The only benefit of Apple is the simple process of removing issues, but unless you're doing this 1 hour fix every time you turn on your PC, then you have a chance of infection without ever knowing.

    • Fabio, seriously, Apple's pattern recognition approach is doomed to failure. And, they are way way behind the pattern recognizers in the AV industry. Modern malware changes patterns quickly and they run polymorphic malware that changes pattern with each download. Criminal gangs running this malware update more frequently than Apple can add patterns. It's a loser's game. What Apple should do, without giving up its AV efforts, is invest more in getting timely updates out. Bad guys can't infect me if my software is patched, but they left us exposed this time for what, 30 days? Not as bad as Adobe which may have left a critical out there for more than 6 weeks in the last year, but not what I expect as an Apple customer.

  5. In response to, "Second, Mac users can no longer rely on simply updating their computers. Preventative protection is an essential defense mechanism to detect and thwart future attacks." I just don't think that makes sense. Would running Antivirus on a Mac really thwart off future attacks on Mac OS? I still stand behind the fact that Mac OS X's Unix upbringing has prevented many security problems. Just the other day I was visiting my relatives and their Trend Micro Antivirus was running their computer's CPU at 100%. I think Antivirus is just as big a problem as the viruses themselves. It's a backwards way of solving the problem by making your computer search and destroy every second it is turned on. I hope Apple responds to this with ways to improve security, such as putting better security sandboxes around Java in the browser instead of suggesting we run Antivirus. I should say that Windows has also made great improvements in security and I don't run Antivirus on Windows either.

    • sharp · 876 days ago

      Let me simplify for you. February 2012, Exploit known. Windows and AV programs already take measures to secure this is not a threat.

      April 4th 2012. After finding 600k Infected MACs Apple decides it should patch this flaw. By having AV protection it would have found the exploit and thwarted the attack during this 6 weeks while Apple was still deciding it as a concern to take action. Hence AV thwarts future attacks. In 6 weeks I can accomplish a lot; not only redirecting your browsers for a profit, but building a profile of where you go, what you do, usernames, passwords etc. and since you have no AV protection, you will never know that 10% of your CPU is being consumed by malware, or for my own purpose.

      So when you read the line "Preventative Protection is an essential defense mechanism to detect and thwart future attacks." Makes 100% sense.

      Trend Micro does suck, but this is an issue of incorrect configuration, as you will find your relatives are not computer savvy, and put the CD in and pressed install for the greatest setting or protection.

      • KPOM · 876 days ago

        "Trend Micro does suck, but this is an issue of incorrect configuration, as you will find your relatives are not computer savvy, and put the CD in and pressed install for the greatest setting or protection."

        That's an issue in itself, though. Most people aren't tech savvy. They know how to do the basics, but most people shouldn't be expected to know the ins and outs of software configuration. I think the best solution will be based on built-in malware protection, which both OSes have to varying degrees (Windows is more advanced here because the problem became so rampant in the Windows 95/98 and XP days).

        • Interesting. Are you talking about Windows Defender as malware protection? I've been running that for years on my Windows PCs and it's never reported anything. I'm fairly tech savvy (I write apps, compile programs in linux, run WireShark frequently on my home network). Perhaps I'm just lucky but I really think Antivirus and Malware gives OS developers a cop-out. On Mac I'd much rather prefer to run Little Snitch or WireShark to see if I have malware or trojan problems than to say bloat my system down with a software that scans files and whatnot. Thanks for the reply.

      • Chad Doobray · 875 days ago

        Sorry, but you'll need to clarify what measures "AV programs" were taking back in February 2012? AV programs work on definitions and pattern matching. The malware needs to be written and discovered before the definition can be created and put in place. AV programs don't protect against exploits. They scan for known malicious software. Has Sophos confirmed that it has this variant in its Mac virus definitions? Maybe it can confirm when it was added?

        • Chester Wisniewski · 874 days ago

          Our detection EXP/20120507-A began detecting malicious content exploiting this vulnerability on March 27th. While detecting a specific sample with an accurate name requires having seen a sample, we proactively detect most malware based upon behavior and exploitation techniques. This exploit, for example, is predictable in the way it manipulates Java files in a way that is detectable without knowing what payload or damage it may be designed to deploy.

    • Alan · 876 days ago

      Security is more than anti-virus and in any case most companies don't make anti-virus in the traditional sense anymore (or in the sense that most MAC users seem to understand) because viruses in the strict sense of the term aren't really a problem. It's all the other types of malware, especially Trojans, that are an issue. Traditional signature-based detection is pretty much useless because of server-side polymorphism (i.e. every instance is unique). Effective modern malware detection focuses on suspect behavioral patterns.

      For effective defense you need to do other stuff as well: be aware of social engineering attacks, run with least privilege, patch OS and apps frequently, uninstall any software you don't need (do you really need to run Java?). There are other things you can do as well like use OpenDNS. You don't have to spend any money to do any of the above.

      The attackers in most cases don't care what OS you are using. Everything has vulnerabilities and they will exploit anything if it's worth their while. These activities are mostly undertaken by organized criminal enterprises and they are well-funded. They are constantly learning and adapting. You do too.

  6. Ella · 876 days ago

    I've just run a software update check and no OS or Java updates are showing. Is this only for certain versions of OS and if so, which ones?

    • T.Anne · 876 days ago

      The first time I ran the check it said I was good, ran it again this morning and found updates. Though that could've been a timing issue on my part from when I tried earlier this week. According to Krebs on Security the patch impacts Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7

      • Ella · 876 days ago

        Thanks. So if I'm on ancient 10.5.8 should I be doing anything?

        • Chester Wisniewski · 876 days ago

          Yes, upgrade! OS X 10.5 is not supported or updated any longer. You can disable Java in your browser, but you will still be vulnerable to operating system flaws. Only Snow Leopard (10.6) and Lion (10.7) are able to be fully patched.

          • Babkit · 876 days ago

            Unless Ella uses a PPC Mac, in which case she cannot upgrade without getting a new computer.

  7. MacUser · 876 days ago

    People who assume that articles related to Mac malware are intended to directly or indirectly scare Mac users are either home users who know nothing about IT security or network admins that should be looking for another job. Mac malware is a real threat and if you are in charge of an organization's IT department you cannot turn a blind eye to Mac malware.

  8. Machin Shin · 876 days ago

    I must say that I really do love the arrogant "I'm bullet proof" attitude of most Mac users. In reality I think there is a very important fact many are missing in this equation. That is that Macs are not bulletproof and never have been. Hackers are playing a numbers game, when you hope to maybe make a few cents off every 100 computers infected you aim for the largest group you can find. Macs have been protected largely due to their numbers and uses.

    It seems that most Mac users are going to need a catastrophic event to happen to wake them up. I for one am going to enjoy sitting back and watching it smack them in the face when it does happen though. Anyone with half a brain should be able to realize that there is no such thing as a perfect system. Just look at Chrome, they thought that browser was bulletproof and when they were arrogant enough to puff out their chest about it hackers promptly showed them they were wrong.

    The one thing I am sure of in this world is that if you want to see something done all you need to do is stand up and tell the hacking community it can't be done.

  9. longtimemac · 876 days ago

    I was skeptical. There was a trojan on my mac air (fully patched). In the last 3 weeks my gmail and yahoo were compromised. I didn't know how and locked those down. However, after running your product - a trojan was found. I will ensure that I am not so complacent next time. Only wish you had a product to check our iphones...malware can't be too far from that.

    • Chad Doobray · 875 days ago

      Wow - which trojan was that? Fully patched and yet you get an unspecified (keylogging?) trojan that Sophos was aware of and Apple wasn't? Good work Sophos! I hope I don't get infected by one of these non-specific trojans. Any chance you could link to the specific malware to remove any scepticism that may remain in my mind?

  10. Alan · 876 days ago

    OS X is designed to be secure? Do you even understand any of the basic principles that make a modern OS secure? Do you realize that Apple, like most other companies, releases a steady stream of security patches? Go to their site and check it out. And they're widely criticized for being really slow to patch. No one waved a magic wand over OS X programmers but if you want to live in fairyland that's your choice.

    For a low-level technical overview of OS X security take a look at the slides from a talk at last year's Blackhat conference:
    http://www.isecpartners.com/storage/docs/presenta...

    Good news is that OS X has just about caught up with Windows security (e.g. now has decent implementation of ASLR etc.) but network security stinks.

  11. Stuart · 876 days ago

    Anyone that thinks over hyping the threat of an infection is a complete plonker if you ask me.

    Granted sometimes they don't find everything first go but the support that Sophos provides in those instances is amazing, it's almost like you guys are pissed off that your software didn't find it and then make it your mission to resolve the problems.

    I just spent a week fighting a horrible issue with support from Sophos and I'm glad to say it's finally under control and without Sophos's support I would have been screwed.

    I have been using Sophos for about 2 years now and the system seems to be the best I have seen so far (we changed from Symantec) and compared to Symantec End Point security 10 (I believe it was when we jumped) is amazing.

    Anyone out there drop your Symantec and try out Sophos you won't look back!

    Keep on Hyping the issue and eventually people will take note and listen!!

    Come on Mac users reading this that don't have protection! Download it nooow!!!!

    • Chad Doobray · 875 days ago

      What protection are you recommending? On-access scanning? Have Sophos confirmed it was able to detect this variant? You believe that it's worth taking the performance hit of on-access scanning? How many malware definitions are in the product, which aren't already known by the OS? Keep hyping the issue? You mean spreading FUD, right? Information is appreciated; hype is not.

      • Chester Wisniewski · 874 days ago

        We not only detect these samples, but over 100,000,000 other malicious samples for all platforms (Linux, Android, Windows, Mac OS Classic, etc). The performance impact from on-access scanning is nearly non-existent on modern computers. As always an ounce of prevention is worth more than a pound of cure. Apple's XProtect only detects a fraction of the Mac malware in the wild, and only under specialized circumstances.

        If you feel it is FUD, you are welcome to leave yourself open to the next attack. Everyone is entitled to their opinion.

  12. Alan · 876 days ago

    Metasploit on CVE-2012-0507 vulnerability in Java:

    "...the exploit should be very reliable across different systems. In the above screenshot, we tested the exploit against different platforms from Windows XP, Windows 7, all the way to Ubuntu and OSX. As long as your target has the vulnerable version of Java, this exploit should get you shells"

    https://community.rapid7.com/community/metasploit...

  13. NIck Galbreath · 876 days ago

    "It doesn't cost anything to install, so why not give it a try?" Are you claiming Sophos Mac AV detects this or not? And if so, when was the signature added? Thanks.

    • Chester Wisniewski · 874 days ago

      Yes, we detect this and there are various identities associated with different components of this malware. Files that exploit the vulnerability (CVE-2012-0507) have been detected as EXP/20120507-A since March 27th. Other pieces that are installed after exploitation are detected as Troj/JavaDl-JI, OSX/Dloadr-DMU and OSX/Flshplyr-B.

      • NIck Galbreath · 873 days ago

        This is a much better reason to try your product than it being free ;-)

      • Alex · 869 days ago

        Hi, Chester

        I have had Sophos up and running on my Mac pretty much since it was made available.
        I never shut it down, it checks database updates daily, and I have the "on-access scan" feature on.

        However, I still managed to get infected somehow, according to the following site : http://flashbackcheck.com/

        How did that happen ?
        Am I doing something wrong ?

  14. hairy · 874 days ago

    Get protection before you get your mac-on.

  15. Lourens van Veelen · 874 days ago

    There we go again, I wonder how much money this will generate for all you folks, scaring people does wonders, but common sense is always better.

    Just don't install java or flash period.

    In the Netherlands no infections reported, strange but maybe there aren't any at all... Only in a Russian lab of some anti-virus "company".

    I wonder if my message stays here for long.

    • dav2 · 872 days ago

      Guess it did.
      My question is how does the virus get in -
      is this via an email attachment (as the cis manager says)
      or can it be gotten as a hidden script on a webpage (and would noscript block it?)

      • Chester Wisniewski · 872 days ago

        It is being distributed through infected web pages with the Blackhole exploit kit. If you block scripting you may be safe, but the infection vector uses a Java applet. Disabling Java and scripting should prevent accidental infection.

  16. G dean · 871 days ago

    I use a Mac because I have no wish to make my computer as unusable as a micros**t product. Apple have been pretty good at patching these problems in the past. Stop the scare mongering Sophos!

    • Guest · 869 days ago

      People like you are the reason why 600k+ machines are infected.... I swear people should take an exam to use computers, just like a drivers license...

      Do you know how to read? 600,000 infections... 6 weeks to take action?? The microsh!t product as you so "brilliantly" call, patches every week.... that speaks tons on the companies.

  17. Guest · 870 days ago

    Scaring people to make money? haha considering Sophos provide a free AV product for Mac users shouldn't they be scaring Windows users to make money.. some people's logic makes no sense

  18. Lawrence · 867 days ago

    How to create a new market, first give what they " need " for free so later on you can ask a small fee for your service.

    Great marketing strategy, always works!

    How good is your mathematics? No computers in the Netherlands are affected till today not even 1% are we so different from the rest of the World?

  19. NinjaMice · 852 days ago

    Funniest thing is that MAC users are so disconnected from securing their systems and getting to know their systems in the process, that this whole world of 'IT security' is entirely foreign and they shy away from it. Mac users and emerging security threats will either give birth to a new OS and electronic jelly bean invention or provide lots of cash opportunities to fix all the infected MACs owned by IT naive people who do not want to secure or fix their machine. lol I hope MAC sales increase, I think I have found my retirement plan.
    Also, why is Apple so invested in preventing security for its MAC owners?
    It seems kind of odd considering the biggest deception in their advertising, which their customers repeat like a mantra, 'Apple is secure, Apple can't be hax'd'...I mean what motivation could Apple have to compromise the security & data of their customers en-masse? Could this be a lead up to a new product, provided by Apple for Apple's mistakes?
    I would have thought after S.Jobs died, people would have curbed their Apple purchases, it's not like he will know Apple is dying too.
    Also, why don't people remember how Steve Jobs attempted to prevent computers from humanity because he couldn't handle others using the technology better than he did, ie Bill Gates? For me, this makes Apple products a 'no-go' zone due to the ethics of supporting such business practices; maybe after MAC owners are compromised to a severe degree will Apple be investigated for producing products designed to keep their owners 'locked-out' and unable to operate the machine unless the owner is using it in the precisely prescribed manner, decided by Apple.
    And will this eventually result in an investigation into Apple controlling machines remotely, backing up any & all personal data they choose and challenge the concept of 'technology ownership' which Apple has singlehandedly compromised and is now a 'standard' operation by IT developers, without any limits being prescribed to date.
    Once upon a time when you purchased an item, paying in full, you owned it and were responsible for how it is used. Apple changed this, whereby Apple still retains rights to use the product as it chooses, even after sale at purchase, not rented, pricing; setting the machine up to be managed by remote access AKA Steve Jobs control freak 101.

    What will it take? A Sony style data theft? A bust/breach/hijack @ Apple data headquarters? Or a terrorist attack committed by the use of Apple products, exposing the non-existent security and the zero responsibility levelled against IT device 'owners' who have been forbidden, by design, from being responsible for their equipment and the legal use of it.
    It's one thing to be hacked & your machine to be 'commandeered' for other purposes, despite best efforts and available safeguards; but what about a company who specifically designed a vacuum of responsibility, taking as much of it from individuals as possible by the nature of Apple products, yet being accountable for absolutely none of it?
    I see Apple as a train wreck in slow motion.
    It was kinda fun while Steve was playing catch-up with Gates, while the hardcore consumerists greedily, rabidly, consumed everything & while IT devices became more and more mobile; now the novelty has worn off though, the world is filled with IT ignorant, innocent people, who are using machines which are by nature & design, compromised and a serious security threat to all who use & connect with it.
    Considering the future direction of TV, where will the limits of personal data available for exploitation, actually become defined?
    TV, Phone with Camera, Computer with Camera, Tablet with Camera, Car Devices, GPS, Music - Video - Media Devices...all with Camera and Voice recording abilities, all connected for any exploitation which may present.

    Apple will one day be remembered as the "Bubonic Plague" of IT, its development and its place in modern civilization; a risk everyone else has warned about but was ignored for the hypnosis induced joy of the "electronic jellybean"!!

    • Lawrence · 851 days ago

      I read a lot of crap in my life, but this beats everything... But that's exactly the reason why people should have a choice, but I hope for you that Bill Gates will have a long life ... When you think this way then UNIX should be completely dead by now.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.