“600,000+ Macs are in this botnet, including 274 in Cupertino”


Apple bite photo courtesy of ShutterstockFor the second time in a year there appears to be widespread malware infections affecting users of Apple’s OS X operating system.

In the first half of 2011 we began seeing variants of fake anti-virus applications for OS X, after many years of the problem plaguing Windows users. The tactic must have worked as we began to see more and more variants distributed up until June.

Around the time Mac fake anti-virus malware disappeared a prominent Russian cybercriminal, Pavel Vrublevsky, was arrested and the problem appeared to be solved.

Unfortunately the Mac malware scene has made another advancement, and this time it doesn’t rely on social engineering or human error.

As Graham wrote earlier this week cybercriminals have begun to use drive-by exploitation techniques to infect OS X users, the same way they have targeted their Windows brethren previously.

At the time the Java exploit in question (CVE-2012-0507) was not patched in the version of Java distributed by Apple. Yesterday Apple responded by patching the six week old flaw with an update to Java 6 update 31.

Here at Naked Security we received a reasonable amount of criticism (as we do every time we discuss Mac threats) about over-hyping the risk and trying to scare people into installing our *free* protection.

The number of attack reports from our customers increased dramatically in the last few days and now information from another anti-virus vendor has shed some light on the scope of the problem.

Russian anti-virus firm Dr. Web reports that they have been able to sink-hole one of the command and control servers used to control victims of this latest attack.

The result? Dr. Web is stating that more than 600,000 OS X users are part of this botnet, including 274 from Cupertino, California.

The Flashback malware being distributed by this exploit is what we refer to as a “downloader”. In and of itself it doesn’t do any harm to the system, it simply compromises the system and downloads a further payload that can do just about anything the attackers desire.

Flashback installerWe have seen two primary payloads associated with this attack. One is a data stealing Trojan that attempts to steal passwords and banking information from Safari.

The other appears to do search engine redirection, presumably to perform advertising fraud or direct victims to further malicious content.

First and foremost Mac users need to be sure they have installed the latest security patches from Apple.

Second, Mac users can no longer rely on simply updating their computers. Preventative protection is an essential defense mechanism to detect and thwart future attacks.

It doesn’t cost anything to install, so why not give it a try?

Apple bite photo courtesy of Shutterstock.