The biggest Mac malware attack of all time - blogger names suspected mastermind

Filed Under: Apple, Botnet, Featured, Malware, OS X

Apple in snow. Image from ShutterstockThe remote Russian region of Mordovia, famed for its prison camps, may be the home of the author of the most notorious malware ever to hit Mac computers - the Flashback Trojan horse (called OSX/FlshPlyr-A by Sophos products).

The Flashback malware hit more than 600,000 Mac computers in early 2012, posing as a bogus installer for Adobe Flash and exploiting an unpatched vulnerability in Java.

Despite the malware's prevalence on Mac computers and the high media profile it achieved after even hitting hundreds of Mac computers in Cupertino, the computer crime fighting authorities have made no arrests in connection with Flashback.

Mac backdoor Trojan

Award-winning security blogger Brian Krebs has written today about his investigation into who might have been behind Flashback.

Krebs's investigation took him to Russian-language forums belonging to the computer underground, where he found a user called "Mavook" claiming to be the author of Flashback, and saying that he specialised in finding security exploits and creating botnets.

Combing the net for further information, and digging through historic website registration records, Krebs went on to link "Mavook" with Maxim Selihanovich, a man in his thirties, living in the city of Saransk, in Mordovia.

You can read more about the clues Krebs pieced together in his blog post.

Apple in snow image from Shutterstock.

, , , , , , ,

You might like

13 Responses to The biggest Mac malware attack of all time - blogger names suspected mastermind

  1. gmd · 919 days ago

    Are installations of Sophos anti virus for mac falling off again? Go on Sophos, cary on creating a culture of fear to push your products:-(

    • Umm.. I know I shouldn't really feed the troll.. but how specifically we creating fear in this article?

    • 4caster · 918 days ago

      All these security bulletins are intended to create a culture of awareness of the dangers lurking in cyberspace. Call it fear if you wish. It does not cause me to be terrified, but encourages me and many others to take sensible precautions.
      If you don't want to know, then don't read the bulletins. Ignorance is bliss - until it no longer is bliss.

  2. Stein A · 919 days ago

    Will it have been detected by Sophos Anti-virus software?

  3. Beth Singer · 919 days ago

    Thanks for the update! I get update requests for flash all the time on my Mac. This malware is kind of ingenious, yet creepy. I just ran my Sophos check the other day, and all was clean. I appreciate the updates to keep us informed. I don't see it as a ploy to sell products. It is the security industry (companies like Sophos) that find these types of malware and help protect our systems.

  4. TED · 919 days ago


    Another Mac zealot that thinks OS X is OpenBSD. Some how AV, always seems to be the anti-Christ to these guys. AV is not the answer, but it is another layer.

    There is NO difference between Windows 7/8 and OS X when they both get pwnd by an authentication by-pass dropper through third party software. Gatekeeper and X-Protect can be by-passed with ease by a skilled malware writer.

    Windows and OS X a equally hardened as a base goes, it is the third party software that lets the pathway to use the vulnerabilities and both OSes are equally vulnerable. OS X is actually more vulnerable because it has not been vetted by skilled malware writers( except for the Moldavia guy) yet and it is BSD and has 1/3 more code to find those vuls in. It is truly security through obscurity! OS X is still not on organized crimes to-do list.

  5. Samuel · 918 days ago

    Eset found it first

  6. Steven · 918 days ago

    Your right. People can see things - others overlook, if sophos - this blog, had not reported it, I would of never known. People pick and choose how to use knowledge for good or bad, therefore Malware.

    Maybe Sophos was the first, to clearly define it, yet something we were using did, more than a year ago, Norton was detecting something that prevented me from using my HP Printer, or some other software did, yet not clearly explained, I had the same reaction, when Nvidia was affected, there was a conflict, not clearly stated, I had to buy a different printer to be able use a printer, which did far better in many ways.

  7. Nigel · 918 days ago

    Posted by gmd: "Are installations of Sophos anti virus for mac falling off again? Go on Sophos, cary on creating a culture of fear to push your products"

    To "gmd": With all the syntax errors (spelling, punctuation, capitalization) in your post, it's no surprise that it also reveals a breathtaking depth of cluelessness. I suppose the malice is thrown in as a bonus.

    It's difficult to understand how you expect to succeed in portraying Sophos as some kind of bad guy for providing the free Sophos Anti-Virus for Mac, and for providing the excellent NakedSecurity blog (also free).

    Get back on your meds. You're embarrassing yourself.

  8. TED · 918 days ago


    I think Dr. Web found it first. Graham can find that out I would think. Graham???

    • Umm.. not quite sure why there's so much interest in discovering who found this malware first. Especially as it was over a year ago!

      The important thing is that up-to-date anti-viruses protect Macs against it. :)

  9. Unknown · 917 days ago

    And people say that Macs can't get malware.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley