Reports: Flashback trojan has infected over half a million Macs

We don’t normally report on security issues, especially not when they occur on Mac OS X. So far, the security issues on the Mac can barely be labelled as such, and really don’t deserve a lot of attention. Now, however, it would appear we’re looking at the first successful widespread malware infection on Mac OS X. Not a bad track record for an eleven year old operating system, by the way.

There’s a trojan called Flashback rummaging around the web, which can infect a Mac without the need for a root password. Earlier this week, a Russian antivirus company (little red flag going up) claimed over half a million Macs were infected by the Trojan, creating a pretty sizeable botnet. Some perspective: relatively speaking, this botnet is similar in size to Conficker (both infecting about 1% of the installed base).

Just a single antivirus company making such claims is not something that piques my interest. Antivirus companies tend to be pretty sleazy, and they like nothing more than making a threat look bigger than it really is because, hey, what do you know, their antivirus product stops this particular super-dangerous cat-killing virustrojanmalwarething.

We now have a second source corroborating the figures. Kaspersky Labs (yup, another antivirus company) confirmed the figures in their own independent investigation into the matter.

“We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, ‘krymbrjasnof.com’. After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots,” Kaspersky’s Igor Soumenkov writes, “Our logs indicate that a total of 600000+ unique bots connected to our server in less than 24 hours. They used a total of 620000+ external IP addresses. More than 50% of the bots connected from the United States.”

In fact, according to the earlier investigation, 274 unique IP addresses came from… Cupertino.

The trojan uses a security hole in Java, which Oracle patched in February 2012; Apple didn’t send out a patch until a few days ago. Get this patch and install it, because if the investigations are correct, Mac users are actually running a risk this time. If you’re afraid you might be one of those ~600000, Ars has a detailed guide on how to check your machine, and if necessary, how to remove it.

Since Apple does not ship Java by default any more, I’m guessing these are mostly older machines and machines that haven’t been updated to the latest release (and Minecraft players). So, especially if you belong in either of those groups, it might not hurt to give your machine a check-up.

Now, we’re looking at data from security firms, so I’m still a little bit sceptical. However, I’m risking the “You’re anti-Apple!!1!!!”-crap because it’s looking more and more like this is an actual serious issue. Do with it as you please.

35 Comments

  1. 2012-04-08 1:10 am
    • 2012-04-08 2:36 am
      • 2012-04-08 3:25 am
        • 2012-04-08 7:53 am
      • 2012-04-08 9:29 am
    • 2012-04-08 2:57 am
    • 2012-04-12 11:04 am
  2. 2012-04-08 2:31 am
  3. 2012-04-08 2:35 am
  4. 2012-04-08 3:19 am
    • 2012-04-08 4:30 pm
  5. 2012-04-08 4:00 am
    • 2012-04-08 6:04 am
      • 2012-04-08 6:16 am
      • 2012-04-08 4:46 pm
    • 2012-04-08 10:52 pm
  6. 2012-04-08 6:34 am
    • 2012-04-08 8:10 am
    • 2012-04-08 6:17 pm
      • 2012-04-09 7:32 am
  7. 2012-04-08 7:55 am
  8. 2012-04-08 8:15 am
    • 2012-04-08 8:50 am
      • 2012-04-08 8:56 am
        • 2012-04-08 1:40 pm
      • 2012-04-08 8:57 am
  9. 2012-04-08 12:46 pm
    • 2012-04-09 6:29 pm
  10. 2012-04-08 2:12 pm
  11. 2012-04-08 6:37 pm
  12. 2012-04-08 9:59 pm
    • 2012-04-08 10:36 pm
  13. 2012-04-09 12:29 am
  14. 2012-04-09 2:07 am
  15. 2012-04-09 9:49 am