Flashback: Has Mac OS X been compromised?

By Nick Gressle

My inbox was flooded last week with email from Mac users about the Macintosh malware called “Flashback”.
After reading some basic information about the attack I looked up the diagnostic instructions on the web and ran them on my Mac and all the Macs in our household.

Luckily this piece of coded chaos did not invade my systems.
Yet.

But it did pique my interest as to what type of malware Flashback is and what its purpose could be.
So back to the net for some research. That is where I became more concerned with the reporting on Flashback than with the actual damage it could be capable of doing.

Malware becomes a celebrity

Since the first outbreak of the Melissa virus in 1999, harmful computer code has developed a doomsday celebrity status rivaled only by the Mayan Calendar.
This is natural, since as a species we seem to love an impending disaster.
With our lives so publicly infused into the internet, any threat to our digital persona sets off alarm bells around the world.
However, just like any other doomsday scenario we need to take a breath and look at the facts and filter out the hyperbole.

First things first

I always find it helpful to go back through my definitions whenever something new comes on the scene in the way of helpful or harmful code. And in this instance I wanted to refresh myself on the definition of a computer virus versus that of a trojan horse.

A computer virus is a piece of code that reproduces by inserting copies of itself into other programs or files; that self-replication is what makes it a virus, not any particular damage it does. Once it runs it can carry a payload that moves or deletes files on your hard drive, alters the way your operating system responds to commands, or slows your computer down, and every program it has infected spreads it further, across your own disk or to other users on a network. Almost all viruses attach themselves to an executable file and are triggered when that file is run.

The term “computer virus” has become synonymous with “my computer is not working right.” However, a computer virus is just one subclass of a larger group of code written to subvert an operating system or security system. That parent group is known as malware.

The trojan horse is another subclass of malware, and it is what the Flashback attack seemed to be at first glance.

What’s in a Name?

The computer trojan horse is named after the wooden horse of the Trojan War, and like its mythological namesake it performs the same ruse: it gets inside because the victim chooses to bring it in.

A trojan horse looks like a harmless program: a website that offers to help you with something, or a program you download and install because it promises to speed up your computer or take care of some task. The defining trait is that the user runs or installs it willingly.

Once a trojan horse is installed on your system it can take over certain aspects of the system. Many are annoyances rather than destructive: some change your desktop, or make all your icons look the same. Others, however, damage files and consume system resources.

In many ways it looks like a virus, but the main difference is that it does not self-replicate. Instead, it usually opens a “back door” to your computer or network, giving other machines and the people behind them access to your resources.

Is Flash Back a virus or a trojan horse?

With the definitions out of the way, let’s examine Flashback.
It is important to note that how Flashback is classified carries some serious marketing-perception problems for Apple.

Apple has widely advertised its computers and devices as “virus free.” If Flashback were a virus, that could be a game changer for Apple the company and its many devoted customers: it would mean the securely walled palace of the Mac had been invaded by the same rabble that has plagued Windows users for years.

If it is a trojan horse, it is still a problem for the perception that the Mac is free of malware, but the hole that let it in may be easier to close with software updates.

But what if Flashback is something else altogether?

In Ed Bott’s report on ZDNet he cites Kaspersky Lab and Dr.Web (a Russian security company) as saying that Flashback is actually a botnet.

A botnet is not so much a different kind of program as what the infected machines become: once the bot is installed it lies in wait for commands from one or more control servers, and those commands can be anything from grabbing passwords to harvesting credit card details.
What sets Flashback apart from the classic trojan horse is how it got onto the machine. There was no program the user was tricked into running; the code was installed by a drive-by exploit of a Java vulnerability, triggered simply by visiting a web page.

Ed Bott states:

“What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. All they had to do was visit a web page using a Mac that had a current version of Java installed.

Some commenters seem to have missed that point, so let me repeat those details more emphatically. The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.”

In many ways this makes Flashback a greater threat than it would have been as a plain trojan horse or virus.
If current estimates are accurate, 600,000 Macs had the bot installed. Based on Apple’s sales figures, that would put the bot on about 1 in 100 Macs.
That would make it one of the larger botnet infections to date for a single platform.
Conficker, one of the more famous botnets, reached an estimated 7 million PCs, but that amounted to only about 0.7% of Windows installations.

How to Protect yourself

Apple has always built closed systems: beautiful but controlled computing experiences. That extends to widely used languages such as Java, which Apple shipped as its own build rather than Oracle’s.
In the case of Flashback, that meant the fix for the Java hole the attack exploited reached Mac users through Apple’s own security updates weeks after Oracle had patched it on other platforms, and by the time it arrived the infections had already happened.
And lastly, the Mac OS has its largest installed base to date, which makes it a worthwhile target for black-hat hackers.

If you are running Snow Leopard 10.6.8 or Lion 10.7 or later, run Apple’s Software Update and take the Java update from there.

If you have an older Mac running Leopard 10.5.8 you will not receive the update, as Apple has ended support for that release. You will need to open Terminal on your Mac and run the fix provided by following this link. Whatever release you run, if you do not need Java in the browser, disable the Java plug-in in Safari and Firefox: a drive-by exploit cannot fire against a plug-in that is switched off.
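Below is an added example, not code from the original post, that turns the advice above into a script you can run in Terminal. It reads the three persistence locations that the public Flashback diagnostic instructions of the time had you check with defaults read (LSEnvironment in the Safari and Firefox Info.plist files, and DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist), and it compares the java -version banner against 1.6.0_31, the build Apple shipped in its April 2012 Java update that closed the hole. That threshold, the function names, the messages, and the assumption that Firefox lives in /Applications are this example’s own; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example: a Flashback self-check for OS X. Not from the original post.
# The three `defaults read` locations below are the ones the public Flashback
# diagnostic instructions of the period had you inspect; the function names,
# messages and parsing helpers are this example's own.

# Java 1.6.0_31 is the build Apple shipped in the April 2012 Java update that
# closed the hole Flashback exploited; anything older is treated as vulnerable.
PATCHED_JAVA=1.6.0_31

# Classify the combined stdout+stderr of `defaults read <domain> <key>`.
# A clean Mac prints an error containing "does not exist"; Flashback writes a
# dylib path into the key. Prints clean/suspect/unknown; returns 0 only if clean.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean;   return 0 ;;
        "")                 echo unknown; return 1 ;;
        *)                  echo suspect; return 1 ;;
    esac
}

# Read one domain/key pair on the live system and report its classification.
check_one() {
    out=$(defaults read "$1" "$2" 2>&1) || true   # non-zero exit is the normal clean case
    verdict=$(classify_defaults_output "$out")
    printf '%s %s: %s\n' "$1" "$2" "$verdict"
    [ "$verdict" = clean ]
}

# Walk the three known Flashback persistence keys. Returns 0 if all are clean,
# 1 if any looks tampered with, 2 if this is not a Mac (no defaults(1)).
check_flashback_indicators() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found: not OS X, nothing to check"; return 2; }
    status=0
    check_one /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_one /Applications/Firefox.app/Contents/Info LSEnvironment || status=1
    check_one "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    return $status
}

# Pull the version out of a `java -version` banner (first line looks like
# 'java version "1.6.0_29"') and print it as space-separated numbers
# ("1 6 0 29"). Returns 1 if no version is found in the text.
java_version_fields() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([0-9._]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v" | tr '._' '  '
}

# Return 0 if the Java described by banner $1 is at least version $2
# (e.g. 1.6.0_31), 1 if it is older, 2 if the banner cannot be parsed.
java_at_least() {
    have=$(java_version_fields "$1") || return 2
    want=$(printf '%s\n' "$2" | tr '._' '  ')
    set -- $have; h1=$1 h2=${2:-0} h3=${3:-0} h4=${4:-0}
    set -- $want; w1=$1 w2=${2:-0} w3=${3:-0} w4=${4:-0}
    for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3" "$h4 $w4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Compare the installed Java against PATCHED_JAVA on the live system.
check_java_update() {
    command -v java >/dev/null 2>&1 || { echo "java: not installed, nothing for a Java exploit to hit"; return 0; }
    banner=$(java -version 2>&1) || true
    java_at_least "$banner" "$PATCHED_JAVA" && rc=0 || rc=$?
    case $rc in
        0) echo "java: at or above $PATCHED_JAVA, patched" ;;
        1) echo "java: older than $PATCHED_JAVA, run Software Update or disable the browser plug-in" ;;
        *) echo "java: could not parse the version banner" ;;
    esac
    return $rc
}

# On a Mac this runs both live checks; elsewhere it only reports that there is
# nothing to inspect. Each check prints one line per item and a verdict.
check_flashback_indicators || true
check_java_update || true
```

Save it as flashback-check.sh and run sh flashback-check.sh. Any key that comes back “suspect” means something has planted a library in a browser’s launch environment, which is exactly how the bot injected itself into Safari and Firefox; a Java build older than the threshold means the drive-by still works against that browser.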

*Apple will have to look at security through a different lens now, and so will Mac users.
The botnet is a powerful weapon in cybercrime and cyberwar, and the fact that a user does not have to actively (if unknowingly) install this form of malicious code makes the web a more dangerous place than ever before.

More Information:

*As of this post Apple has announced that they will be releasing a tool in the future that will help users remove the bot if it has been installed. 
