PHUKET: It was inevitable that somebody would create a Trojan – a botnet, no less – for the Mac OS X. But I don’t think anybody expected the first major Trojan would hit as hard, or so many people, as the one we’re witnessing right now.
According to numerous sources, more than 600,000 Macs have been infected – and most of the people who are infected don’t know it. Two weeks ago, a Russian company called Dr Web reported the massive infection. Last week, Kaspersky Labs verified it. “We were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID [a number that’s different for each Mac – Ed], we were able to calculate the number of active bots. Our logs indicate that a total of 600,000+ unique bots connected to our server in less than 24 hours.”
Yes, you read that correctly. Kaspersky set up a “honey pot” (that’s the technical term for it) and within 24 hours, more than 600,000 infected Macs phoned home. While more than half of the infected Macs phoned in from the US, there were also infected Macs calling from Thailand. Most embarrassingly, 274 of those phone home episodes originated in Cupertino, California, the home of Apple Inc.
If you own a Mac, or know somebody who owns a Mac, you (or they) need to run a check. Now. They also need to install antivirus software, just like us poor beleaguered Windows users. Now.
But first let me explain how Flashback works, and why it’s so disconcerting. Flashback can infect in many different ways. The people who created Flashback aren’t sitting on their laurels: the primary infection method has changed at least three times in the past three months.
Most commonly, Flashback is placed on infected web sites. If you go to an infected web site using a Mac and Safari, the Flashback infector looks to see if you have a specific older, unpatched version of Java installed. If so, Flashback simply infects your machine: you don’t need to do a thing. That’s called a “drive-by attack” and it’s the most lethal of all web-based infection methods. You get infected, and you have no idea that you’re infected – and you didn’t do anything to deserve it.
The second method involves a bit of social engineering. If Flashback determines that the version of Java running on your Mac doesn’t have the two gaping security holes, it shows you an update certificate and asks you if you want to update your computer. This one’s a little lame because the certificate says it’s signed by Apple, but Safari will tell you that it can’t confirm the certificate: “This root certificate is not trusted.” Most people in the Windows world are wary of such warnings. Many people on the Apple side, though, have never seen a bogus certificate, and click through. If you click Continue, your Mac gets “pwned” (an expression that originates from “owned”, used to describe when a hacker takes remote control of a server or another computer).
The latest version of Flashback, called Flashback.N, has a much “improved” social engineering trick. If you’re using a Mac and Safari, and visit an infected web site, you’ll see the spinning gear “busy” icon for an extended period of time, followed by a typical Apple Software Update dialog. There’s no warning on the dialog about an invalid certificate: the dialog just says “Type your password to allow Software Update to make changes.”
Many people do, and their machines get taken over.
This is only the beginning – so far, only the infection mechanisms have been discovered and documented. It’s hard to find unbiased reports. Mac lovers seem to react with “it’s no big deal.” Well, sorry, but it is a big deal: 600,000 subverted machines and counting, with a drive-by infection mechanism and a sophisticated rootkit-style botnet – no matter how you define it, that’s a big deal.
So once your machine is infected, what happens? Again, it’s hard to find reliable details, but it looks as if the infecting program downloads a much larger payload from the internet, then forces Safari to quit, and installs “root” programs that run underneath Mac OS X. That’s what makes this program so hard to detect.
The root programs inject code into Safari that makes it a silent keylogger, looking for user names and passwords that you type into the browser. Those user names and passwords are stored up, and then periodically sent to a waiting web site. The exact name of the web site is calculated in a complex way, so if you look at the infected program, it is difficult to figure out where the stolen data is going next.
Kaspersky managed to reverse-engineer the naming routine, registered one of the domain names, Krymbrjasnof.com, and set up their honey pot on that domain. That’s how they found 600,000 different Macs phoning home in 24 hours, with just one domain.
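To make the counting method concrete: Kaspersky could quote a bot count rather than a request count because each request carried the machine’s hardware UUID, so repeat check-ins from the same Mac collapse to one. The script below is an added example, not Kaspersky’s code or data; the log format, the request path, the query parameter name and every sample line are constructed for illustration. It counts distinct UUIDs overall and per country, and sets aside requests that carry no well-formed UUID (scanners, crawlers and curious researchers hit a sinkhole too, and they should not inflate the bot count).

```python
"""Count unique bots from sinkhole request logs.

Added example (not Kaspersky's code or data). The log format and every
sample line below are constructed for illustration; the only thing taken
from the article is the idea that each bot request carries the machine's
hardware UUID, so counting distinct UUIDs (not requests) gives the bot count.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client-ip> <country> <request-path>",
# where a bot's request path carries its UUID as a query parameter
# (the parameter name "uuid" is an assumption, not Flashback's real format).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<country>[A-Z]{2}) (?P<path>\S+)$"
)
UUID_PARAM = re.compile(r"[?&]uuid=(?P<uuid>[0-9A-Fa-f-]{36})(?:&|$)")

# Constructed sample log: three bots, two of them checking in twice,
# plus a crawler and a request with a malformed UUID.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 198.51.100.7 US /c.php?uuid=0F3A1C2E-1111-4AAA-8BBB-000000000001
2012-04-06T10:00:02Z 198.51.100.7 US /c.php?uuid=0F3A1C2E-1111-4AAA-8BBB-000000000001
2012-04-06T10:00:05Z 203.0.113.9 TH /c.php?uuid=0F3A1C2E-1111-4AAA-8BBB-000000000002
2012-04-06T10:01:00Z 192.0.2.44 US /c.php?uuid=0F3A1C2E-1111-4AAA-8BBB-000000000003
2012-04-06T11:15:00Z 192.0.2.44 US /c.php?uuid=0F3A1C2E-1111-4AAA-8BBB-000000000003
2012-04-06T12:00:00Z 203.0.113.9 TH /c.php?uuid=0F3A1C2E-1111-4AAA-8BBB-000000000002
2012-04-06T12:30:00Z 192.0.2.99 GB /robots.txt
2012-04-06T13:00:00Z 192.0.2.100 US /c.php?uuid=not-a-uuid
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format.

    The "uuid" key is None when the request carries no well-formed UUID.
    """
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = UUID_PARAM.search(rec["path"])
    rec["uuid"] = u.group("uuid").upper() if u else None
    return rec


def summarize(log_text):
    """Count requests, distinct bots (by UUID) and distinct bots per country."""
    bots = set()
    by_country = defaultdict(set)
    requests = 0
    non_bot = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        requests += 1
        if rec["uuid"] is None:
            non_bot += 1  # crawler, scanner or malformed check-in: not a bot
            continue
        bots.add(rec["uuid"])
        by_country[rec["country"]].add(rec["uuid"])
    return {
        "requests": requests,
        "unique_bots": len(bots),
        "non_bot_requests": non_bot,
        "by_country": {c: len(s) for c, s in by_country.items()},
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['requests']} requests, {summary['unique_bots']} unique bots, "
          f"{summary['non_bot_requests']} non-bot requests")
    for country, n in sorted(summary["by_country"].items(), key=lambda kv: -kv[1]):
        print(f"  {country}: {n} bot(s)")
```

On the sample log, eight requests reduce to three bots (two in the US, one in Thailand); the crawler and the malformed check-in are reported separately. A bot whose IP moves between countries would be counted once overall but once in each country it appeared from, which is the right behaviour for the headline number and a known wrinkle in the per-country split.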
I can’t find any definitive information about changes in Flashback, but most botnets are set up to look at multiple web sites, and download updates if they’re available. Which means if you’re infected now and don’t clear up the infection, the next version of Flashback could start looking at everything, not just what you type on the web. And Flashback will upgrade itself, no intervention required.
What’s Apple doing? Not much. The original Flashback – which doesn’t seem to have infected nearly as many people – appeared at the end of September last year, where it masqueraded as an update to Adobe Flash. Apple is notorious for having dropped Flash on the Mac more than a year ago: you can’t even get it to run on iPads and iPhones, and you have to install it manually on Macs. That’s why the original Flashback didn’t infect many machines.
But these later versions take advantage of Java, which runs on all Macs (but not on iPads or iPhones). Java was updated to fix the two security holes I mentioned, way back in February. But Apple keeps its own version of Java, and Apple didn’t update that version until two weeks ago.
The Mac has a malware scanner called XProtect, but it’s proved toothless. Apple’s updated it twice recently to protect against Flashback, but the Flashback authors have found easy, quick workarounds.
If all of this sounds to you like Microsoft all over again – well, you’re not alone.
So what can you – or any other Mac user – do?
First, run over to Dr Web’s site and see if your Mac is in their database of compromised machines. The simple instructions are at public.dev.drweb.com/april. They’re updating the list constantly, so if you’re not on the list, check back again in a week or two.
Second, get patched! Download and install the latest Apple patch, at support.apple.com/kb/HT5228.
Third, get some sort of antivirus program! The most recent version of Flashback won’t even try to install itself on a Mac system running Little Snitch, Xcode, Virus Barrier, iAntiVirus, Avast, ClamXav, HTTP Scoop, or Packet Peeper. Why? The guys who wrote Flashback are smart – they don’t want to draw any attention to themselves.
Fourth, if you’re running Mac OS Leopard or Tiger (OS X 10.4 or 10.5), move up to Snow Leopard (10.6) at least. Why? Apple didn’t even bother to patch Leopard or Tiger. If you’re running Leopard or Tiger you’re completely exposed, and there are no patches.
Fifth, realize that Macs can and will get infected. If you’re asked for a system password, don’t blithely type it and forget it. Watch the dialogs and see if they make sense. If you aren’t expecting to install a program, don’t do it. The halcyon days are over.
Yes, I’m saying Mac users need to start acting more like Windows users. Sorry, but it’s true.
Seth Bareiss holds computer sessions on every-other Wednesday afternoon, from 1 to 3pm. If you have a Windows problem that needs to be solved, drop by one of Seth’
— Woody Leonhard