
Phuket live wire: Mac attack

Legacy Phuket Gazette


PHUKET: It was inevitable that somebody would create a Trojan for Mac OS X, and a botnet, no less. But I don’t think anybody expected the first major one to hit as hard, or as many people, as the one we’re witnessing right now.

According to numerous sources, more than 600,000 Macs have been infected, and most of the people whose Macs are infected don’t know it. Two weeks ago, a Russian company called Dr Web reported the massive infection. Last week, Kaspersky Lab verified it: “We were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID [a number that’s different for each Mac – Ed], we were able to calculate the number of active bots. Our logs indicate that a total of 600,000+ unique bots connected to our server in less than 24 hours.”

Yes, you read that correctly. Kaspersky registered one of the web addresses the Trojan is programmed to report to and set up a “sinkhole” server on it (a server that simply answers and logs whatever the bots send), and within 24 hours more than 600,000 infected Macs phoned home. More than half of the infected Macs phoned in from the US, but there were also infected Macs calling from Thailand. Most embarrassingly, 274 of those phone-home episodes originated in Cupertino, California, the home of Apple Inc.

If you own a Mac, or know somebody who owns a Mac, they need to run a check. Now. They also need to install antivirus software, just like us poor beleaguered Windows users. Now.

But first let me explain how Flashback works, and why it’s so disconcerting. Flashback can infect in several different ways, and the people who created it aren’t resting on their laurels: the primary infection method has changed at least three times in the past three months.

Most commonly, Flashback is placed on infected web sites. If you go to an infected web site using a Mac and Safari, the Flashback installer looks to see whether you have an older, unpatched version of Java installed. If so, Flashback simply infects your machine: you don’t click anything, you don’t type a password, and you see nothing. That’s called a “drive-by download” and it’s the most lethal of all web-based infection methods. You get infected, you have no idea that you’re infected, and you didn’t do anything to deserve it.

The second method involves a bit of social engineering. If Flashback determines that the version of Java running on your Mac doesn’t have the two gaping security holes, it presents an “update” signed with a certificate that claims to be from Apple, and asks whether you want to update your computer. This one’s a little lame: the certificate may say Apple, but it isn’t issued by anyone your Mac trusts, so you are warned that “This root certificate is not trusted.” Most people in the Windows world are wary of such warnings. Many people on the Apple side, though, have never seen a bogus certificate, and click through. If you click Continue, your Mac gets “pwned” (an expression derived from “owned”, used to describe a hacker taking remote control of a server or another computer).

The latest version of Flashback, called Flashback.N, has a much “improved” social engineering trick. If you’re using a Mac and Safari, and visit an infected web site, you’ll see the spinning gear “busy” icon for an extended period of time, followed by what looks like a typical Apple Software Update dialog. There’s no warning about an invalid certificate, because nothing is being checked: the dialog is the Trojan’s own, and it just says “Type your password to allow Software Update to make changes.” Typing your password hands the Trojan administrator rights.

Many people do, and their machines get taken over.

And that is only the infection side: the infection mechanisms are the part that has been discovered and documented so far. It’s hard to find unbiased reports. Mac lovers seem to react with “it’s no big deal.” Well, sorry, but it is a big deal: 600,000 subverted machines and counting, a drive-by infection mechanism and a sophisticated, rootkit-style botnet. No matter how you define it, that’s a big deal.

So once your machine is infected, what happens? Again, it’s hard to find reliable details, but it looks as if the small infecting program downloads a much larger payload from the internet, forces Safari to quit, and installs components that load underneath Mac OS X every time you start the machine, rather than running as a program you could see and quit. That’s what makes this thing so hard to detect.

Those components inject code into Safari that turns it into a silent keylogger, looking for user names and passwords that you type into the browser. The stolen user names and passwords are stored up and periodically sent to a waiting web site. The name of that web site isn’t written into the program; it is calculated from the current date by a routine the authors keep to themselves, so the name changes from day to day. If you look at the infected program, it is difficult to figure out where the stolen data is going next, and blocking yesterday’s address does nothing about tomorrow’s.

Kaspersky managed to reverse-engineer the naming routine, worked out one of the names the bots would use, registered that domain (Krymbrjasnof.com) and set up their sinkhole on it. That’s how they found 600,000 different Macs phoning home in 24 hours, with just one domain.
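To make the two ideas above concrete, here is a toy model of a date-based domain generation routine and of the sinkhole that counts bots by their hardware UUID. This is an added example written for this page; it is not Flashback’s real naming routine, not one of its real domains, and not Kaspersky’s sinkhole code. The seed, the alphabet, the domain length and the log lines are all constructed for illustration.

```python
"""Toy date-based domain generation algorithm (DGA) plus a sinkhole log counter.

Added example: NOT Flashback's real algorithm, domain list or log format.
Every constant below is constructed for illustration only.
"""
import hashlib
from collections import Counter

# Hypothetical seed that, in a real bot, would be hidden in the binary.
SEED = b"constructed-seed"


def generate_domain(day_iso: str, seed: bytes = SEED, length: int = 12) -> str:
    """Derive the single rendezvous domain for one calendar day (ISO date string).

    The output depends only on (seed, date). That is exactly why, once the
    routine has been reverse-engineered, a defender can compute tomorrow's
    name today and register it before the bots start asking for it.
    """
    digest = hashlib.sha256(seed + day_iso.encode()).digest()
    letters = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return letters + ".com"


# Constructed sinkhole access log. Format (hypothetical):
#   <timestamp> <client-ip> <country> GET <path>
# The beacon carries the hardware UUID as a query parameter.
SAMPLE_LOG = """\
2012-04-06T00:01:02Z 198.51.100.7 US GET /?uuid=1A2B3C4D-0000-0000-0000-000000000001
2012-04-06T00:01:05Z 198.51.100.7 US GET /?uuid=1A2B3C4D-0000-0000-0000-000000000001
2012-04-06T00:02:11Z 203.0.113.9 TH GET /?uuid=1A2B3C4D-0000-0000-0000-000000000002
2012-04-06T00:03:40Z 192.0.2.44 US GET /?uuid=1A2B3C4D-0000-0000-0000-000000000003
2012-04-06T00:04:00Z 203.0.113.10 TH GET /?uuid=1A2B3C4D-0000-0000-0000-000000000002
2012-04-06T00:05:00Z 192.0.2.45 US GET /health
"""


def count_bots(log_text: str):
    """Return (number of unique bots, Counter of unique bots per country).

    Counting by hardware UUID rather than by source IP is what lets the
    sinkhole operator tell one Mac behind a NAT from a thousand, and keep one
    Mac that changes IP address from being counted twice. Requests without a
    uuid parameter (scanners, health checks) are ignored.
    """
    first_seen_country = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or "uuid=" not in parts[4]:
            continue
        uuid = parts[4].split("uuid=", 1)[1]
        first_seen_country.setdefault(uuid, parts[2])
    return len(first_seen_country), Counter(first_seen_country.values())


if __name__ == "__main__":
    # Defender's view: which name to register for a given day, then what the
    # sinkhole on that name saw.
    print("register today:", generate_domain("2012-04-06"))
    print("register tomorrow:", generate_domain("2012-04-07"))
    total, by_country = count_bots(SAMPLE_LOG)
    print("unique bots:", total, dict(by_country))
```

Two points carry over to the real case. First, a sinkhole on one generated domain only sees the bots whose turn it is to contact that name, so Kaspersky’s 600,000 is a lower bound, not the size of the botnet. Second, the UUID-based count above (three bots from six requests) is why the figure is credible: raw request counts or raw IP counts would both have been wrong.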

I can’t find any definitive information about how Flashback updates itself, but most botnets are set up to check several web sites and download new versions if any are available. Which means that if you’re infected now and don’t clean up the infection, the next version of Flashback could start looking at everything, not just what you type into the browser. And Flashback will upgrade itself, no intervention required.

What’s Apple doing? Not much. The original Flashback, which doesn’t seem to have infected nearly as many people, appeared at the end of September last year, masquerading as an update to Adobe Flash. Apple famously dropped Flash from the Mac more than a year ago: you can’t run it at all on iPads and iPhones, and on a Mac you have to install it manually. That’s why the original Flashback didn’t infect many machines: a fake Flash update means nothing to someone who never installed Flash.

But these later versions take advantage of Java, which runs on all Macs (but not on iPads or iPhones). Oracle updated Java to fix the two security holes I mentioned way back in February. But Apple ships its own build of Java for the Mac, and Apple didn’t update that build until two weeks ago, leaving Mac users exposed for some seven weeks after the fix was public.

The Mac has a built-in malware scanner called XProtect, but it’s proved toothless. XProtect only recognises known samples, and Apple has updated its list twice recently to cover Flashback, but each time the Flashback authors have found easy, quick workarounds: rebuild the installer so it no longer matches, and XProtect is blind again.

If all of this sounds to you like Microsoft all over again – well, you’re not alone.

So what can you – or any other Mac user – do?

First, run over to Dr Web’s site and see if your Mac is in their database of compromised machines. The simple instructions are at public.dev.drweb.com/april. They’re updating the list constantly, so if you’re not on the list, check back again in a week or two.

Second, get patched! Download and install the latest Apple patch, at support.apple.com/kb/HT5228.

Third, get some sort of antivirus program! The most recent version of Flashback won’t even try to install itself on a Mac running Little Snitch, XCode, Virus Barrier, iAntiVirus, Avast, ClamXav, HTTP Scoop, or Packet Peeper. Why? The guys who wrote Flashback are smart: they don’t want to draw any attention to themselves, so the installer checks for those tools and quietly gives up if it finds one. Note what that means: for this version, the mere presence of one of those programs is enough, but that is the malware authors’ choice, not a guarantee, and the next version may not be so shy.

Fourth, if you’re running Mac OS X Leopard or Tiger (10.5 or 10.4), move up to Snow Leopard (10.6) at least. Why? Apple didn’t even bother to patch Java on Leopard or Tiger. If you’re running Leopard or Tiger you’re completely exposed, and there are no patches.

Fifth, realize that Macs can and will get infected. If you’re asked for a system password, don’t blithely type it and forget it. Watch the dialogs and see if they make sense. If you aren’t expecting to install a program, don’t do it. The halcyon days are over.

Yes, I’m saying Mac users need to start acting more like Windows users. Sorry, but it’s true.

Seth Bareiss holds computer sessions on every-other Wednesday afternoon, from 1 to 3pm. If you have a Windows problem that needs to be solved, drop by one of Seth’

— Woody Leonhard
