As we have had our first reports of Apple machines infected with malware, it is probably time to go into more detail on the Flashback infection. This is spread via a Java vulnerability that Apple neglected to fix as soon as it was fixed on other platforms, and they are apparently regretting this neglect. The executive summary of what to do about this is :-
- Make sure you are running OSX 10.6 (Snow Leopard), or OSX 10.7 (Lion), and apply any updates as soon as possible. Some updates released in the last few days will protect you against this malware.
- If you are running OSX older than 10.6, then your options are somewhat limited. The chief advice is to upgrade – you should not be connecting an unsupported operating system to any network and especially not the University network. If that is not currently an option, the advice from Apple is to disable Java (which may of course stop some things from working). Note that disabling Java will not necessarily stop the Flashback malware from working; detailed descriptions are a little thin on the ground but suggest that the Java vulnerability is used to download additional components that are not necessarily Java-based.
- Install an antivirus product such as Sophos or a suitably recommended alternative – and bear in mind that some malware is spread by purporting to be an antivirus product.
What Is Significant About This ?
After all, most of the advice above is what is routinely advised and malware has been a fact of life for decades. Well, Apple users can traditionally (and quite rightly) point out that malware is typically a problem for Windows users. Because of this, Apple users have been somewhat less than proactive in making sure they are protected against malware.
However it has always been a possibility that a mass malware infection could be a problem for Apple users, and now we have actually seen such an infection in the real world. And now Apple users need to protect themselves just as Windows users have. Whilst there have been previous malware outbreaks causing problems for Apple users, these have all relied on tricking users into installing malware – specifically fake antivirus products. This outbreak is different, because it does not require the user to actively do something they would be wiser not to – it just happens when the user visits a nasty website.
How Big Is This ?
The information (and here) indicates that there are in the region of 800,000 infected OSX machines out there in the world. After an initial surge to 600,000, and then a fall to about 150,000, the number of infections is rising again. It is quite possible that this could be a persistent malware issue that survives for a considerable length of time.
What Does It Do ?
There appear to be several different variations of the Flashback malware. Some of which require the user to enter their password to install part of the content; and some which will install the malware whether or not the user types their password at the relevant prompt.
After the malware has successfully invaded the computer it “phones home” to report that it is ready for use, and to download instructions. Some of these command and control servers have been taken over, but there is no guarantee that they all have been.
And as to what exactly the malware author is using all these OSX machines for, well nobody seems to know.
For Further Information
There is a great deal of information about Flashback out there, but some of the highlights include :-
- BBC News: http://www.bbc.co.uk/news/science-environment-17623422
- Sophos: http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/
- Dr Web: http://news.drweb.com/show/?i=2341&lng=en&c=14 (The original research).
- Telegraph: http://www.telegraph.co.uk/technology/apple/9201908/Apple-Flashback-virus-outbreak-tackled.html