Like the Titanic, Macs Aren’t Unsinkable: 600,000 Claimed Infected with Botnet Virus

(Image: Dr.Web)

If you still think your Mac is bulletproof, impervious and zip-locked when it comes to viral incursions, let this latest infection fiasco lift the scales from your eyes: over 600,000 Macs may have succumbed to the Flashback Trojan. The number comes from a Russia-based antivirus vendor that used a technique called "sinkholing": registering a domain the malware contacts for instructions, then counting the infected machines that check in there, to measure how far the malware has spread and where.

The vendor, Dr.Web, first wrote about the "spreading" Trojan yesterday, calling it BackDoor.Flashback, and claimed that it had infected "more than 550,000" systems running Mac OS X, most of them located in the U.S. and Canada. "This once again refutes claims by some experts that there are no cyber-threats to Mac OS X," added Dr.Web. In the country breakdown Dr.Web published, 56.6% of affected Macs are in the U.S. (303,449), 19.8% in Canada (106,379), 12.8% in the U.K. (68,577) and 6.1% in Australia (32,527). Every other country accounts for less than 1% of the estimate.
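To make the sinkholing method and the country breakdown above concrete, here is an added example (not Dr.Web's tooling, and not from the original article) of how a sinkhole operator turns check-in logs into a bot count per country. Everything in it is constructed: the log line format, the bot identifiers, and the IP-to-country table, which maps RFC 5737 documentation ranges to arbitrary countries. The point it makes is the one any such estimate hinges on: counting distinct bot identifiers and counting distinct IP addresses give different numbers, because several infected machines can share one address behind NAT and one machine can appear under several addresses over time.

```python
"""Toy sinkhole tally: infected hosts by country from constructed check-in logs.

Added example, not Dr.Web's code. The log format, the bot IDs and the
IP-to-country table are all assumptions made for this illustration.
"""
from collections import Counter
import ipaddress
import re

# Constructed sample log: "<timestamp> <client ip> GET /<bot id>", the shape a
# sinkholed command-and-control domain might record for each check-in.
SAMPLE_LOG = """\
2012-04-04T10:00:01Z 203.0.113.10 GET /b1
2012-04-04T10:00:07Z 203.0.113.10 GET /b1
2012-04-04T10:00:09Z 203.0.113.11 GET /b2
2012-04-04T10:01:00Z 198.51.100.5 GET /b3
2012-04-04T10:01:03Z 198.51.100.5 GET /b4
2012-04-04T10:02:40Z 192.0.2.77 GET /b5
2012-04-04T10:03:00Z 203.0.113.10 GET /b6
garbage line that should be ignored
"""

# Constructed IP-to-country table (RFC 5737 documentation ranges, assigned to
# countries arbitrarily for this example; a real sinkhole would use a GeoIP db).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CA"),
    (ipaddress.ip_network("192.0.2.0/24"), "GB"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) GET /(\S+)$")


def country_for(ip_str):
    """Map an IP address to a country code via the constructed table."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return "??"


def parse_checkins(log_text):
    """Yield (bot_id, ip) for each well-formed check-in line, skipping noise."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sinkholes receive plenty of junk traffic; ignore it
        _ts, ip, bot_id = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield bot_id, ip


def tally(log_text):
    """Return (unique bots, unique IPs, bots per country, percentage per country).

    Bots are deduplicated by their identifier, not by IP, so repeated check-ins
    from one machine count once and several machines behind one NAT each count.
    """
    bots = {}  # bot_id -> IP it was first seen from
    for bot_id, ip in parse_checkins(log_text):
        bots.setdefault(bot_id, ip)
    by_country = Counter(country_for(ip) for ip in bots.values())
    total = sum(by_country.values())
    shares = {cc: round(100.0 * n / total, 1) for cc, n in by_country.items()}
    unique_ips = len(set(bots.values()))
    return len(bots), unique_ips, dict(by_country), shares


if __name__ == "__main__":
    n_bots, n_ips, per_country, pct = tally(SAMPLE_LOG)
    print(f"bots={n_bots} ips={n_ips} per_country={per_country} pct={pct}")
```

On the constructed log this reports six bots but only four distinct IP addresses: two bots share 198.51.100.5 and two share 203.0.113.10. A tally keyed on IP would undercount here, and a tally keyed on IP over a longer window would overcount machines whose address changes. Any headline bot count is therefore only as good as the identifier the malware sends with each check-in, which is worth keeping in mind when reading figures like the ones above.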


After F-Secure's Chief Research Officer, Mikko Hypponen, tweeted "we can't confirm or deny [Dr.Web's] figure," Dr.Web analyst Sorokin Ivan replied that "at this moment botnet Flashback over 600k, include 274 bots from Cupertino and special for you Mikko – 285 from Finland."

According to Dr.Web, Mac users pick up BackDoor.Flashback.39 after being redirected to a bogus site that uses JavaScript to load a Java applet containing the exploit. Some of the sites hosting the code include one named after Sony's God of War 3 video game and another whose URL seems to promise access to the Iron Man movie. The exploit saves an executable file to the Mac's hard drive; that file downloads a "malicious payload" from a remote server, and the payload reports its successful installation to the attackers' servers before it starts sending out information.

Flashback malware first appeared in September 2011, but that version depended on social engineering and needed the user's help to spread: it posed as an Adobe Flash installer and counted on the victim to run it. The newer version, by contrast, exploits a Java vulnerability and installs itself on the sly, with no user action required.

Apple issued a "Java for OS X" fix on April 3 (it'll pop up if you perform a manual "Software Update"), but Dr.Web says attackers began spreading this malware in February 2012 and switched to a different Java exploit last month. So while Apple may look on the ball here, since reporting about the exploit coincides with the release of a fix, it's that release that appears to have alerted both security companies and the media; the malware had been circulating for roughly two months by then. Installing the update closes the hole but does not clean up a Mac that is already compromised. If you think you've already been infected, F-Secure has instructions on how to remove it here.
