Got a Mac? You’re Probably Infected. Here’s What You Need
On Wednesday, Russian anti-virus vendor Doctor Web published an article stating that 550,000 Macs were infected with BackDoor.Flashback.39, a Trojan that exploits unpatched vulnerabilities (CVE-2011-3544, CVE-2008-5353 and CVE-2012-0507) in the Mac operating system. The report was later updated on Dr. Web's Twitter account to say that more than 600,000 Macs were compromised, the majority of them in the United States.
Where it all began
Ars Technica had been keeping tabs on the Flashback Trojan since it appeared in 2011. The Trojan posed as a Flash player installer, easily tricking some Mac users into installing the malicious program. The threat was marked as “low” since not many Mac users use Flash.
Later, a more potent variation of the Flashback Trojan, Flashback C, surfaced, still posing as a Flash installer. The new variation disables Apple's automatic updating mechanism for its built-in anti-malware component, leaving infected Macs unable to receive the security updates needed to remove the malware.
Mode of transmission
The infection starts when a user is redirected to a bogus site from a compromised resource, or via a traffic distribution system. JavaScript on that page then loads a Java applet containing the exploit. Analysts at Dr. Web discovered a large number of websites carrying the code; below are some of those recently discovered:
- godofwar3.rr.nu
- ironmanvideo.rr.nu
- killaoftime.rr.nu
- gangstasparadise.rr.nu
- mystreamvideo.rr.nu
- bestustreamtv.rr.nu
- ustreambesttv.rr.nu
- ustreamtvonline.rr.nu
- ustream-tv.rr.nu
- ustream.rr.nu
The exploit then saves an executable file to the hard drive of the infected Mac, which downloads a malicious payload from a remote server and launches it.
According to Dr. Web, attackers started exploiting the vulnerabilities in February of this year, but it wasn't until April 3 that Apple closed the hole.
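For a network defender, the domain list above is the most actionable part of the report: a web proxy or DNS log can be checked for any client that reached one of those hosts during the window the exploit was live. The following script is an added example, not code from the article or from Dr. Web; it takes the domains exactly as listed above, scans a few constructed proxy log lines (sample data, invented for this example) and reports which clients fetched content from a listed domain or one of its subdomains.

```python
from urllib.parse import urlsplit

# Domains reported by Dr. Web as hosting the Flashback exploit code
# (copied from the list in the article above).
FLASHBACK_DOMAINS = {
    "godofwar3.rr.nu",
    "ironmanvideo.rr.nu",
    "killaoftime.rr.nu",
    "gangstasparadise.rr.nu",
    "mystreamvideo.rr.nu",
    "bestustreamtv.rr.nu",
    "ustreambesttv.rr.nu",
    "ustreamtvonline.rr.nu",
    "ustream-tv.rr.nu",
    "ustream.rr.nu",
}


def host_matches(host, blocklist=FLASKBACK if False else FLASHBACK_DOMAINS):
    """True if host is a listed domain or a subdomain of one.

    Matching on the parent-domain boundary ("." + domain) avoids false
    positives such as "notustream.rr.nu" or the legitimate "ustream.tv".
    """
    host = host.lower().rstrip(".")
    return host in blocklist or any(host.endswith("." + d) for d in blocklist)


# Constructed proxy log in a simple "timestamp client_ip method url" format.
# These lines are sample data for the example, not real traffic.
SAMPLE_PROXY_LOG = """\
2012-04-05T10:12:01Z 10.0.0.12 GET http://www.example.com/index.html
2012-04-05T10:12:05Z 10.0.0.12 GET http://godofwar3.rr.nu/index.php?v=1
2012-04-05T10:12:06Z 10.0.0.12 GET http://cdn.ustream-tv.rr.nu/applet.jar
2012-04-05T10:13:40Z 10.0.0.7 GET http://www.ustream.tv/channel/news
2012-04-05T10:14:02Z 10.0.0.7 GET http://ustreamtvonline.rr.nu/
2012-04-05T10:15:00Z 10.0.0.9 GET http://rr.nu/
"""


def scan_proxy_log(lines):
    """Return one record per request whose host matches the domain list."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, _method, url = parts[:4]
        host = urlsplit(url).hostname
        if host and host_matches(host):
            hits.append({"time": timestamp, "client": client,
                         "host": host, "url": url})
    return hits


def clients_to_inspect(hits):
    """Group hits by client so each affected machine is listed once."""
    by_client = {}
    for hit in hits:
        by_client.setdefault(hit["client"], []).append(hit["host"])
    return by_client


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG.splitlines())
    for client, hosts in sorted(clients_to_inspect(found).items()):
        print(f"{client}: contacted {', '.join(hosts)}")
```

Any client that appears in the output should be checked with the removal instructions referenced below; a request for a `.jar` file from one of these domains is a particularly strong sign that the Java exploit, and not just the landing page, was served.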
Am I infected?
If you’re using a Mac and are fond of visiting various websites, there’s a high probability that your machine is already infected.
Dr. Web strongly recommends that Mac users download and install the security update released by Apple, found here.
F-Secure, a computer security and software company, offers instructions on how to determine whether your Mac has been compromised and how to remove the Trojan. Click here to learn more about it.