Small Business and the Internet

Flashback On The Mac

May 2012

By Mike Gould

I told ya so. Every time I have written about malware in the past (links below), I have reminded Mac users that their days of being virus-free were numbered. And now the cyberChickens have come home to roost and the ones and zeroes have hit the fan in AppleTown in a spectacular display of mixed metaphor.

We’re talking the Flashback trojan: the current malware manifestation that has infected around a million Macs in the last few months. Yup, that’s right, a Mac virus epidemic. A trojan, you will remember, is malware that sneaks in by posing as something harmless (this one originally posed as an Adobe Flash Player installer, hence the name) and then typically hands control of your computer over to someone else’s server. Named after the Trojan Horse – and you know how that turned out.

I told ya and I told ya, but did you listen? Well, um, I guess you did because none of my clients or random Mac users visiting my site have reported infestations. Good for you, you anti-virus software users, you! A massive number of users weren’t so lucky; some estimates say up to 3% of all Mac users were infected. That’s a lot of bad Apples.

Smug PC users should follow along here, as there are lessons to be learned for users of both platforms.

Blame Java
Here’s the deal: Java is a programming language, and the Java browser plug-in lets a website run a small Java program, an applet, right inside your browser to provide features the site wants. Java is popular in the developer community because it (supposedly) runs on all platforms, is robust, and is packed with vitamins and minerals, or the digital equivalent of same. (Not to be confused with JavaScript, which is another web programming language totally unrelated to Java.) Properly implemented, it is also supposed to wall the applet off from the rest of your computer, but that has become the crux of the biscuit: a flaw in Java let a booby-trapped web page break out of that wall and run whatever it liked on your Mac, with no prompt and no password, and what it ran turned your Mac into a member of a botnet. Oracle had already fixed the flaw in its own version of Java; Apple builds and ships its own Java for OS X, and Apple’s fix came weeks later.

Mean Beans
A botnet is a collection of computers that have been surreptitiously taken over by a sinister force (the Russian mafia, Chinese computer clubs, East European hackers, etc.) and forced to dance to the badGuy’s tune. Run from a set of Command and Control (C&C) servers, botnets are used to send spam, overwhelm web servers in a Distributed Denial of Service (DDoS) attack, and do various other evil. Oh, and they often include an effort to suck all the email addresses out of your address book and scan for credit card and Social Security Numbers, sending the results back to the C&C for further mischief.

Example DDoS attack: cyberThugs decide to hold the website of a financial institution for ransom. Their C&C servers send out a command to all the compromised computers under their sway, ordering them to send such and such a web request to a given website every 2 seconds. The victim’s site crumbles under the onslaught of bogus web hits, and customers can’t get in to do their business. The thugs send a note to the company demanding money to stop the attack. Unless the company has deep pockets and can afford expensive countermeasures, it pays up and the crooks move on to the next target.

Because the attack is coming from thousands of computers, authorities have difficulties tracking down the culprits. The C&C servers are well hidden behind layers of address obfuscation, and difficult to find.

Yes, there are efforts underway to stop this. Microsoft has a unit dedicated to taking down botnets, and it has had some successes lately. But every time you get a spam, the odds are good it was sent from someone’s hijacked computer. And by hijacked, I mean the computer was running unpatched software with no anti-virus protection, visited a booby-trapped website, and had software installed on it just by loading a page with coded badThings in it. No clicking, no password prompt; it is just that simple.

Grounds For Concern
Once upon a time this was a PC problem: there weren’t enough Macs online to make such attacks profitable, and Macs had a (partly deserved) reputation for being harder to break into than PCs. Now there are enough Macs, they use the same Intel chips PCs use, and they run the same cross-platform Java, whose vulnerabilities criminals can exploit regardless of which operating system is underneath.

The scary part is that you may be infested and not know it. The takeover, the check-ins with the C&C servers, and the traffic your Mac sends out when ordered to all happen in the background.

Coffee Diem – A Wake-Up Call
Hopefully, at this point I’ve terrified you enough to lurch into action, check whether you have the bug, and run the removal procedure. Initially, the check and the removal involved pasting a bunch of serious-looking commands into the Unix bowels of your Mac (the Terminal). I did this and found it a bit daunting, and I’m a professional.
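For the curious, here is an added illustration of what that manual check amounted to. This script is not from the column and is not one of Apple’s or any vendor’s tools; it reconstructs the widely circulated Terminal check, which asked the macOS `defaults` tool whether Safari’s or Firefox’s Info.plist carried an LSEnvironment entry injecting a library through DYLD_INSERT_LIBRARIES, or whether ~/.MacOSX/environment.plist set DYLD_INSERT_LIBRARIES globally, since those were the hooks the Flashback variants used to load themselves into the browser. The indicator list is an assumption based on those instructions; the classification functions work on the captured text, so they can be exercised with constructed sample output on any system, while the live check only runs where `defaults` exists.

```shell
#!/bin/sh
# Added example (not from the column): reconstruct the manual Flashback
# check that circulated before the automated removal tools appeared.
# Assumption: the indicators are the ones the published instructions looked
# for, a library injected via DYLD_INSERT_LIBRARIES either through the
# browser's Info.plist LSEnvironment dictionary or globally through
# ~/.MacOSX/environment.plist. The live check needs the macOS `defaults` tool.

# Classify the text that `defaults read <app>/Contents/Info LSEnvironment`
# prints. Result: clean (no such key), infected (a library is being injected
# into the browser), or unknown (the key exists but holds something else;
# look at it by hand before deciding).
classify_lsenvironment() {
  case "$1" in
    *"does not exist"*)      echo clean ;;
    *DYLD_INSERT_LIBRARIES*) echo infected ;;
    *)                       echo unknown ;;
  esac
}

# Classify the text that
# `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES` prints.
# On an ordinary user's Mac that key should not exist at all, so any value
# is treated as an injected library.
classify_dyld_env() {
  case "$1" in
    *"does not exist"*) echo clean ;;
    *)                  echo infected ;;
  esac
}

# Live check: reads the real plists. Only meaningful on a Mac.
check_mac() {
  for app in /Applications/Safari.app /Applications/Firefox.app; do
    [ -d "$app" ] || continue
    # `defaults read` exits non-zero when the key is missing; keep going and
    # let the classifier read the "does not exist" message.
    out=$(defaults read "$app/Contents/Info" LSEnvironment 2>&1 || true)
    printf '%s LSEnvironment: %s\n' "$app" "$(classify_lsenvironment "$out")"
  done
  out=$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>&1 || true)
  printf '%s DYLD_INSERT_LIBRARIES: %s\n' "$HOME/.MacOSX/environment.plist" \
    "$(classify_dyld_env "$out")"
}

if command -v defaults >/dev/null 2>&1; then
  check_mac
fi
```

A "clean" result from this check does not prove anything beyond the absence of these two hooks; the automated tools and Apple’s update look further, which is why the column points you to them.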

Fortunately, a number of entities on the web stepped up and released automated tools that seek out and destroy the problem. The bad news is that it took Apple six weeks to patch the vulnerability in its Java, which suggests Apple still hasn’t gotten its security-update act together. But the fix is here, and you can install it via the standard Software Update item under the Apple logo in your screen’s upper left corner.

Apple says:

This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

Most people don’t need Java in the browser; if you visit a trusted site that uses it, the site will usually ask you to turn it on if it isn’t on already. I have never needed it and keep it turned off (Safari > Preferences > Security, un-check Enable Java). I advise you to do the same; turning off the browser plug-in is what matters, since the attack comes in through web pages. Oh, and there are indications that the criminals behind this keep altering the trojan to slip past anti-virus programs, so keep your updates current, both Apple’s and your anti-virus vendor’s.

