UPDATED 09:05 EST / APRIL 05 2012

Got a Mac? You’re Probably Infected. Here’s What You Need

On Wednesday, Russian anti-virus vendor Doctor Web published an article stating that 550,000 Macs were infected with BackDoor.Flashback.39 –  a Trojan that targets an unpatched JavaScript codes (CVE-2011-3544, CVE-2008-5353 and CVE-2012-0507) vulnerabilities within Mac operating system.  The report was later updated in Dr. Web’s Twitter account stating that more than 600,000 Macs were compromised and the majority of which can be found in the United States.

Where it all began

Ars Technica had been keeping tabs on the Flashback Trojan since it appeared in 2011.  The Trojan posed as a Flash player installer, easily tricking some Mac users into installing the malicious program.  The threat was marked as “low” since not many Mac users use Flash.

Later, a more potent variation of the Flashback Trojan, Flashback C, surfaced, still posing  as a Flash installer.  The new variation disables Apple’s automatic updating mechanism for its system-wide malware application, rendering infected Macs doomed to never receive security updates needed for the removal of the malware.

Mode of transmission

The infection starts when a user gets redirected to a bogus site from a compromised resource, or via a traffic distribution system.  A JavaScript code is then used to load a Java-applet containing an exploit.  Analysts at Dr. Web discovered a large number of web-sites containing the code, and below are just some of the recently discovered:

  • godofwar3.rr.nu
  • ironmanvideo.rr.nu
  • killaoftime.rr.nu
  • gangstasparadise.rr.nu
  • mystreamvideo.rr.nu
  • bestustreamtv.rr.nu
  • ustreambesttv.rr.nu
  • ustreamtvonline.rr.nu
  • ustream-tv.rr.nu
  • ustream.rr.nu

The exploit then saves an executable file on the hard drive of the infected Mac, which downloads a malicious payload from a remote server and then launches it.
According to Dr. Web, attackers started exploiting the vulnerabilities in February of this year, but it wasn’t until April 3 that Apple closed the hole.

Am I infected?

If you’re using a Mac and are fond of visiting various websites, there’s a high probability that your machine is already infected.

Dr. Web strongly recommends Mac users to download and install the security update released by Apple, found here.

F-Secure, an anti-virus and computer security and computer software company, offers instructions on how to determine if your Mac had been compromised and how you can remove the Trojan.  Click here to learn more about it.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU