Got a Mac? You’re Probably Infected. Here’s What You Need

On Wednesday, Russian anti-virus vendor Doctor Web published an article stating that 550,000 Macs were infected with BackDoor.Flashback.39, a Trojan that targets unpatched JavaScript code vulnerabilities (CVE-2011-3544, CVE-2008-5353 and CVE-2012-0507) within the Mac operating system. Dr. Web later updated the report on its Twitter account, stating that more than 600,000 Macs were compromised, the majority of them in the United States.

Where it all began

Ars Technica had been keeping tabs on the Flashback Trojan since it appeared in 2011.  The Trojan posed as a Flash player installer, easily tricking some Mac users into installing the malicious program.  The threat was marked as “low” since not many Mac users use Flash.

Later, a more potent variation of the Flashback Trojan, Flashback C, surfaced, still posing as a Flash installer. The new variation disables the automatic updating mechanism for Apple's system-wide malware application, so infected Macs never receive the security updates needed to remove the malware.

Mode of transmission

The infection starts when a user gets redirected to a bogus site from a compromised resource, or via a traffic distribution system. JavaScript code is then used to load a Java applet containing an exploit. Analysts at Dr. Web discovered a large number of websites containing the code, and below are just some of those recently discovered:

The exploit then saves an executable file on the hard drive of the infected Mac, which downloads a malicious payload from a remote server and then launches it.
According to Dr. Web, attackers started exploiting the vulnerabilities in February of this year, but it wasn’t until April 3 that Apple closed the hole.

Am I infected?

If you’re using a Mac and are fond of visiting various websites, there’s a high probability that your machine is already infected.

Dr. Web strongly recommends that Mac users download and install the security update released by Apple, found here.

F-Secure, an anti-virus and computer security software company, offers instructions on how to determine whether your Mac has been compromised and how you can remove the Trojan. Click here to learn more about it.

About Mellisa Tolentino

Mellisa is a staff writer for SiliconAngle, covering social and mobile news. She is fascinated by technology and loves imparting what she learns through her journey as a writer. Got a news story or tip? Send it to mellisa@siliconangle.com