Got a Mac? You’re Probably Infected. Here’s What You Need

On Wednesday, Russian anti-virus vendor Doctor Web published an article stating that 550,000 Macs were infected with BackDoor.Flashback.39, a Trojan that exploits unpatched Java vulnerabilities (CVE-2011-3544, CVE-2008-5353 and CVE-2012-0507) in the Mac operating system. Dr. Web later updated the figure on its Twitter account, stating that more than 600,000 Macs were compromised, the majority of them in the United States.

Where it all began

Ars Technica had been keeping tabs on the Flashback Trojan since it appeared in 2011.  The Trojan posed as a Flash player installer, easily tricking some Mac users into installing the malicious program.  The threat was marked as “low” since not many Mac users use Flash.

Later, a more potent variant of the Flashback Trojan, Flashback C, surfaced, still posing as a Flash installer. The new variant disables Apple’s automatic updating mechanism for its system-wide malware protection, leaving infected Macs unable to receive the security updates needed to remove the malware.

Mode of transmission

The infection starts when a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code then loads a Java applet containing the exploit. Analysts at Dr. Web discovered a large number of websites containing the code; below are some of the recently discovered ones:


The exploit then saves an executable file to the hard drive of the infected Mac; this file downloads a malicious payload from a remote server and launches it.
According to Dr. Web, attackers started exploiting the vulnerabilities in February of this year, but it wasn’t until April 3 that Apple closed the hole.
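The chain described above (lure page, Java applet, follow-up download) leaves a recognisable sequence in web proxy logs. The following is an added defender-side example, not code from the article or from Dr. Web; the log format, hostnames, client addresses and the 60-second window are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the article). Fields: epoch client url user_agent
SAMPLE_LOG = """\
1333500001 10.0.0.5 http://news.example.test/story.html Mozilla/5.0 (Macintosh)
1333500002 10.0.0.5 http://video-lure.example.test/index.php Mozilla/5.0 (Macintosh)
1333500003 10.0.0.5 http://video-lure.example.test/a.jar Mozilla/5.0 (Macintosh)
1333500005 10.0.0.5 http://video-lure.example.test/dl.php?id=1 Java/1.6.0_29
1333500010 10.0.0.9 http://cdn.example.test/lib.jar Mozilla/5.0 (Macintosh)
1333500011 10.0.0.9 http://cdn.example.test/app.html Mozilla/5.0 (Macintosh)
1333500020 10.0.0.7 http://video-lure.example.test/a.jar Mozilla/5.0 (Windows)
1333501000 10.0.0.7 http://video-lure.example.test/dl.php Java/1.6.0_29
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (.*)$")
APPLET_RE = re.compile(r"\.(jar|class)(\?|$)", re.IGNORECASE)
WINDOW = 60  # assumed max seconds between applet load and the runtime's follow-up fetch

def host_of(url):
    """Lower-cased host part of an http(s) URL."""
    return url.split("//", 1)[-1].partition("/")[0].lower()

def parse(log_text):
    """Yield (ts, client, host, path, ua) per well-formed line, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, url, ua = m.groups()
        path = url.split("//", 1)[-1].partition("/")[2]
        events.append((int(ts), client, host_of(url), path, ua))
    return sorted(events)

def detect_applet_chains(log_text, window=WINDOW):
    """Return (client, host) pairs where a client fetched a Java applet from a host
    and, within `window` seconds, the Java runtime (User-Agent 'Java/...') fetched a
    non-applet resource from the same host: the download step of the drive-by chain."""
    applet_loads = defaultdict(list)  # (client, host) -> timestamps of .jar/.class fetches
    hits = []
    for ts, client, host, path, ua in parse(log_text):
        key = (client, host)
        if APPLET_RE.search(path):
            applet_loads[key].append(ts)
        elif ua.startswith("Java/") and any(0 <= ts - t <= window for t in applet_loads[key]):
            if key not in hits:
                hits.append(key)
    return hits
```

On the constructed log, only 10.0.0.5 shows the full sequence inside the window; 10.0.0.9 loads a jar with no runtime follow-up and 10.0.0.7's follow-up arrives too late to correlate.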

Am I infected?

If you’re using a Mac and are fond of visiting various websites, there’s a high probability that your machine is already infected.

Dr. Web strongly recommends that Mac users download and install the security update released by Apple, found here.

F-Secure, an anti-virus and computer security company, offers instructions on how to determine whether your Mac has been compromised and how to remove the Trojan. Click here to learn more about it.

About Mellisa Tolentino

Mellisa Tolentino started at SiliconANGLE covering the mobile and social scene. Over the years, her scope expanded to Bitcoin as well as the Internet of Things. SiliconANGLE gave Mellisa her break in writing and it has been an adventure ever since. She’s from the sunny country of the Philippines, where people always greet you with the warmest smile. If she’s not busy writing, she loves reading, watching TV series and movies, but what she enjoys the most is playing or just chilling on the couch with her three dogs Ceecee, Ginger, and Rocky.