
Flashback trojan reportedly controls half a million Macs and counting - iProject
http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars
======
philaquilina
As someone who used to sell Mac computers, I used to get asked the question
"Is it true macs never get viruses?", to which I replied "No that's not true."
(It was just an Apple reseller store after all so I was never compelled to bend
the facts.) I'd try to explain the caveats a bit: a smaller market share and
the Unix-based operating system requiring more permissions, yada yada, being
"prohibitive" to an attack but still vulnerable. Still, for 3 years that
question came up a few times a week, even as Apple started taking off
(2006-2009 ish) and grabbing more and more of the market.

I guess it was just amazing to me how disinformation like that flows so
freely. It probably started out with the caveats but eventually got boiled
down to "Macs never get viruses". And what computer company is going to
publicly correct that statement?

~~~
superuser2
Yes, it is correct that Macs _can_ get viruses. Where people get upset is when
you generalize this to say that because >1 virus exists, OSX presents no
significant advantage over Windows.

Viruses are not a fact of life for Mac users. Talk to anyone who uses or
services Macs; you'll be hard-pressed to find anyone who's even seen an OSX
virus. Whereas for Windows power-users, cleaning viruses for friends/parents
is practically a rite of passage.

OSX is still dramatically safer in terms of your _actual_ risk of a random
remote attack. Whether this is economics or superior engineering, or how
Windows and OSX stand up to deliberate attackers, I will not pretend to know.

~~~
vectorpush
_Viruses are not a fact of life for Mac users._

Neither are trojans, and that is exactly why this trojan has manifested so
successfully. Windows users are mostly hardened to the basic threats of the
internet (don't open a random exe etc), and are cognizant of the reality that
malicious software _does_ target them. Non-technical Mac users have been
lulled into a false sense of security that will eventually make them a more
vulnerable target than a Windows user (as Win7 and OSX pretty much stand
shoulder to shoulder in terms of security).

_OSX is still dramatically safer in terms of your actual risk of a random
remote attack._

What is your evidence for this?

~~~
superuser2
I've done ~15 Windows reinstalls in the last few years, and every single one
of them was malware masquerading as anti-virus software. OSX's reputation may
make Mac users feel invincible, but Windows users' knowledge of their
vulnerability opens them to pretty effective scare tactics.

In fact, it hit my house twice, and I'm not exactly incompetent: Win7,
Security Essentials, kept on top of Windows Update, no admin privileges for
little brother or mom, updated Firefox, etc. The last time, it turned out we
were behind on Java updates - it popped up in the systray 5 or 6 times a day
for a few months and the few times my dad tried to allow the update, it
failed. I didn't know about that until I was in the room while my brother was
using the machine and I saw a dialog that looked an awful lot like Windows
reminding you to install AV but not quite right. No way anyone else would have
noticed that the background gradient was just a bit off. Did a scan... MSE was
showing me 20 different Java exploits and "Anti"virus 2012 wouldn't let me
open Firefox again outside of safe mode. Not something my parents would be
able to deal with when I'm not there; they would have had to pay somebody. Its
replacement will be a Mac; they like OSX better anyway.

I worked for a small-business IT firm for 3 summers and have never seen or
heard of OSX malware except from the blogosphere/HN/media. We took our
clients' security pretty seriously - corporate domains, enforced Automatic
Updates, no idiots with local admin, corporate endpoint antivirus, antivirus
in the spam filter, Sonicwalls, Firefox wherever possible, etc. Still, we got
virus calls pretty frequently. I would usually babysit the reinstalls at a
reduced rate, but when I wasn't interning, businesses were shelling out
$150/hour for that. To be fair, most were XP, but there were a few virus calls
for Win7.

I don't have statistics, but if you're going to claim OSX has fallen as far as
Windows in terms of infection rate, I think the burden is on you to show some
data. Again, just as many family friends running OSX as Windows; I've had Macs
die (my MBP's motherboard gave out right after 4 years), I've had Macs run out
of disk space, I've had the PowerPC/Intel switch lose my family a lot of money
because perfectly good ~2006 machines can't run a modern OS or
Flash/Firefox/iTunes, but I've never seen malware for OSX.

~~~
vectorpush
_I've done ~15 Windows reinstalls in the last few years_

So what? I've reinstalled Windows three times since Windows 7, and it's
_never_ been due to a virus. The last company I worked at was a Windows shop
that also had 0 malware problems. Anecdotes are pointless in this discussion.

_I didn't know about that until I was in the room while my brother was using
the machine and I saw a dialog that looked an awful lot like Windows reminding
you to install AV but not quite right. No way anyone else would have noticed
that the background gradient was just a bit off._

Yes, your brother was the victim of a social engineering attack, the exact
technique used to infect these Mac users. Windows systems _aren't_ inherently
less secure, and every terrible ailment described in your post is the result
of voluntary action taken by the user.

_I don't have statistics, but if you're going to claim OSX has fallen as far
as Windows in terms of infection rate, I think the burden is on you to show
some data._

No. The onus is on you to demonstrate how Windows 7 is inherently less secure
than OSX. You're making vague assertions about how Windows is less secure but
you haven't given specific examples of why that is true, only anecdotes that
anyone can counter (or bolster) with personal experience.

The bottom line is, short of 0-days, both systems are equally secure.

~~~
superuser2
You are constraining your discussion to Windows 7. I am not. XP may have
disappeared from the life of a non-corporate programmer, but it's still everywhere
for me. Hence the impedance mismatch. Most of our shop's customers did not see
a business need to upgrade, and acquaintances that can afford to buy new
computers while their old ones are still running (however poorly) tend to be
Mac users anyway.

>every terrible ailment described in your post is the result of voluntary
action taken by the user.

No, it was a remote Java exploit. The dialog was to get you to pay for it
after it had already installed.

The point is that despite all this talk about OSX viruses, malware is still
not a part of day-to-day life with Macs to anywhere near the extent it is with
Windows (when you include XP).

~~~
vectorpush
_You are constraining your discussion to Windows 7. I am not. XP may have
disappeared from the life of a non-corporate programmer_

Well what version of OSX are you using to make your comparison? SP3 to 10.8?
Either way, there isn't some nebulous security gap between OSX and Windows,
vulnerabilities exist in all systems and a responsible vendor patches them
when they're discovered.

Please show me how to remotely compromise an up-to-date SP3 machine. Yes,
there are exploits that exist at points in time, but the same is true of OSX,
just google "OSX exploit".

_malware is still not a part of day-to-day life with Macs to anywhere near
the extent it is with Windows_

All that proves is that there is more malware targeting Windows, it speaks
_nothing_ to the inherent security of the system since _malware can't install
itself_.

~~~
echo-unity
> vulnerabilities exist in all systems

Couldn't disagree with you more.

------
dinedal
Whoa, it aborts infection if you have Xcode installed?

Is this just to prevent itself from infecting someone's computer that might be
able to study it?

~~~
ImprovedSilence
That would be my guess. Perhaps it wanted to stay undetected, and un-reverse
engineered as long as possible? It just played the numbers game in terms of
time until discovery, and gave Xcode users some respect? Hence deleting itself
in the presence of anti-virus software as well?

~~~
stcredzero
_It just played the numbers game in terms of time until discovery, and gave
Xcode users some respect?_

I guess false negative was ok in this case. ;)

~~~
ImprovedSilence
Haha, yeah, I wrote the sentence as it appeared in my head, realized it was
incomplete and would make no sense to anyone, then just kinda slid the rest
in....

------
deet
Apple includes a lot of third-party software in OS X, and if they don't start
patching those packages as promptly as the software maintainers do, exploiting
these non-Apple or open source packages could become a common strategy.
Attackers can watch other platforms roll out updates before Apple and then
target the same software in OS X. Not that the same vulnerabilities will always
work, but it's certainly a worry.

This particular exploit is not a great example, since they removed Java by
default. But all the other cross-platform software that is included is
worrisome if not promptly updated.

~~~
pagekalisedown
That's a good observation. Avoiding GPL3 software, like newer versions of bash
and gcc, might have the unintended consequence of putting their users at risk.

~~~
rmc
I highly highly doubt we'll see a day when there are significant exploits for
Joe Soap Mac User from a bug in bash or gcc. Those are not software that Joe
Soap is likely to have installed (e.g. gcc), or will be hard for a website to
run.

~~~
el_presidente
I think they install bash by default, not sure if they use gcc's libstdc++.

------
pooriaazimi
I seriously doubt that 600,000 macs were infected... How do we know this
number is correct? Because a completely unknown security firm that sells Mac
antivirus software ("Dr. Web", a Russian antivirus company) tweeted about it!

~~~
kokoge
> completely unknown security firm

Completely unknown? It's been on the market for almost 20 years.

------
joejohnson
At least it is easy to check if you're infected. According to this tutorial,
it's also not difficult to remove the trojan:
<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml>
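
An added example, not code from the post or from F-Secure, that scripts the check the linked write-up describes. It assumes the two `defaults read` commands F-Secure published for this variant (Safari's `LSEnvironment` dictionary and `DYLD_INSERT_LIBRARIES` in `~/.MacOSX/environment.plist`, the two places the trojan set up its injected library) and that it is run on OS X; the sample strings in the comments are constructed:

```shell
# Defender-side check for the persistence markers this Flashback variant used.
# It automates the two `defaults read` lookups from the F-Secure description:
# the trojan injected a library via the DYLD_INSERT_LIBRARIES environment
# variable, configured either in Safari's LSEnvironment (admin-level infection)
# or in the per-user ~/.MacOSX/environment.plist (user-level infection).
# `defaults` answering "does not exist" for both keys means the markers are absent.

# classify_defaults_output: turn the text `defaults read` printed into a verdict.
#   "clean"   - the key is absent (defaults reports "... does not exist")
#   "suspect" - the key exists, so an injected library may be configured
classify_defaults_output() {
  case "$1" in
    *"does not exist"*) echo clean ;;
    *)                  echo suspect ;;
  esac
}

# check_flashback: run both lookups on this Mac; returns 1 if anything is suspect.
# Only meaningful on OS X, where the `defaults` tool exists.
check_flashback() {
  status=0
  # Each entry is "<domain> <key>" exactly as passed to `defaults read`.
  for spec in \
    "/Applications/Safari.app/Contents/Info LSEnvironment" \
    "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"
  do
    # Capture stderr too: the "does not exist" message is printed there.
    out=$(defaults read $spec 2>&1)
    verdict=$(classify_defaults_output "$out")
    echo "$spec: $verdict"
    [ "$verdict" = clean ] || status=1
  done
  return $status
}

# Run only where `defaults` is available, so the functions can be sourced elsewhere.
if command -v defaults >/dev/null 2>&1; then
  check_flashback
fi
```

A "suspect" verdict only says the key exists; inspect the printed value before deleting anything, since legitimate software can also set environment variables there.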

------
alanh
Of note — if Java is the attack vector, _new Macs were not vulnerable by
default_ as they don’t ship with Java installed anymore a/o 10.7 Lion. AFAIK,
the biggest reason anyone would have Java is if you’re running Adobe products.

~~~
cookiecaper
Or LibreOffice, or Eclipse, or...

Java is plenty widespread. It's a good bet that most systems are going to end
up with a JVM on disk somewhere after 6 mo - 1 yr of usage.

~~~
alanh
I don’t know — those aren’t apps normal people install.

(And: The same people who install Eclipse, Minecraft, LibreOffice, or
Photoshop are also more likely to have one of the apps that Flashback avoids
co-habitating with: Little Snitch, Xcode, etc.)

~~~
shelfu
Minecraft is _hugely_ popular with anybody under 14. To the point that it's no
longer only nerdy parents that showed their kids it, it's kids hearing about
it from other kids.

It's simple to buy and install and get working. There is no reason to assume
that Mac users running Minecraft are going to also have Xcode or Little
Snitch.

------
feefie
I have Xcode installed, so I guess I'm safe from this. Do you have any
standard advice for how a regular MacOS user should configure their system to
be safe? I don't even have anti-virus software installed like I do on my
Windows machine, I assumed the Mac OS took care of that (but not if 1/2
million Macs are infected with this thing =/). I do keep the built-in firewall
turned on. Is there a website or something that I can go to that will teach me
what steps I should take on my MacBook Pro to keep it clean?

~~~
jacktoole1
I personally run chrome and block all plugins by default, and enable them when
I think I have a good idea what the plugin is doing. You can then set specific
sites that may always run plugins, so it's not overly annoying when on a few
flash-heavy sites. Presumably Safari has a similar option.

Unfortunately Chrome only allows you to "run all plug-ins" on a site or "block
all plug-ins", so there's still a possibility of enabling Java when you meant
to enable flash to view a video. However, it's probably a good first step
against attacks like these.

I also run under a regular user account without direct sudo access, so any
action that modifies system files should request an admin password. Jeff
Atwood (codinghorror.com) had a good post about this for Windows:
<http://www.codinghorror.com/blog/2007/06/the-windows-security-epidemic-dont-run-as-an-administrator.html>

------
alanh
I can’t seem to /newpoll — but I would like to see, out of those who run the
instructions to check for the virus, how many of us actually had it. (I
didn’t.)

~~~
johnpowell
I didn't, and I installed the JAVA stuff to install CS5.

------
Tichy
What annoys me is that I just found Java to be enabled in Firefox again, when
I was pretty sure that I had disabled it before. I suspect that yesterday's
update reinstalled it into Firefox. (I could be wrong, though - but I
definitely remember starting Safari just for the sake of trying Minecraft,
because it was the only one of my browsers with Java enabled).

~~~
TazeTSchnitzel
IIRC Mozilla are going to blacklist out-of-date Java versions in FF.

------
sliverstorm
It's actually kind of fun when I occasionally get a virus. I always remove
them by hand, piece by piece, and tracking them down is a learning experience.
It's also amusing seeing some of the clever tricks they pull.

Maybe it's time to get a Mac?

~~~
btipling
What do you learn? What have you ever done with that knowledge?

~~~
sliverstorm
It teaches about the structure of the registry, and gets your hands in some of
the low-level hooks of the system. It mostly teaches you how to remove
viruses. I didn't mean to say it was truly practical knowledge; I just enjoy
discovery.

------
jklp
This both saddens and delights me, as it proves that Macs are now at a large
enough market share that malware writers are willing to target that platform
...

~~~
rimantas
Did not pre-X versions of Mac OS have more viruses in the wild with much
smaller market share?

~~~
smackfu
From Apple, Mac OS 9: How to Check For Viruses:
<http://docs.info.apple.com/article.html?artnum=50569>

