There has been a lot of press going around lately about a Mac Trojan named Flashback, especially now that two security firms (F-Secure and Kaspersky) have recently claimed it has infected more than a half million Macs.
I originally posted about this Trojan on 10/26/2011. The Flashback Trojan masquerades as a Flash updater. What is unique about some variants of this Trojan is that a Mac can get infected simply by visiting a fraudulent or compromised website, with no password prompt or other user intervention required.
When one of these fraudulent/compromised websites is opened, a Java applet launches that is disguised as an update for Adobe Flash Player. This Java applet exploits a security vulnerability in Java, allowing it to install the Trojan without the user being prompted for their password.
Links to websites containing the Flashback Trojan installer are being spread via spam email. It’s also possible to stumble across one by browsing adult-themed or hacking/pirating sites.
Apple released Java updates for OS X 10.6/10.7 last week to patch these vulnerabilities.
If you are an All Covered Chicago client, and we manage your Macs, you don’t need to worry about being infected by this Trojan. In addition to automatically pushing out Apple security updates to Macs, we have also begun running proactive scripts daily that check for the Flashback Trojan.
To date, we have not discovered this (or any) Trojan on the Macs managed by All Covered Chicago. This doesn’t surprise me, as the odds of getting infected by a Trojan like this are minimal, though it can happen. “Over half a million infected Macs” sounds like a lot, until you consider that Apple sold 4 million new Macs just last quarter, and that there are an estimated 45-50 million Macs currently in use. Many security experts also doubt the claim that so many Macs are infected, and even Kaspersky admits it is using a “rough estimate” based on passive OS detection technology that “can’t be completely trusted”.
This recent scare is simply a Java exploit (Lion doesn’t even install Java by default), and Apple has patched it for OS X 10.6/10.7. If you haven’t been clicking links in spam emails, and you haven’t been surfing the darker side of the web, you’re more than likely safe.
If you have a Mac running OS X 10.6 or 10.7 that isn’t managed by All Covered Chicago, I’d recommend running Software Update now, and applying any available Java updates.
Unfortunately, there are no Java updates for older Macs running OS X 10.5 or 10.4, so they will remain susceptible to this and future Java security vulnerabilities. The only way to fully protect an older Mac running OS X 10.5 or 10.4 from Java exploits is to either upgrade to OS X 10.6 (if the hardware supports it) or disable Java in your web browser’s preferences.
If you want to check to see if a Mac (any version of OS X) has been infected by the Flashback Trojan, I’d recommend you run the freeware utility FlashbackChecker, available here: https://github.com/jils/FlashbackChecker/wiki
So is it time for all Macs to have antivirus/antimalware apps installed on them? My answer is still no. I think this is just a blip on the radar that will blow over, just like the iWorkServices Trojan (which infected enough Macs to be considered a botnet, but no one remembers it now because it was squashed by updates from Apple).