Snow Leopard hit hardest by Flashback malware

The finding that Leopard and Snow Leopard users were affected more by the Flashback malware suggests Apple's approach to security on OS X has a notable impact, even if it is an indirect one.

Russian security company Dr. Web recently analyzed one of the latest known variants of the Flashback malware for OS X, and in doing so revealed some interesting statistics regarding the infection rates of the malware -- which, by some perspectives, counters criticism of Apple's lapse in attention to security on OS X.

Since its initial findings of Flashback, Dr. Web has been continually gathering data from infected systems by using sinkhole techniques where its analysts took over the domains used by the malware and were able to intercept communications by the malware on infected systems. As part of the infection, Dr. Web found that the malware issues a communications string to the command and control servers that looks similar to the following:

20|i386|9.8.0|4DE360BE-E79E-5AD6-91CF-D943761B3785|6bbbbfb49b1659ebaaadffa20215bfc787577bd8|001|007|0

In this string, the vertical bar characters separate different aspects of the infection on the given system, which according to Dr. Web are the following:

  1. Malware variant
  2. Computer CPU type
  3. Kernel version of the operating system
  4. System Hardware UUID
  5. SHA1 checksum value of the malware payload
  6. Third-party browser availability bitmask
  7. Constant
  8. Value indicating bot privileges (0 for running as the user, 1 for running as admin)

By parsing these intercepted communications strings over weeks of communication and then compiling them, Dr. Web was able to find several interesting facts. Included in these are some obvious notions such as the latest malware variants that use Java to exploit systems being the most prevalent of the attacks. However, other findings are that most of the attacks have been run with "user privileges," suggesting most people were caught in the drive-by-download attack and refused to enter a password when prompted by the malware, but were nevertheless infected.

The biggest finding by Dr. Web, however, is that those using Snow Leopard and Leopard were hit hardest by this malware, with Snow Leopard systems taking the cake by having about 63.36 percent of those infected, followed by Leopard which constituting about 25.48 percent.

Those running OS X Lion made up just over 10 percent of those infected by the malware.

Some may interpret these numbers as meaning Snow Leopard systems are more vulnerable; however, another interpretation suggests a new perspective on the security advancements of Apple's OS -- an aspect for which the company has taken some heavy criticism with notions like "security through obscurity" being primary points of discussion. While Apple's persistent lag in support for Java in no doubt helped Flashback spread, Dr. Web's findings support an opposite view to the criticism that Apple is years behind in terms of security .

Dr. Web graph showing infections by OS version.
Those running Kernel 9.x (Leopard) were about 25 percent of those infected, with all the versions of Snow Leopard (Kernel 10.x) making up about 64 percent of those infected. (click for larger view) Dr. Web

While the Flashback malware was an issue for those who did have Java on their systems, the biggest prevention in the malware's distribution came with Apple's decision to not include Java in its latest operating system.

Data from a recent ZDNet report suggests that at 16.4 percent and 47.48 percent of the install base, both Leopard and Snow Leopard together are still the most widely used versions of OS X. Following these versions is Lion, which so far has gained about 30.48 percent of the OS X install base.

Despite both Snow Leopard and Leopard together making up about 64 percent of OS X installations, according to Dr. Web they constitute nearly 89 percent of the Flashback malware infections in OS X. On the other hand, OS X Lion is only used by about a third of Mac users, and yet the infections for this OS make up just over a tenth of those being observed.

The reason for the lower numbers of infected systems running Lion comes directly from Apple's decision to, starting with Lion, no longer include Java in OS X. This may seem like an obvious reason why the malware has not affected many Lion users, but it also gives credit to Apple's approach for security in OS X, which is to more and more require extra steps and confirmations for programs to run.

In OS X 10.4 Apple introduced file quarantining, which required users to confirm they wished to open files downloaded from Safari or Mail, and in OS X 10.6 Apple included a rudimentary XProtect malware scanner for these files to further warn people of threats. Apple still furthered these efforts with the removal of Flash and the included Java runtime in OS X 10.7 that requires the runtime's installation before Java programs will work (even though this decision likely was from the blossoming of Apple's Objective-C based Cocoa environment more than for security reasons).

Finally, in the upcoming OS X 10.8 due this summer, Apple has included GateKeeper , which relies on its developer program and application signatures to prevent any unsigned application from running unless given explicit permission.

Despite the obvious benefits to Apple's evolving approach to clamp down on and control the applications allowed to run in OS X, this approach has not been without its faults, especially with regard to retroactively tackling threats. One of the biggest security vulnerabilities in OS X has not only been Apple's lag in support for updates such as the Java runtime, but also its omission of security support for past versions of OS X .

Even at present, users of OS X 10.5 and earlier constitute at least 16 percent of the OS X install base and 25 percent of the Flashback infections, but yet have neither been issued any Java updates to fix the vulnerability, nor been offered any malware removal options by Apple and instead have had to rely on third-parties for their concerns.

Additionally, Apple has received much criticism for its decisions regarding Safari, which as an example has allowed automatic opening of "Safe" downloaded files (PDFs, Images, etc.) to be the a default setting for years. These obviously vulnerable systems and configurations, which are still widely used, are in need of patching.

The traditional approach to tackling these and other security holes is to patch them directly as they arise, both in current and past supported software, and the importance of this still holds today. However, Apple has yet to show its willingness to offer full support in this area and instead has tackled security by moving forward with new technologies and promoting everyone to jump on board.

However, it is also pertinent that even if Apple had kept up-to-date with the latest Java runtimes and issued patches for every configuration problems in past versions of its operating systems, many users (even those running Lion) would not have updated their systems and would still be vulnerable. Apple's approach to instead promote the adoption of its next offerings (especially by making them exceptionally cheap) is understandable, and it is also undeniable that with regard to this Apple has increased the security of those who use newer versions of OS X.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    ARTICLE DISCUSSION

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Hot on CNET

    The Next Big Thing

    Consoles go wide and far beyond gaming with power and realism.