Flashback the largest Mac malware threat yet, experts say

Congratulations, Apple. The Mac is now popular enough to attract major attention from the bad guys.

Josh Lowensohn Seth Rosenblatt

Unless you've been living under a rock for the past week, you've probably heard about Flashback, a piece of malware targeting users of Apple's Mac OS X that's now estimated to be quietly running on more than 600,000 machines around the world.

That number, which came from Russian antivirus company Dr. Web earlier this week, was confirmed today by security firm Kaspersky. More than 98 percent of the affected computers were running Mac OS X, the firm said.

That's certainly a big number, but how does it stack up to past threats?

"It's the biggest, by far," Mikko Hypponen, chief research officer at antivirus and computer security firm F-Secure, told CNET in an e-mail. "I'm afraid the malware-free times of Mac users are behind us permanently."

Separately, Catalin Cosoi, chief security researcher for antivirus-software maker Bitdefender, said the infection was likely the largest for the Mac so far this decade, but that there's no precise way to measure how many Mac OS computers have been compromised.

"600,000 represents around 12 percent of the Mac OS computers sold in Q4 2011," Cosoi said, "which means that if we count the number of Mac OS devices sold in the past three years, we can estimate that less than 1 percent of the Mac OS computers are possibly infected. On the other hand, if we look at the actual numbers and not at the percentages, the numbers look pretty scary."

Why now?
The consensus among security researchers is that a threat this size has been long overdue for the Mac, in no small part because of the platform's growing popularity.

Apple has outpaced the growth of the PC industry for 23 straight quarters, according to data from IDC. While the company's iOS devices, like the iPhone and iPad, have not surprisingly seen much faster growth and overall sales in recent years, Apple also broke a Mac sales record in its last quarter, selling more than 5 million computers -- all of which were, of course, running the company's proprietary operating system.

That kind of growth, which as of February put Apple's installed base of Mac OS X users at 63 million, has not gone unnoticed by attackers, according to security researchers.

"As more people buy and use Macs, we'll see more malware," Charlie Miller, a principal research consultant for Accuvant Labs, told CNET by telephone. "Part of it too is that it's a Java vulnerability, and the actual exploit is OS independent, so (malware writers) didn't have to know how to write an OS X exploit."

In this particular instance, the weak point the malware writers targeted was Java, a technology Apple hasn't shipped out of the box on its computers since 2010 but still supports with its own releases. The runtime is used for everything from enterprise applications to popular 3D games like Minecraft. In November 2010, when announcing plans for the OpenJDK project, Apple said it would continue to maintain its own Java releases through Lion, but that Java SE 7 and beyond would be handled and distributed by Oracle.

Java or no, Paul Ferguson, a senior threat researcher at Trend Micro, suggested that HTML5 -- a Web standard in progress that Apple, Microsoft, and other browser makers are helping to build -- holds the same type of threat for future attacks.

"Wait until HTML5 becomes more ubiquitous for similar types of threat vulnerabilities, and you can have a botnet that runs in your browser," Ferguson cautioned. "The more ubiquitous these platforms are, it won't matter if it's a mobile device or a computer. If it's running Java or any other cross-platform technology, the threat is there."

Not the first mainstream threat to the Mac
Malware programs are designed to harvest user information that can be sold to third parties or used for fraudulent activities. Infected machines can also be enlisted into botnets, which can be rented out for use in distributed denial-of-service attacks. Flashback is the latest in a series of malware attacks against Mac users -- though it turns out not to be so new.

"Flashback's come back around a few times now," said Steve Bono, principal security analyst for Independent Security Evaluators. "It's possible that these computers have been infected since the beginning -- sometime last fall. These things go unpatched, and once a vulnerability is known, it can take months to make the patch."

That's exactly what happened with Flashback. While earlier versions, which relied on a piece of software made to look like Adobe's Flash installer, were squashed by security updates, this latest variant went through Java instead. Oracle updated Java in February to patch the vulnerability the attackers were exploiting, though Apple took longer to patch the version it maintains and delivers to users through its software update tool.

MacDefender, last year's big malware scare, pretended to be an antivirus program. (Image: Intego)

Prior to Flashback, the malware of interest was a piece of software called MacDefender, which also went by the names Mac Security and Mac Protector. The fake antivirus program preyed on users by posing as a legitimate antivirus product: it claimed to find threats on the computer and offered to remove them once the user bought a full license. As it turned out, the viruses it was pretending to find were actually coming from MacDefender itself.

"The fake antivirus epidemic from last year was the real turning point," Roel Schouwenberg, a senior researcher at Kaspersky Labs, told CNET. "With all the media attention, malware authors realized they could make money off Macs."

Schouwenberg noted that besides the initial wave of Flashback and the MacDefender infections, there was an attack from malware that actually changed the Mac's DNS settings.

Apple's response to the MacDefender issue was first to publish guidance on how users could recognize the malware when they came across it on the Web, and then to release a series of updates to XProtect, the malware scanner built into OS X, to keep users from accidentally installing it. Those updates were also able to remove it from machines on which it had already been installed.

Patching the future
One aspect of Apple's internal culture that frustrates security experts is that the company's stance on fixing vulnerabilities has been inconsistent. Experts note that while Apple's mobile iOS platform has been patched in a timely manner, and there are even some at the company who "beat the security drum" (according to Schouwenberg), Flashback is an example of the process not working.

"Flashback was patched by Adobe for all major platforms back in February, but Apple only patched it this week," Schouwenberg said. "Waiting two months is not acceptable, and we see OS X threats evolving."

Apple's Gatekeeper technology, coming in the next version of OS X, promises to tighten down OS security. (Image: Apple)

Apple, which declined to comment on the Flashback malware, has announced plans to tighten up security in the next major version of Mac OS X, due for release this summer, with a feature called Gatekeeper. The new protection works by requiring developers to register with Apple so that their applications can be signed and verified by Apple. Users can then choose whether to block their computers from installing software that hasn't been signed by a registered developer.

"The approach they're taking is two-pronged: Gatekeeper to make you download stuff that has at least some checking for malicious code, and antivirus [XProtect] baked into the OS for when you happen to get hit," Miller said. "On the grand scheme, they have the right ideas, they just haven't been keeping up on things like they should."