
Where did Flashback start? Blame the blogosphere

Keeping hosted blog software up-to-date helps keep everyone secure.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

The Flashback outbreak has been one of the largest to hit the Mac platform to date. Some estimates claim the number of infected OS X systems has been dropping swiftly since its peak of about 600,000 around April 9; others suggest this is not the case and that the infection rate remains relatively high.

This development, along with several other malware scams in the past few years, has been a wake-up call for Mac users to mind their security; however, the security of the Mac platform (or of any platform) extends beyond the computer itself.

When this malware was first announced, it became apparent that the problem largely rested on Apple's delay in shipping Java updates. By not pushing the latest Java patches to OS X users promptly, Apple left a large window in which vulnerabilities that were already publicly known could be exploited on OS X systems.

As a result, much of the blame for this attack falls on Apple's shoulders, but even so we cannot overlook how the attack was spread in the first place. Malware has traditionally spread through underground Web sites, illegal file-sharing services, warez distribution, and other behaviors for which the end user is responsible; recent attacks, however, have happened outside these means.

Kaspersky Lab's analysis of the Flashback infection indicates that the malware was distributed through compromised WordPress blogs, so instead of illicit or underground activity leading to infection, people were infected simply by visiting legitimate Web sites, without realizing those sites had been made part of a malware distribution network.

Kaspersky found that between September 2011 and February 2012, the criminals behind Flashback worked in tandem with a cyber-crime hosting program that supplied the malware. Visitors were funneled to the hosts in this program by redirect scripts injected into personal blogs running vulnerable versions of the WordPress software. The specific vulnerabilities exploited are unknown; they may have been in the main WordPress package itself or in one of its numerous add-ons, such as the ToolsPack plug-in.

With the compromised blogs active, visitors were redirected to the cyber-crime network, which hosted the malware variants. The criminals therefore only had to update the malware on their own network to spread new variants, without changing anything further on the compromised blogs.

Over those same months, the criminals used this setup to evolve the attack from fake Flash Player updates that the user had to download and install into Java exploits that installed the malware without any user interaction. People visiting their favorite blogs might suddenly have been offered a new Flash Player update, or might briefly have seen an unexpected blank window that had in fact run the Java-based variant of the malware.

Those infected with early variants who revisited the compromised blogs were often reinfected with more advanced variants as the crime network evolved its software. This is evident from later variants of the malware checking for and removing the components of earlier versions before installing themselves on the system.

By February 2012, estimates of the number of compromised Web sites ranged from 30,000 to 100,000, with approximately 85 percent of them located in the United States.

This shows that while the end user's system is the last line of defense against malware, responsibility also falls on those who run their own blogs and other software on hosting services, since those installations can be hijacked and used to spread malware.

While the WordPress organization offers hosted blogs that are kept up to date with the latest WordPress releases, only about half of the roughly 73 million WordPress blogs worldwide are hosted and managed by WordPress. The rest run the free WordPress software on third-party hosting, where maintenance and update management are the responsibility of whoever administers the site.

Unfortunately, just as with the lag in Java updates on Apple's systems, if the administrator of one of these sites skips an update, the site may be left open to known security holes and can be taken over by attackers, who then use it to spread malware to the systems of everyone who visits.

Therefore, while Flashback was ultimately enabled by the poor maintenance and support of Java on OS X, its spread was enabled by numerous well-meaning sites whose administrators were unaware that their pages had been altered to help distribute the malware.

To help keep personal sites from being used to spread malware, if you run a blog whose software you manage yourself, keep that software (including its themes and plug-ins) up to date and configured with proper security settings, to protect both the site and the people who visit it. It is also worth regularly viewing your site from a test computer or virtual machine running various installations of OS X and Windows, to confirm it behaves as it should and does not redirect visitors to other sites or do anything else unexpected. Check from more than one system: injected code may serve its redirect only to particular browsers or operating systems, so a site can look clean from one client and not from another.
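The injection described above (a redirect script planted in a blog's pages) leaves traces in the HTML the site actually serves, and the check recommended here can be partly automated. The following is an added example, not code from the article or from Kaspersky Lab: it pulls external script and frame sources, hidden iframes, meta refreshes and inline script bodies out of a page and flags anything outside an allow-list of hosts you own. The allow-list, the browser identities and the two sample pages are constructed for the demonstration; scan_url needs network access and is not exercised by the samples.

```python
"""Scan served HTML for the injected-redirect pattern the Flashback network used:
scripts/iframes from hosts you do not own, hidden iframes, meta refreshes, and
inline JavaScript that sets `location` or unpacks itself with eval/unescape.
Added example, not code from the article or Kaspersky Lab; ALLOWED_HOSTS, the
browser identities and the two sample pages are constructed for the demo."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts your pages legitimately load scripts and frames from.
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}
# Injected code often keys on the visitor's browser, so probe as more than one.
USER_AGENTS = {
    "mac-safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10",
    "win-ie": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
}
REDIRECT_JS = re.compile(
    r"(window\.|document\.|top\.)?location(\.href|\.replace|\.assign)?\s*[=(]", re.I)
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)


class _Collector(HTMLParser):
    """Gather external script/iframe sources, meta refreshes and inline script text."""

    def __init__(self):
        super().__init__()
        self.external, self.meta_refresh, self.inline = [], [], []
        self.hidden_iframes, self._buf = 0, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag in ("script", "iframe") and a.get("src"):
            self.external.append((tag, a["src"]))
        if tag == "script":
            self._buf = []  # start collecting inline body until </script>
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") == "0" or a.get("height") == "0"):
                self.hidden_iframes += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for one served page; an empty list means clean."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for tag, src in c.external:
        host = urlparse(src).hostname  # None for relative paths, set for //host/... too
        if host and host.lower() not in allowed_hosts:
            findings.append(f"external {tag} from {host}: {src}")
    findings += [f"meta refresh: {content}" for content in c.meta_refresh]
    if c.hidden_iframes:
        findings.append(f"{c.hidden_iframes} hidden iframe(s)")
    for body in c.inline:
        if REDIRECT_JS.search(body):
            findings.append("inline script sets location")
        if OBFUSCATION.search(body):
            findings.append("inline script uses eval/unescape/fromCharCode")
    return findings


def scan_url(url, user_agents=USER_AGENTS, referer="https://www.google.com/"):
    """Fetch url once per browser identity, with a search referer, and scan each (needs network)."""
    report = {}
    for name, ua in user_agents.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua, "Referer": referer})
        with urllib.request.urlopen(req, timeout=15) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            report[name] = scan_html(resp.read().decode(charset, "replace"))
    return report


# Constructed samples: a clean blog page, and the same page with an injection appended.
CLEAN_PAGE = """<html><head><title>My blog</title>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.org/analytics.js"></script>
<script>var wp = {ajaxurl: "/wp-admin/admin-ajax.php"};</script>
</head><body><p>Hello</p></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace("</body>",
    '<script src="//counter.example.net/stat.js"></script>'
    '<iframe src="http://ads.example.net/t.php" width="0" height="0"></iframe>'
    '<script>eval(unescape("%77%69%6e%64%6f%77"));'
    'window.location.href="http://ads.example.net/go";</script></body>')
```

Run scan_url against your own front page from a machine outside your hosting account, and treat a clean result for one browser identity as weak evidence: the redirect networks of this era commonly served their payload only to specific browsers, operating systems or search-engine referers, which is exactly why checking from several OS X and Windows installations is worthwhile.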

If you suspect your blog has been compromised, contact your host's or blog platform's support resources to see what can be done. As the WordPress security FAQ advises, the easiest way to remove most hacks is to reinstall the blog software on your server, which replaces injected code in the files the blog uses; the specifics, however, depend on which parts of your site were compromised. Keep in mind that reinstalling the core files does not clean up files that were added rather than changed, such as back doors dropped into the themes, plug-ins or uploads directories, nor a modified wp-config.php or content injected into the database, and that any passwords the attacker may have captured should be changed as well.
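Reinstalling replaces the core files, but it helps to know what was changed before overwriting it, and a reinstall does not touch files that were added. The following added example (not code from the article or from WordPress) hashes every file in a clean copy of the same WordPress version and in the live install, then reports core files that were modified or removed and files that were added, ignoring media under the content directories but never ignoring PHP. The directory tree built by demo_fixture() is constructed for the demonstration.

```python
"""Compare a live WordPress install against a freshly downloaded copy of the same
version: report core files that were modified or removed, and files that were
added, which is where injected redirects and dropped back doors end up.
Added example, not code from the article or from WordPress; the tree built in
demo_fixture() is constructed for the demonstration."""
import hashlib
import os
import sys
import tempfile

# Content directories that legitimately hold files absent from a clean download;
# anything ending in .php there is still reported, since that is where back doors land.
SITE_DIRS = ("wp-content/uploads/", "wp-content/themes/", "wp-content/plugins/")
# Files that exist only on the live site by design; list them for a manual read.
REVIEW_ONLY = {"wp-config.php", ".htaccess"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative path (with / separators) to SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return hashes


def compare_install(clean_root, live_root):
    """Return {'modified': [...], 'missing': [...], 'added': [...], 'review': [...]}."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    report = {"modified": [], "missing": [], "added": [], "review": []}
    for rel in sorted(clean):
        if rel not in live:
            report["missing"].append(rel)
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)
    for rel in sorted(set(live) - set(clean)):
        if rel in REVIEW_ONLY:
            report["review"].append(rel)
        elif rel.startswith(SITE_DIRS) and not rel.endswith(".php"):
            continue  # media, CSS, JS under content dirs are expected to differ
        else:
            report["added"].append(rel)
    return report


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo_fixture():
    """Build a constructed clean/live pair in a temp dir and return the comparison."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    core = {  # stand-in for a stock download of one WordPress version
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-includes/js/jquery.js": "/* jquery */",
        "wp-content/themes/twentyeleven/footer.php": "<?php wp_footer(); ?>",
    }
    for root in (clean, live):
        for rel, body in core.items():
            _write(root, rel, body)
    # What a compromise of the live site might leave behind (constructed, not real malware):
    _write(live, "wp-content/themes/twentyeleven/footer.php",
           '<?php wp_footer(); ?><script src="//counter.example.net/stat.js"></script>')
    _write(live, "wp-content/uploads/2012/03/img.php", "<?php /* dropped back door */ ?>")
    _write(live, "wp-content/uploads/2012/03/photo.jpg", "not really a jpeg")
    _write(live, "wp-config.php", "<?php define('DB_NAME', 'blog');")
    os.remove(os.path.join(live, "wp-includes/js/jquery.js"))
    return compare_install(clean, live)


if __name__ == "__main__":
    report = compare_install(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo_fixture()
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

Saved as, say, wp_diff.py, it takes the unpacked clean download and the live document root as its two arguments and runs the constructed demo when given none. Third-party themes and plug-ins show up under "added" because they are not part of the core download; run the same comparison between each of them and a fresh copy of that theme or plug-in. wp-config.php and .htaccess are listed under "review" rather than ignored, since both are common places for injected code and neither exists in the clean copy.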


