Beware: Mac malware – have you been infected?

Trojan already built a 600,000-strong botnet, according to Doctor Web

April 5, 2012

Russian anti-virus vendor Doctor Web has found that a trojan disguised as a Flash installer has infected at least 600,000 Apple Mac computers, including 274 machines in Cupertino, where Apple is headquartered.

Most of the machines infected by the BackDoor.Flashback trojan are located in the US (56.6%) and Canada (19.8%), with Doctor Web reporting that the UK is in third place (12.8%) and Australia in fourth with 6.1%.

According to Doctor Web, attackers began using two different Java vulnerabilities to spread the malware in February 2012, but switched to another exploit after March 16.

Oracle reportedly patched the vulnerability back in February, but Apple only issued the fix that closes the hole on April 3, 2012.

The exploit saves an executable file to the hard drive of the infected Mac, Doctor Web explained. That file then downloads a malicious payload from a remote server and launches it.

Dr Web analyst tweets new numbers, Cupertino and Finland stats

Doctor Web said the launched malware first searches the hard drive for the following components:

  • /Library/Little Snitch
  • /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
  • /Applications/VirusBarrier X6.app
  • /Applications/iAntiVirus/iAntiVirus.app
  • /Applications/avast!.app
  • /Applications/ClamXav.app
  • /Applications/HTTPScoop.app
  • /Applications/Packet Peeper.app

Only if none of these files is found does the trojan run a special routine to generate a list of control servers, to which it then sends a notification that installation succeeded.

Each bot includes a unique ID for the infected machine in the query string it sends to a control server. Doctor Web said its analysts used a sinkhole to redirect the botnet's traffic to servers under its own control and were thus able to count the infected hosts.
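The counting method described above, as an added example that is not from Doctor Web or the original article: a short script that reads sinkhole web-server logs, pulls the per-machine ID out of each beacon's query string, and counts distinct IDs rather than source addresses. The log format (Combined Log Format), the query parameter name `id`, the ID values and the sample lines are all constructed assumptions; the page only states that each bot sends a unique ID in its query string.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of sinkhole access-log lines (Combined Log Format).
# The "id" parameter name and the ID values are assumptions for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2012:09:12:01 +0000] "GET /stat/?id=AB12-CD34 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Apr/2012:09:12:31 +0000] "GET /stat/?id=AB12-CD34 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.44 - - [05/Apr/2012:09:13:05 +0000] "GET /stat/?id=EF56-0099 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.45 - - [05/Apr/2012:09:14:00 +0000] "GET /stat/?id=AB12-CD34 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Apr/2012:09:15:10 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.21"
"""

# Source IP, then the request line: method, target (path + query string).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def extract_bot_ids(log_text):
    """Return {bot_id: set(source_ips)} for requests that carry a bot ID.
    Lines without an "id" query parameter (scanners, crawlers) are ignored."""
    ids = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("target")).query)
        bot_id = query.get("id", [None])[0]
        if not bot_id:
            continue
        ids.setdefault(bot_id, set()).add(m.group("ip"))
    return ids


def count_infected(log_text):
    """Count infected hosts by distinct bot ID, not by source IP: a bot that
    beacons twice or moves between addresses (DHCP, NAT) is still one host."""
    return len(extract_bot_ids(log_text))


def count_source_ips(log_text):
    """Distinct source IPs that carried an ID, for comparison with the ID count."""
    return len({ip for ips in extract_bot_ids(log_text).values() for ip in ips})


if __name__ == "__main__":
    print("infected hosts by bot ID:", count_infected(SAMPLE_LOG))   # 2
    print("distinct source IPs:", count_source_ips(SAMPLE_LOG))     # 3
```

Counting by ID rather than by address is what keeps a host that re-beacons from a new IP from being counted twice, and keeps unrelated scanner traffic hitting the sinkhole out of the total.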

F-Secure has published a step-by-step guide to detecting and removing the malware on its site. An uninfected machine should display the following results:

F-Secure manual detection and removal of BackDoor.Flashback

Doctor Web advised Mac users to download and install the security patch recently released by Apple.

Tags: Active, Apple, BackDoor.Flashback, Dr Web, Flashback, Mac, malware, Sorokin Ivan, trojan
