Russian anti-virus vendor Doctor Web has found that a trojan disguised as a Flash installer has infected at least 600,000 Apple Mac computers, including 274 machines in Cupertino, where Apple is headquartered.
Most of the machines infected by the BackDoor.Flashback trojan are located in the US (56.6%) and Canada (19.8%), with Doctor Web reporting that the UK is in third place (12.8%) and Australia in fourth with 6.1%.
According to Doctor Web, attackers began using two different Java vulnerabilities to spread the malware in February 2012, but switched to another exploit after March 16.
Oracle reportedly patched the vulnerability back in February, but Apple did not issue its fix to close the hole until April 3, 2012.
The exploit saves an executable file onto the hard drive of the infected Mac, Doctor Web explained. The file is used to download a malicious payload from a remote server and to launch it.
Doctor Web said the launched malware first searches the hard drive for the following components:
- /Library/Little Snitch
- /Applications/VirusBarrier X6.app
- /Applications/Packet Peeper.app
Only if these files are not found does the trojan execute a special routine to generate a list of control servers, to which it sends an installation success notification.
Each bot includes a unique ID for the infected machine in the query string it sends to a control server. Doctor Web said its analysts used sinkhole technology to redirect the botnet traffic to its own servers and thus were able to count infected hosts.
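The counting approach described above can be sketched as follows. This is an added example, not Doctor Web's tooling: it counts infected hosts from sinkhole access logs by bot ID rather than by source IP, since several Macs can share one NAT address and one Mac can change address. The log format, the `/stat` path, the `id` parameter name and the UUID-shaped ID are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sinkhole access-log lines (not real traffic).
# Assumed: the bot ID is sent in a query parameter named "id" and is UUID-shaped.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2012:10:00:01 +0000] "GET /stat?id=11111111-2222-3333-4444-555555555555 HTTP/1.1" 200 0
198.51.100.7 - - [05/Apr/2012:10:00:09 +0000] "GET /stat?id=AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE HTTP/1.1" 200 0
203.0.113.20 - - [05/Apr/2012:11:30:00 +0000] "GET /stat?id=11111111-2222-3333-4444-555555555555 HTTP/1.1" 200 0
203.0.113.21 - - [05/Apr/2012:19:02:00 +0000] "GET /stat?id=11111111-2222-3333-4444-555555555555 HTTP/1.1" 200 0
203.0.113.99 - - [05/Apr/2012:11:31:00 +0000] "GET /stat?id=test HTTP/1.1" 200 0
192.0.2.5 - - [05/Apr/2012:12:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
garbage line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
ID_RE = re.compile(r'^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$')

def count_bots(log_text, param="id"):
    """Count distinct bot IDs; ignore requests that carry no well-formed ID."""
    ips_by_id = defaultdict(set)
    rejected = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rejected += 1          # unparseable log line
            continue
        ip, target = m.groups()
        values = parse_qs(urlsplit(target).query).get(param, [])
        if len(values) != 1 or not ID_RE.match(values[0]):
            rejected += 1          # scanners, crawlers, malformed check-ins
            continue
        ips_by_id[values[0].upper()].add(ip)
    all_ips = {ip for ips in ips_by_id.values() for ip in ips}
    return {
        "unique_ids": len(ips_by_id),    # estimate of infected machines
        "unique_ips": len(all_ips),      # what an IP-based count would report
        "rejected": rejected,
        "roaming_ids": sorted(i for i, ips in ips_by_id.items() if len(ips) > 1),
    }

if __name__ == "__main__":
    print(count_bots(SAMPLE_LOG))
```

On the constructed sample, an IP-based count reports three hosts while the ID-based count reports two, because one machine checked in from three addresses and two machines shared one.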
F-Secure has published a step-by-step guide to detect and remove the malware on its site. An uninfected machine should display the following results:
Doctor Web advised Mac users to download and install the security patch recently released by Apple.