A lot has been going on with the whole Flashback (or “Flashfake”) malware fiasco, so I’ll do my best to sum everything up…
Conflicting Reports on # of Macs Infected with Flashback Malware
For a short period of time, it appeared that things were improving as Symantec had reported that the number of Macs infected with Flashback malware had dropped from 600,000+ to 140,000.
Kaspersky Lab also reported a decrease in the number of infections, stating that only 30,000 Macs were still under the influence of Flashback (aka Flashfake) malware.
However, these numbers didn’t match up with the latest report from Dr. Web, which still reflected an army of zombie Macs that was still over 500,000 machines strong.
Confused? Good, so was the rest of the world, which lead some to question on whether or not security firms were attempting to scare users into purchasing antivirus software.
So, what’s with the discrepancy?
Apparently, sinkholes setup by Symantec (and other companies) were receiving limited infection counts for Flashback.
Dr. Web reported that a server registered at IP address 18.104.22.168 (and controlled by an unidentified third-party) would communicate with the infected Macs, but never close the TCP connection. This was causing bots to switch to ‘standby’ mode as they wanted for a reply from the server, preventing them from communicating with other command and control servers (or sinkholes setup by various security companies tracking the malware).
That changed the number of infected machines observed by researchers, which ultimately lead to contradicting reports.
Researchers at Intego agreed with Dr. Web’s claims and went on to say that there are likely infected Macs that are not being accounted for and that there was a possibility that more Macs are being infected on a daily basis.
Fueling the fire of uncertainty, Intego also reported that some of the specific domains that Flashback malware attempts to contact resolve to 127.0.0.1 (or localhost), keeping the Mac from reaching the command & control servers and knocking the stats even further off-track.
There’s a New Flashback Variant Out There…
As if that weren’t aggravating enough, Intego also reported yesterday that they’d spotted a new variant of Flashback (Flashback.S) that continues to exploit Java vulnerability CVE-2012-0507, which was patched by Apple around two weeks ago.
Intego warns this latest Flashback variant is actively being distributed in the wild (likely via drive-by-downloads) and does not require a password to be installed.
During installation, Flashback.S will place its files in the user’s home folder, at the following locations:
Once the installation is complete, Flashback deletes all of the files and folders in ~/Library/Caches/Java/cache to remove the applet from the infected Mac and avoid detection or sample recovery.
Protect Yourself from Flashback Malware
If you haven’t done so already, I strongly recommend that you:
- Apply all of the security updates issued by Apple to remove common variants of Flashback, patch the Java vulnerabilities exploited by the Flashback malware, and disable Java browser plug-ins if they go unused for an extended period of time (Lion only).
- Consider disabling Java on your machine or toggle Java browser plug-ins as needed.
- Install antivirus software on your Mac. Sophos offers a free Mac antivirus solution, so you really don’t have an excuse for not doing it.
- Keep all software up-to-date and be careful of what files you download or websites you visit. Remember, you don’t have to visit a “shady” site to be infected by malware. Cybercriminals often use compromised sites to deliver malware via drive-by-downloads, including Flashback.
What measures are you taking to protect your Mac?