Attacks/Breaches
4/20/2012
10:23 AM
50%
50%

Apple Mac Attack Began With Infected WordPress Sites

Security researchers watch for a possible Flashback comeback by the botnet operators.

The massive Flashback botnet of Mac machines originated from hacked and malware-rigged WordPress blog sites, researchers revealed Thursday.

There were between 30,000 and 100,000 WordPress sites infected in late February and early March, 85% of which are in the United States, said Vicente Diaz, senior security analyst for Kaspersky Lab, in a briefing.

Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.

Most researchers say a gradual decline in machines infected by the Trojan is still underway: As of Thursday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole.

Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day."

Flashback may be the largest known botnet made up of Apple Macintosh computers, and the outbreak of infections, mainly in the United States, appears to have ushered in the beginning of the end of the age of innocence for Mac users. While attacks on the Mac aren't new, this one was high-profile and widespread.

Word spread rapidly earlier this month that a massive botnet of Mac OS X machines was building, and it reached more than 700,000 machines before antivirus vendors, including Kaspersky Lab, F-Secure, and Symantec, issued their own detection and removal tools. Apple issued an update to patch for the exploited vulnerability over the weekend. The Flashback malware exploits a known vulnerability in Java that had been patched by Oracle.

Apple did not respond to an inquiry for this article. Its updates for OS X Lion and Mac OS X v10.6 patch the Java implementation hole and remove Flashback, and Apple also provided an update for OS X Lion that removes Flashback from Macs that don't run Java.

Read the rest of this article on Dark Reading.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/25/2012 | 12:41:00 AM
re: Apple Mac Attack Began With Infected WordPress Sites
If it takes something like this (the infection) and the media covering it, as another poster says, in a manner such like gloating to get Mac users to wise up and actually think about security on their systems - Good!

Any and every system with an active network connection and the capability of connecting to the Internet is vulnerable. Period, end of story.

I've heard many users of "alternative" platforms (i.e. Mac, Linux, etc.) claim that their systems are basically invulnerable. That is FAR from true and the more exposure, education and understanding that can be derived from situations like this, the better. Right?

Andrew Hornback
InformationWeek Contributor
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
4/23/2012 | 8:03:12 PM
re: Apple Mac Attack Began With Infected WordPress Sites
It's you. Look at like this, when a champ stumbles every publication is going to rush to analyze it, how could it happen and is the end of the era over? History is full of them, they did it with M. Ali, M. Jordan, S. Oneil, nothing special about it. On the other hand, can't remember an article from a Window's user stating they didn't need AV or antimalware of some sort and I do remember a few from MAC users. It's not gloating, it's simple fact. So from this article, is it WordPress security that should be of more concern.
Aden11
50%
50%
Aden11,
User Rank: Apprentice
4/23/2012 | 2:37:59 PM
re: Apple Mac Attack Began With Infected WordPress Sites
It is amusing to see the way 'WINDOWS' users are reacting.
tuckbodi
50%
50%
tuckbodi,
User Rank: Apprentice
4/20/2012 | 4:53:33 PM
re: Apple Mac Attack Began With Infected WordPress Sites
Is it just me or is Info Week (and the other PC mag's) just jumping up & down gloating about this malware?!!? Kinda cracks me up....one versus a million on the other platform! AND on the Mac, you have to give it permission and any idiot who logs in as an admin is, well, an idiot!
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.