Apple Mac Attack Began With Infected WordPress Sites
The massive Flashback botnet of Mac machines originated from hacked and malware-rigged WordPress blog sites, researchers revealed Thursday.
There were between 30,000 and 100,000 WordPress sites infected in late February and early March, 85% of which are in the United States, said Vicente Diaz, senior security analyst for Kaspersky Lab, in a briefing.
Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.
Most researchers say a gradual decline in machines infected by the Trojan is still underway: As of Thursday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole.
Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day."
Flashback may be the largest known botnet made up of Apple Macintosh computers, and the outbreak of infections, mainly in the United States, appears to have ushered in the beginning of the end of the age of innocence for Mac users. While attacks on the Mac aren't new, this one was high-profile and widespread.
Word spread rapidly earlier this month that a massive botnet of Mac OS X machines was building, and it reached more than 700,000 machines before antivirus vendors, including Kaspersky Lab, F-Secure, and Symantec, issued their own detection and removal tools. Apple issued an update to patch for the exploited vulnerability over the weekend. The Flashback malware exploits a known vulnerability in Java that had been patched by Oracle.
Apple did not respond to an inquiry for this article. Its updates for OS X Lion and Mac OS X v10.6 patch the Java implementation hole and remove Flashback, and Apple also provided an update for OS X Lion that removes Flashback from Macs that don't run Java.
Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)
Comment |
Print |
More Insights
Comments
Newest First | Oldest First | Threaded View
re: Apple Mac Attack Began With Infected WordPress Sites
If it takes something like this (the infection) and the media covering it, as another poster says, in a manner such like gloating to get Mac users to wise up and actually think about security on their systems - Good!
Any and every system with an active network connection and the capability of connecting to the Internet is vulnerable. Period, end of story.
I've heard many users of "alternative" platforms (i.e. Mac, Linux, etc.) claim that their systems are basically invulnerable. That is FAR from true and the more exposure, education and understanding that can be derived from situations like this, the better. Right?
Andrew Hornback
InformationWeek Contributor
Any and every system with an active network connection and the capability of connecting to the Internet is vulnerable. Period, end of story.
I've heard many users of "alternative" platforms (i.e. Mac, Linux, etc.) claim that their systems are basically invulnerable. That is FAR from true and the more exposure, education and understanding that can be derived from situations like this, the better. Right?
Andrew Hornback
InformationWeek Contributor
re: Apple Mac Attack Began With Infected WordPress Sites
It's you. Look at like this, when a champ stumbles every publication is going to rush to analyze it, how could it happen and is the end of the era over? History is full of them, they did it with M. Ali, M. Jordan, S. Oneil, nothing special about it. On the other hand, can't remember an article from a Window's user stating they didn't need AV or antimalware of some sort and I do remember a few from MAC users. It's not gloating, it's simple fact. So from this article, is it WordPress security that should be of more concern.
re: Apple Mac Attack Began With Infected WordPress Sites
It is amusing to see the way 'WINDOWS' users are reacting.
re: Apple Mac Attack Began With Infected WordPress Sites
Is it just me or is Info Week (and the other PC mag's) just jumping up & down gloating about this malware?!!? Kinda cracks me up....one versus a million on the other platform! AND on the Mac, you have to give it permission and any idiot who logs in as an admin is, well, an idiot!
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated. Featured Writers
White Papers
Current Issue
Dark Reading's October Tech DigestFast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
0 Comments
Slideshows
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2358
Published: 2014-10-18
Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove admin...
CVE-2014-2647Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create administrative users, (2) remove admin...
Published: 2014-10-18
Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-3021Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published: 2014-10-18
IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie and authentication data via an unspecified HTTP method.
CVE-2014-3368IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie and authentication data via an unspecified HTTP method.
Published: 2014-10-18
Cisco TelePresence Video Communication Server (VCS) and Expressway Software before X8.2 allow remote attackers to cause a denial of service (device reload) via a high rate of crafted packets, aka Bug ID CSCui06507.
CVE-2014-3369Cisco TelePresence Video Communication Server (VCS) and Expressway Software before X8.2 allow remote attackers to cause a denial of service (device reload) via a high rate of crafted packets, aka Bug ID CSCui06507.
Published: 2014-10-18
The SIP IX implementation in Cisco TelePresence Video Communication Server (VCS) and Expressway Software before X8.1.1 allows remote attackers to cause a denial of service (device reload) via crafted SDP packets, aka Bug ID CSCuo42252.
The SIP IX implementation in Cisco TelePresence Video Communication Server (VCS) and Expressway Software before X8.1.1 allows remote attackers to cause a denial of service (device reload) via crafted SDP packets, aka Bug ID CSCuo42252.
In A First, Commerce Department Fines Intel Subsidiary For Exporting EncryptionApple Updates (not just Yosemite)What Microsoft's Agile Development Plans Mean for Application SecurityHacker-hunters finger 'Keyser Soze' of Russian underground card sales 'Malvertising' targets U.S. military firms in new twist on old web threat
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.
- Featured UBM Tech Sites
- InformationWeek |
- Network Computing |
- Dr. Dobbs |
- Dark Reading
- Our Markets:
- Business Technology |
- Electronics |
- Game & App Development
- Working With Us:
- Advertising Contacts |
- Event Calendar |
- Tech Marketing Solutions |
- Corporate Site |
- Contact Us / Feedback
Tweet This