Apple Mac Attack Began With Infected WordPress Sites
Security researchers watch for a possible Flashback comeback by the botnet operators.
The massive Flashback botnet of Mac machines originated from hacked and malware-rigged WordPress blog sites, researchers revealed Thursday.
There were between 30,000 and 100,000 WordPress sites infected in late February and early March, 85% of which are in the United States, said Vicente Diaz, senior security analyst for Kaspersky Lab, in a briefing.
Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.
Most researchers say a gradual decline in machines infected by the Trojan is still underway: As of Thursday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole.
Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day."
Flashback may be the largest known botnet made up of Apple Macintosh computers, and the outbreak of infections, mainly in the United States, appears to have ushered in the beginning of the end of the age of innocence for Mac users. While attacks on the Mac aren't new, this one was high-profile and widespread.
Word spread rapidly earlier this month that a massive botnet of Mac OS X machines was building, and it reached more than 700,000 machines before antivirus vendors, including Kaspersky Lab, F-Secure, and Symantec, issued their own detection and removal tools.
Apple issued an update to patch for the exploited vulnerability over the weekend. The Flashback malware exploits a known vulnerability in Java that had been patched by Oracle.
Apple did not respond to an inquiry for this article. Its updates for OS X Lion and Mac OS X v10.6 patch the Java implementation hole and remove Flashback, and Apple also provided an update for OS X Lion that removes Flashback from Macs that don't run Java.
Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)
Published: 2015-10-15 The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...
Published: 2015-10-15 Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.
Published: 2015-10-15 Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.
The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.
So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?
Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?
Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.