12:18 PM

Flashback Malware Eradication Campaign Slower Than Expected

Efforts to remove infection from Apple computers is not as effective as security experts had hoped.

The campaign to eliminate the Flashback malware from Apple OS X devices has seen the number of infected machines decline from more than 600,000 at the peak of the infection. By Monday, Symantec reported that just 140,000 active infections were detected, and on Tuesday fewer than 99,000.

"The statistics from our sinkhole are showing declining numbers on a daily basis. However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case," read a blog post from Symantec Security Response.

While infections have already declined by over 80%, why haven't they gone down further and faster? "As there have been tools released by Symantec and other vendors in the past few days concerning this threat, the infection numbers should have seen a dramatic decrease by now," according to Symantec. Indeed, detection and eradication tools have been available for a week, and Apple released an automatic operating system upgrade Friday for OS X 10.6 and 10.7.

[ Read about Mozilla's approach to bolstering Firefox's security. See Firefox To Require Permission For Plug-Ins. ]

Flashback isn't something to take lightly. Notably, Flashback targets a Java vulnerability that was apparently reverse-engineered by attackers after Oracle patched the same flaw in Windows about two months ago. The attackers then used the flaw to facilitate malware drive-by attacks against Macs. Successfully infected computers, or "zombie Macs," get added to a botnet, which could push additional malicious code modules onto the computer. As Symantec noted, "The Flashback payload is considerably larger than the initial stage downloading component."

While security researchers are still unraveling how the malware works, one interesting feature they've found is that the malware can receive command and control (C&C) server contact details--essentially, learn new ways to dial home--via Twitter. According to Symantec, "one of the new features of the Trojan is that it can now retrieve updated C&C locations through Twitter posts by searching for specific hashtags generated by the OSX.Flashback.K hashtag algorithm."

The campaign to eliminate Flashback has moved quickly. After security watchers first spotted the malware, Apple last week broke with tradition--typically it says nothing about any security vulnerability in its products until it's released a fix--by announcing that it was in the process of coding a fix for Flashback. Other companies, including security firm Kaspersky, had already released tools for detecting Flashback (aka Flashfake)--with links to their free antivirus products for infected users to eradicate the malware.

But Apple upped the ante with a novel security strategy: disabling Java. In addition to updating the Java distribution for Apple OS X 10.6 and 10.7 to eliminate the bug exploited by Flashback, for 10.7 Apple also included a feature that disables Java if it hasn't been used for 35 days.

When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
Secure Application Development - New Best Practices
Secure Application Development - New Best Practices
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.