Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Apple Mac Attack Began With Infected WordPress Sites

Meanwhile, researchers await a possible Flashback comeback by the botnet operators

The massive Flashback botnet of Mac machines originated from hacked and malware-rigged WordPress blog sites, researchers revealed today.

There were between 30,000 to 100,000 WordPress sites infected in late February and early March, 85 percent of which are in the U.S., said Vicente Diaz, senior security analyst for Kaspersky Lab, in a press briefing today.

Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.

Most researchers say a gradual decline in machines infected by the Trojan is still under way: As of yesterday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole.

Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," says Liam O Murchum, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day."

Flashback may be the largest known botnet made up of Apple Macintosh computers, and the outbreak of infections, mainly in the U.S., appears to have ushered in the beginning of the end of the age of innocence for Mac users. While attacks on the Mac aren't new, this one was high-profile and widespread.

Word spread rapidly earlier this month that a massive botnet of Mac OS X machines was building, and it reached more than 700,000 machines before antivirus vendors including Kaspersky Lab, F-Secure, and Symantec issued their own detection and removal tools. Apple issued an update to patch for the exploited vulnerability over the weekend. The Flashback malware exploits a known vulnerability in Java that had been patched by Oracle.

Apple did not respond to a press inquiry for this article. Its updates for OS X Lion and Mac OS X v10.6 patch the Java implementation hole and remove Flashback, and Apple also provided an update for OS X Lion that removes Flashback from Macs that don't run Java.

Kaspersky's Diaz says the biggest drop in infections came after Apple's update. Apple has been under fire for the late response to the flaw.

Symantec, meanwhile, hasn't seen infected WordPress sites used in the Flashback attack per se, but has seen URL redirections to the Flashback Trojan domains for spreading the malware. "We won't know how it was infected in the first place -- whether it was WordPress [or something else], but it was redirecting to the exploit pages distributing Flashback," Murchu says.

Murchu says the attackers behind Flashback demonstrated the same skills as those who target Windows -- an indication that the shift to the Mac OS X is just another business decision by cybercriminals looking for more ways to make money as the Mac becomes more mainstream.

"The techniques they used were like those who are skilled, or how an experienced virus-writer would use. Clearly, they had previously written malware before and more than likely for Windows," Murchu says. "They know how this works, injecting malware, redirecting users, and making money off that. They have transferred [that knowledge] over to the Mac."

But, wait, there's more: Both Kaspersky and Symantec have been studying targeted attack malware called SabPub written for the Mac OS X.

Costin Raiu, director of global researach and analysis for Kaspersky Lab, says Kaspersky found a single email targeting a pro-Tibetan supporter that contained two attachments that come rigged with the SabPub backdoor Trojan. Raiu says the attacks occurred in February, and that it's related to the LuckyCat APT campaign that targeted entities in Japan and India.

"The C&C server which was used by the SabPub malware is no longer active: It was shut down at the beginning of the week. Hence, infected users will have a 'dormant' malware on their machines, which awaits for C&C to come back to life," Raiu says.

"I presume that is because of the high number of attacks against Tibetan activists. Some of them probably switched to Macs as a way of escaping the attacks and mitigating the risks. The LuckyCat gang probably noticed this shift and decided to implement attacks than can also affect such targets," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/21/2012 | 11:39:28 PM
re: Apple Mac Attack Began With Infected WordPress Sites
As a side note, here is an interesting article on preventing common WordPress vulnerabilities:
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
4/21/2012 | 4:14:06 AM
re: Apple Mac Attack Began With Infected WordPress Sites
This is the same thing that happened at pown to own.- Any time you integrate the browser into the OS you are open up security vulnerabilities.- Microsoft has had issues like this for years.- Apple sacrificed security for useability.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Hunny, I looked every where for the dorritos. 
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...