Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Apple Mac Attack Began With Infected WordPress Sites

Security researchers watch for a possible Flashback comeback by the botnet operators.

The massive Flashback botnet of Mac machines originated from hacked and malware-rigged WordPress blog sites, researchers revealed Thursday.

There were between 30,000 and 100,000 WordPress sites infected in late February and early March, 85% of which are in the United States, said Vicente Diaz, senior security analyst for Kaspersky Lab, in a briefing.

Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.

Most researchers say a gradual decline in machines infected by the Trojan is still underway: As of Thursday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole.

Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day."

Flashback may be the largest known botnet made up of Apple Macintosh computers, and the outbreak of infections, mainly in the United States, appears to have ushered in the beginning of the end of the age of innocence for Mac users. While attacks on the Mac aren't new, this one was high-profile and widespread.

Word spread rapidly earlier this month that a massive botnet of Mac OS X machines was building, and it reached more than 700,000 machines before antivirus vendors, including Kaspersky Lab, F-Secure, and Symantec, issued their own detection and removal tools. Apple issued an update to patch for the exploited vulnerability over the weekend. The Flashback malware exploits a known vulnerability in Java that had been patched by Oracle.

Apple did not respond to an inquiry for this article. Its updates for OS X Lion and Mac OS X v10.6 patch the Java implementation hole and remove Flashback, and Apple also provided an update for OS X Lion that removes Flashback from Macs that don't run Java.

Read the rest of this article on Dark Reading.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
4/25/2012 | 12:41:00 AM
re: Apple Mac Attack Began With Infected WordPress Sites
If it takes something like this (the infection) and the media covering it, as another poster says, in a manner such like gloating to get Mac users to wise up and actually think about security on their systems - Good!

Any and every system with an active network connection and the capability of connecting to the Internet is vulnerable. Period, end of story.

I've heard many users of "alternative" platforms (i.e. Mac, Linux, etc.) claim that their systems are basically invulnerable. That is FAR from true and the more exposure, education and understanding that can be derived from situations like this, the better. Right?

Andrew Hornback
InformationWeek Contributor
MyW0r1d
MyW0r1d,
User Rank: Apprentice
4/23/2012 | 8:03:12 PM
re: Apple Mac Attack Began With Infected WordPress Sites
It's you. Look at like this, when a champ stumbles every publication is going to rush to analyze it, how could it happen and is the end of the era over? History is full of them, they did it with M. Ali, M. Jordan, S. Oneil, nothing special about it. On the other hand, can't remember an article from a Window's user stating they didn't need AV or antimalware of some sort and I do remember a few from MAC users. It's not gloating, it's simple fact. So from this article, is it WordPress security that should be of more concern.
Aden11
Aden11,
User Rank: Apprentice
4/23/2012 | 2:37:59 PM
re: Apple Mac Attack Began With Infected WordPress Sites
It is amusing to see the way 'WINDOWS' users are reacting.
tuckbodi
tuckbodi,
User Rank: Apprentice
4/20/2012 | 4:53:33 PM
re: Apple Mac Attack Began With Infected WordPress Sites
Is it just me or is Info Week (and the other PC mag's) just jumping up & down gloating about this malware?!!? Kinda cracks me up....one versus a million on the other platform! AND on the Mac, you have to give it permission and any idiot who logs in as an admin is, well, an idiot!
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-36030
PUBLISHED: 2022-08-20
Project-nexus is a general-purpose blog website framework. Affected versions are subject to SQL injection due to a lack of sensitization of user input. This issue has not yet been patched. Users are advised to restrict user input and to upgrade when a new release becomes available.
CVE-2022-2789
PUBLISHED: 2022-08-19
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulnerable to CWE-345 Insufficient Verification of Data Authenticity, and can display logic that is different than the compiled logic.
CVE-2022-2790
PUBLISHED: 2022-08-19
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-347 Improper Verification of Cryptographic Signature, and does not properly verify compiled logic (PDT files) and data blocks data (BLD/BLK files).
CVE-2022-2792
PUBLISHED: 2022-08-19
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-284 Improper Access Control, and stores project data in a directory with improper access control lists.
CVE-2022-2793
PUBLISHED: 2022-08-19
Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol.