Are you a Mac zombie?

Sometimes when dealing with the so-called Mac faithful -- diehard users who relentlessly demean and attack anyone (reporters, particularly) who doesn't share their unquestioning enthusiasm -- I think of the "Walking Dead"; TV show or comic, it's your choice. Nothing stops their relentless, mindless walk. As if there weren't zombies enough, cybercriminals have unleashed another kind that is much worse.

Late last week, I started following progress of a new Trojan injected via rogue Java applet. Flashback is a variant of older malware and Apple issued a patch, so I chose not to write about it. Whoa, that was a mistake. Yesterday, Russian security firm Dr. Web claimed that more than 600,000 Macs are infected and part of a sophisticated botnet. Cybercriminals have amassed a sizable army of zombie Macs. Let me take a moment to welcome Mac users to zombieland -- a place many Windows users have lived for years.

No One is Safe

Trojans are nothing new, they're just not as common on Mac OS as Windows, but they're increasingly common enough for concern. For all the other Mac zombies -- let's call them the Walking Dead for differentiation -- who claim there is no Mac malware, 600,000-plus is nothing, nothing. Close your eyes and wish them away.

Two May 2011 BetaNews polls found that eight out of 10 Mac users don't have anti-malware installed, while as many Windows users do. I've started the polls anew, to see what's changed, if anything, in 11 months. Please respond to them. The Walking Dead aren't only to blame here as I explained last year: "Apple has created, by asserting things like 'Mac OS X doesn't get PC viruses,' a false sense of Mac security".

"Despite what Apple's marketing department would have you believe, Macs are not invulnerable to attacks and malware targeting OS X does exist", security consultant Adrian Sanabria explains. "Our main takeaway from [Flashback] should be that many Mac users have been lured into a false sense of security, and will be, or may already be, in for a rude awakening".

Think about something. From where is the Mac install base growing? Windows users. Apple executives consistently say that half of Mac buyers are Windows users. As Mac Defender showed last year, successful Mac malware uses the same social engineering techniques common to Windows PCs. Windows users bring bad habits to the Mac, which Mac Defender showed can be exploited as easily on Apple computers as Windows PCs.

Then there is the Walking Dead and other long-time Mac users who aren't accustomed to their computers being assaulted. They're naive and leave the windows open and doors unlocked, so to speak. They feel safe when they shouldn't and don't know what behavior creates risk. Yes, I'm generalizing, but the point is valid.

Risks increase with malware success. Botnets this size are self-propogating. Cyberciminals can use a large botnet to attack and infect other computers. Can this one be taken down? We shall see.

Flashback to Terror

Initially, Dr. Web reported 550,000 Macs in the botnet but later updated the number to more than 600,000, get this, with "274 bots from Cupertino" -- the city presumably referring to Apple, as it's common shorthand.

SEO poisoning spread the last big malware outbreak. Similarly, Flashback spreads through compromised websites. Dr. Web explains:

Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web's virus analysts discovered a large number of web-sites containing the code.

More than half of the compromised computers are in the United States and more than three quarters in North America.

More specifically, how are Macs infected? Security vendor F-Secure explains:

Trojan-Downloader:OSX/Flashback.I is dropped by malicious Java applets that exploit the known CVE-2011-3544 vulnerability.

On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.

If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server.

F-Secure also offers detailed instructions to detect and remove Flashback.

Apple has patched the vulnerability but took six weeks doing so. Meanwhile, like Mac Defender, new Flashback variants spread. Will you be a Mac zombie, or are you one already? Now might be a good time to invest in a Mac anti-malware app.