As many as 100,000 WordPress blogs infected 700,000 Macs with malware
If computer security is your thing -- it really should be everyone's -- and you own a Mac, Kaspersky's analysis of Flashfake malware, also called Flashback, is a must-read. Gasp, this is only part one. There's more to come from the security software developer.
Flashfake's success -- Kaspersky raises the number of infected Macs to 700,000 from previous 600,000 estimates -- is bigger than the obvious conclusion that Apple computers aren't safe havens from cybercriminals. Late last week, Apple released a Flashfake removal tool that, contrary to earlier reports, failed to substantially reduce the botnet. But as many as 100,000 infected WordPress blogs, the majority in the United States, lie in wait for unpatched Macs or even a Flashfake variant that unleashes another outbreak. Like last year's MacDefender outbreak, cybercriminals used tactics tried and proven against Windows users.
Before March, Flashfake bothered few Mac users because the attack vector was largely social engineering. All that changed thanks in part to current Apple security policies. Flashback exploits a Java vulnerability that Apple could have patched sooner but didn't.
Last week I praised Apple for disabling the Java plug-in with the most recent update. Now I'm not so sure, since in the context of Alexander Gostev's analysis Apple really covers its ass more than protects Mac users. That's because "Apple never uses patches from Oracle and creates its own patches to close Java vulnerabilities", he explains. Oracle patched the vulnerability in February, while Apple got round to it in April. "This practice of releasing patches with delays of about two months is traditional for Apple".
Apple's Lion security page claims: "OS X has you covered...With virtually no effort on your part, OS X offers a multilayered system of defenses against viruses and other malicious applications, or malware". OS X hasn't got you covered, if Apple doesn't take readily available Java patches, waiting to produce its own instead. The adage Apple's way or the highway will get you run down.
Gostev, who heads Kaspersky's Global Research and Analysis Team, explains what happened next:
In order to spread Flashfake in March 2012, its authors made use of a cybercriminal partner program that appears to be of Russian origin. The partner program was based on script redirects from huge numbers of legitimate websites all over the world. Around the end of February/early March 2012, tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using vulnerable versions of WordPress or they had installed the ToolsPack plugin. Websense put the number of affected sites at 30,000, while other companies say the figure could be as high as 100,000. Approximately 85 percent of the compromised blogs are located in the US.
Code was injected into the main pages when the blogs were hacked...As a result, when any of the compromised sites were visited, a partner program TDS was contacted. Depending on the operating system and browser version, the browser then performed a hidden redirect to sites in the rr.nu domain zone that had the appropriate set of exploits installed on them to carry out an infection.
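The chain Gostev describes starts with code injected into a blog's front page that quietly pulls in a redirect to a host in the rr.nu zone. As an added detection-side example (mine, not Kaspersky's or the article's), the Python below scans a page's HTML for script or iframe references, including ones written by inline scripts, whose host resolves into that zone; the sample page is constructed, and the document.write pattern and tag names are assumptions about what such an injection looks like.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Domain zone the hidden redirects pointed to, per the analysis quoted above.
SUSPECT_ZONE = "rr.nu"

class InjectionScanner(HTMLParser):
    """Collects script/iframe sources and URLs inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self._check(tag, a["src"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies, e.g. document.write() of a second script tag.
        if self._in_script:
            for url in re.findall(r"""https?://[^\s'"<>]+""", data):
                self._check("inline-script", url)

    def _check(self, kind, url):
        host = urlparse(url).hostname or ""
        if host == SUSPECT_ZONE or host.endswith("." + SUSPECT_ZONE):
            self.findings.append((kind, url))

def scan_html(html):
    """Return (where, url) pairs for every reference into the suspect zone."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a legitimate local jQuery include, one injected
# inline script and one hidden 1x1 iframe (hypothetical hostnames).
SAMPLE_PAGE = """<html><head><title>Example blog</title>
<script src="/wp-includes/js/jquery.js"></script>
<script>document.write('<script src="http://abc123.rr.nu/counter.php"><\\/script>')</script>
</head><body><h1>Posts</h1>
<iframe src="//xyz.rr.nu/in.php" width="1" height="1"></iframe></body></html>"""
```

Because the redirect fired only for certain OS and browser combinations, fetch the page with several User-Agent strings before concluding a blog is clean.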
He goes on to describe in detail the process of infection, which I encourage reading over your late-morning coffee and bagel (breakfast sandwich or cinnamon roll). But the main point is this: drive-by downloads spread the malicious code -- something users of older Windows versions see but that is much, much less common on Vista or 7. Mac Defender, which largely spread by SEO poisoning, used a similar infection tactic.
There has been much buzz this week about there being more Mac malware or increasing vulnerabilities in OS X. That's BS. OS X and Windows 7 are both fairly hardened operating systems. Flashback's success spotlights people problems instead:
1. Apple's response is inadequate. The company doesn't patch vulnerabilities fast enough, as both Flashback and Mac Defender demonstrate. Meanwhile Apple doesn't disclose enough information to end users. In both outbreaks, Apple either failed to acknowledge a security problem existed or waited too long to do so.
2. OS X marketing creates a false sense of security among Mac users. Apple propagates the myth Macs are safe from malware with statements like "OS X has you covered" or "OS X doesn't get PC viruses". Better security is one reason many people switch to the Mac, where they're lulled into believing they're safe. Meanwhile long-time Mac users already are believers.
3. Most Mac users don't use anti-malware. That's the finding of BetaNews polls conducted in May 2011 and earlier this month. Seventy-four percent of respondents say they do not have anti-malware software installed on their primary Mac. Ninety-two percent of Windows users do. If Apple isn't adequately protecting Mac users, they need to look after themselves. They don't.
4. Half of new Mac users come from Windows. From where is the Mac install base growing? Windows users. Apple executives consistently say that half of Mac buyers are Windows users. As both malware outbreaks demonstrate, the same social engineering techniques common to Windows PCs are used. Windows users bring bad habits to the Mac, which Flashback and Mac Defender show can be exploited as easily on Apple computers as Windows PCs. Those habits are deadly for users lulled into a sense of safety and not using anti-malware.
Editor's Note: After posting, Dr. Web released startling new data that shows Flashback still infects more than 500,000 Macs. That is after the release of Apple's tool for removing the Trojan.