Apple taking technical, legal action against Flashback malware
In an update to its support site, the company said that it is “developing software that will detect and remove the Flashback malware.”
The company is also marshaling legal tools for the fight. In its update, the company said: “The Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.” However, at least one of the servers that has already been disabled was reportedly a “sinkhole” developed by researchers at Russian firm Dr. Web, which initially uncovered the malware. That server was being used to intercept traffic from the botnet spawned by Flashback in order to find more details about the malware.
Apple’s update comes a week after the company released security updates to Java in order to defend against Flashback, and suggests that the malware continues to pose one of the biggest challenges to Mac security in recent memory. Flashback first emerged in September as a Trojan horse that masqueraded as a Flash Player installation package for OS X Lion, and—combined with the MacDefender malware—helped make 2011 the “most active year for Mac malware since Mac OS X was released,” according to security firm Intego.
Flashback has persisted well into 2012; a new variant revealed this month can infect computers with little more than a visit to the wrong website. A vulnerability in Java, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password. Though the security hole was patched in Java in February, the fix didn’t make its way to Macs until Apple released its own Java update last week.
This isn’t the first time in recent memory that Apple has had to take steps to fight back against malware. Last May the company released a security update to help exorcise the MacDefender Trojan horse from Macs. That update was also designed to offer further protection in the future by beefing up the malware detection system first included in Snow Leopard, but that File Quarantine system is aimed primarily at apps that a user would unwittingly download—the Java vulnerability allowed Flashback to sidestep the system entirely, because no download prompt was ever shown. In other words, reinforcing your door is a great way to make you safer right up until someone breaks in through a window.
Apple’s forthcoming removal tool will join a number of third-party solutions that have been offered to combat the attacks. As bloggers at Cult of Mac noted, OpenDNS is now blocking Flashback’s attempts to “call home” once it has installed itself on a new host computer. Last week, security firm F-Secure published a set of Terminal commands to uncover the infection, and on Monday an independent programmer released a Mac app that can check for the infection as well. Security researchers at Kaspersky Lab are offering yet another approach: a website into which you can paste your Mac’s unique identifier to see if you’re afflicted by Flashback. The site will also check that you have the latest Java update installed, and are thus safe from further infection; otherwise it will prompt you to run Apple’s Software Update.
If Flashback has descended upon your Mac, Kaspersky also offers a free removal tool and, of course, sells a commercial anti-virus product as well. For those looking to protect themselves even further, one Kaspersky expert has posted a list of ten steps Mac users can take to reduce their risk of future infections.