Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Malware Makes Manifold Mac Attacks That Infect 600,000 Macs – Now That’s Nothing to Sneeze At

By ThreatMetrix

Doctor Web, a Russian antivirus company, reports that 600,000 Macs have been infected with malware that leaves them open to being hijacked and used as part of a “botnet.” Adding insult to injury, 274 of the infected computers appear to be located in Apple’s backyard, Cupertino, California, where the company’s headquarters are located.

According to Lucian Constantin in IDG News, “Over 300,000 of the … infected Macs, or 56 percent of the total, are located in the United States, while over 100,000 are located in Canada. … The U.K. and Australia are next, with 68,000 and 32,000 infected Macs, respectively.” Therefore, it appears that English-speaking users were the primary targets.

Infecting the Macs is the Flashback Trojan, which was first detected last September masquerading as a Flash Player update. That version had to be downloaded and run by the user before it could deactivate some of the Mac’s security software. The current, improved version exploits weaknesses in the Java programming language that allow the code to be installed from malicious websites without any user interaction. Once installed, the Trojan sends a message to the cybercriminal’s control server containing a unique ID that identifies the infected machine.

Doctor Web discovered how many machines were infected by hijacking part of the Flashback botnet through sinkholing, the method in which the “good guys” take control of a domain name associated with a particular threat. Once in control of the domain, they receive the traffic the infected machines intended for the cybercriminal’s original server and redirect it to their own. Instead of the bad guy receiving the victim’s stolen personal information or issuing new commands to bot-infected devices, the good guys have control, and every unique ID that checks in is one more infected machine counted.
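The counting side of a sinkhole, as an added example that is not Doctor Web’s code or data: each bot check-in carries its unique ID, so the sinkhole operator must count distinct IDs rather than raw requests, because one infected Mac beacons repeatedly. The log line format, the `/rep?id=` request path and the country codes (assumed to come from a GeoIP lookup on the source address) are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: one line per request received by the sinkhole.
# Fields: timestamp, source IP, country code (assumed GeoIP result), and the
# request line. The /rep?id=<bot id> shape is invented for this example; the
# last line is a health check, not a bot, and must not be counted.
SINKHOLE_LOG = """\
2012-04-05T10:00:01Z 198.51.100.7 US GET /rep?id=7f3a9c01
2012-04-05T10:00:04Z 203.0.113.22 CA GET /rep?id=b8d2e4aa
2012-04-05T10:05:01Z 198.51.100.7 US GET /rep?id=7f3a9c01
2012-04-05T10:06:17Z 192.0.2.45 GB GET /rep?id=c44e0f19
2012-04-05T10:07:30Z 198.51.100.88 US GET /rep?id=1122de77
2012-04-05T10:12:03Z 203.0.113.22 CA GET /rep?id=b8d2e4aa
2012-04-05T10:15:00Z 192.0.2.45 GB GET /healthz
"""

# Only lines that look like a bot check-in match; everything else is ignored.
BEACON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cc>[A-Z]{2}) GET /rep\?id=(?P<bot>[0-9a-f]{8})$"
)


def parse_beacons(log_text):
    """Yield (bot_id, country) for each line that is a bot check-in."""
    for line in log_text.splitlines():
        m = BEACON_RE.match(line.strip())
        if m:
            yield m.group("bot"), m.group("cc")


def count_infections(log_text):
    """Return (unique_bots, beacon_count, per_country).

    unique_bots  - number of distinct bot IDs, i.e. infected machines
    beacon_count - raw number of check-ins (overcounts machines)
    per_country  - Counter of distinct bot IDs by the country first seen
    """
    first_seen = {}   # bot id -> country of its first check-in
    beacon_count = 0
    for bot_id, cc in parse_beacons(log_text):
        beacon_count += 1
        first_seen.setdefault(bot_id, cc)
    return len(first_seen), beacon_count, Counter(first_seen.values())


if __name__ == "__main__":
    print(count_infections(SINKHOLE_LOG))  # (4, 6, Counter({'US': 2, 'CA': 1, 'GB': 1}))
```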

Oracle, which developed Java, issued a fix in February, but it did not reach Macs because Apple manages the Java updates for its own computers. More than eight weeks after the Oracle fix, Apple released its own security update, which can be installed by clicking the Software Update icon in the System Preferences panel. Mac users have the choice of installing the fix or uninstalling Java completely.
