Apple Offers Support While Kaspersky Gives Free Detection and Removal For Flashback (Flashfake) Trojan

After more than 600,000 Macs were found infected with the Flashback (Flashfake) Trojan-Downloader, Apple finally published a support page on preventing Java-based Trojan infections. This is the largest Mac botnet reported to date and likely a sign of more to come. Anti-virus company Kaspersky identified a new mutation of the Flashback botnet and gave it the codename Flashfake. Flashback was first flagged as a Java-related Trojan-Downloader as early as September last year.

Apple says it's still working on a removal tool, but Kaspersky is offering detection and removal for free


Preventing Flashback (Flashfake) Infection

Apple advised OS X v10.7 and Mac OS X v10.6 users to run Software Update and install the latest Java security fix. Patching closes the hole the Trojan uses to get in, so it stops new infections through this vector, but it does not clean a Mac that is already compromised, and Apple did not say when it will release a removal tool; they're still working on it. Users on Mac OS X v10.5 or earlier, for which no Java update is available, were advised to disable Java in their web browsers.

Apple is developing software that will detect and remove the Flashback malware. In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.

Detecting, Removing Flashback (Flashfake)

Kaspersky, on the other hand, released a free online infection check and a downloadable removal tool this Monday. Users can check online whether their Mac is among the known bots and then download the removal tool to clean the Trojan off their computers.

Users have to find and copy their Mac's hardware universally unique identifier (UUID): choose About This Mac from the Apple menu, click More Info..., click System Report, and read the Hardware UUID line in the Hardware Overview. Kaspersky asks for this UUID and checks it against the database of UUIDs its sinkhole server recorded. If the ID is in the database, that Mac has been compromised. The reverse does not hold: a Mac whose bot never contacted Kaspersky's server during the logging window will not be in the database, so a miss is not proof the machine is clean.

Tracking Down the Trojan-Downloader

The Kaspersky team reverse-engineered the Trojan, registered one of the domain names the bot contacts so that their own server would receive and log the bot requests (a sinkhole), and from those logs worked out what the bots were sending from infected Macs, according to Kaspersky Lab Expert Igor Soumenkov.

Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.
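The two procedures above, counting bots and IP addresses in the sinkhole logs and checking a given Mac's hardware UUID against the recorded set, can be reproduced over a handful of constructed log lines. The script below is an added example written for this page, not Kaspersky's code. The page says only that every bot request carries the Mac's hardware UUID; the exact request shape used here (a GET with a uuid query parameter, logged in Common Log Format) is an assumption made for the example, and the addresses and UUIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sinkhole access-log lines (Common Log Format). The request shape,
# a GET with a "uuid" query parameter, is an assumption made for this example;
# the page only states that every bot request carries the hardware UUID.
SINKHOLE_LOG = """\
203.0.113.10 - - [06/Apr/2012:10:01:02 +0000] "GET /?uuid=0C5B8F3A-1D2E-4F60-9A7B-3C4D5E6F7A81 HTTP/1.1" 200 12
203.0.113.10 - - [06/Apr/2012:10:01:07 +0000] "GET /?uuid=0C5B8F3A-1D2E-4F60-9A7B-3C4D5E6F7A81 HTTP/1.1" 200 12
198.51.100.7 - - [06/Apr/2012:10:02:15 +0000] "GET /?uuid=7E1A9B2C-3D4E-4F50-8A6B-1C2D3E4F5A62 HTTP/1.1" 200 12
198.51.100.7 - - [06/Apr/2012:10:02:19 +0000] "GET /?uuid=B5C6D7E8-F9A0-4B1C-8D2E-3F4A5B6C7D83 HTTP/1.1" 200 12
192.0.2.44 - - [06/Apr/2012:11:30:00 +0000] "GET /?uuid=0c5b8f3a-1d2e-4f60-9a7b-3c4d5e6f7a81 HTTP/1.1" 200 12
192.0.2.45 - - [06/Apr/2012:11:31:10 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# Client IP, then the UUID from the query string; everything else is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET [^" ]*[?&]uuid=(?P<uuid>[0-9A-Fa-f-]{36})'
)


def parse_sinkhole_log(text):
    """Return (ip, uuid) pairs for every request that carries a hardware UUID.
    Lines without one (crawlers, favicon fetches, probes) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise case so the same Mac is never counted twice.
            records.append((m.group("ip"), m.group("uuid").upper()))
    return records


def summarize(records):
    """Count active bots (unique UUIDs) and the external IPs they used."""
    ips_by_uuid = defaultdict(set)
    uuids_by_ip = defaultdict(set)
    for ip, uuid in records:
        ips_by_uuid[uuid].add(ip)
        uuids_by_ip[ip].add(uuid)
    return {
        "requests": len(records),
        "unique_bots": len(ips_by_uuid),
        "unique_ips": len(uuids_by_ip),
        # One Mac seen from several addresses (DHCP churn, a laptop on the move);
        # this is why the IP count can exceed the bot count.
        "roaming_bots": {u for u, ips in ips_by_uuid.items() if len(ips) > 1},
        # One address fronting several Macs (a home or corporate NAT gateway).
        "shared_ips": {ip for ip, us in uuids_by_ip.items() if len(us) > 1},
    }


def is_compromised(hardware_uuid, records):
    """The online check: was this Mac's UUID ever seen phoning the sinkhole?
    A miss is not proof of a clean machine; only bots that reached the
    sinkholed domain during the logging window appear in the data."""
    return hardware_uuid.upper() in {uuid for _, uuid in records}


if __name__ == "__main__":
    recs = parse_sinkhole_log(SINKHOLE_LOG)
    print(summarize(recs))
    print(is_compromised("0c5b8f3a-1d2e-4f60-9a7b-3c4d5e6f7a81", recs))
```

The roaming and shared-address sets are the reason the raw numbers above differ: a bot counted once by UUID can appear behind several external addresses over a day, while several Macs behind one NAT gateway share a single address.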

Soumenkov also gave a table listing the distribution of active Flashback (Flashfake) bots:

Trojan-Downloader Mission

The Flashback (Flashfake) Trojan-Downloader originally infected computers by posing as an Adobe Flash Player update and asking the user for permission to proceed with the install. The variants behind this outbreak no longer need that click: they exploit the unpatched Java flaw from compromised websites, so simply visiting one of those pages in a browser with Java enabled is enough. Once installed, the Trojan establishes a connection with its botnet command and control (C&C) server.

The C&C connection then opens the door to downloading additional components and uploading information from the infected machine, including its IP address, its hardware UUID, passwords, credit card details and other sensitive data. Given enough time, the operators of the botnet can effectively take control of an infected Mac.

Prevalent Threat to Macs Everywhere

In 2009, the iWork Trojan infected around 20,000 Macs whose owners downloaded a pirated copy of iWork '09. That, too, was a botnet whose bots connected to a C&C server to upload valuable data and download additional components.

For this latest (and biggest) attack, Apple was slow to respond. Oracle had already patched this Java flaw for Windows and other platforms weeks earlier, but Apple ships its own build of Java and did not release the corresponding update until April, even though Mac infections had been reported as early as January.

With thousands of compromised websites serving this Java exploit, the best thing to do is to install the Java update from Apple as soon as it is offered through Software Update, and to keep Java disabled in your browsers until you have it. Do not accept any "Flash Player update" or other installer a website pushes at you; get updates only from the vendor's own update mechanism.

The growth in Apple's installed base now makes it a juicy target for attackers who were previously busy with Windows PCs. Windows has long been the favorite hunting ground because of its huge install base and the many vulnerabilities found in it over the years. With great exposure comes great opportunity for intrusion, and Apple would be wise to learn from the oft-battered Windows defensive playbook: fast patching, exploit mitigations and built-in malware detection.