
Mother of all Mac botnets? BackDoor.Flashback.39 spreads

5 April 2012

Hardly. With 600,000 zombie Macs enslaved, doing no one knows what, this is hardly the world’s biggest botnet. However, it’s something of a wake-up call for fans of the fairer platform. Are you infected? Here’s how to check.

Russian security site Dr Web is reporting that a botnet created by the BackDoor.Flashback.39 trojan has taken over and enslaved somewhere in the neighborhood of 600,000 Macs, including a number in Cupertino — that’s more than a little embarrassing.

Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java applet containing an exploit.

That said, F-Secure has published a method for discovering if a Mac has been taken over. First, fire up Terminal — in your Mac’s Utilities folder — and then paste the following command(s) and hit enter:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

• If you get this result — The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist — you’re good.

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

• If you get this result — The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist — again, you’re good.

If you get any other result, click through to F-Secure for the full removal method.
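As an added example (not code from the original post or from F-Secure’s write-up), here is a POSIX shell script that runs the same two defaults read checks and classifies each result automatically. It assumes it runs in Terminal on OS X, where defaults(1) exists; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or F-Secure): runs the two
# `defaults read` indicator checks quoted above and classifies each result.
# Classify one check from the exit status of `defaults read` and the text it
# printed (stdout and stderr combined). Prints one word:
#   clean      - key absent (the "does not exist" message), the expected state
#   suspicious - the key exists; any other result needs F-Secure's removal steps
#   error      - defaults failed for some other reason (e.g. unreadable plist)
classify_defaults_result() {
    status="$1"
    output="$2"
    case "$output" in
        *"does not exist"*) echo clean ;;
        *) if [ "$status" -eq 0 ]; then echo suspicious; else echo error; fi ;;
    esac
}
# Run `defaults read DOMAIN KEY`, print the verdict, and return non-zero
# unless the key is absent. Raw output is shown whenever the result is not clean.
check_defaults_key() {
    domain="$1"
    key="$2"
    output=$(defaults read "$domain" "$key" 2>&1)
    status=$?
    verdict=$(classify_defaults_result "$status" "$output")
    printf '%s: defaults read %s %s\n' "$verdict" "$domain" "$key"
    if [ "$verdict" != clean ]; then
        printf '  output: %s\n' "$output"
    fi
    [ "$verdict" = clean ]
}
# The two indicators from the post; "$HOME/.MacOSX/environment" is the
# expanded form of ~/.MacOSX/environment. Returns 0 only if both are clean.
run_flashback_checks() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this check only applies on OS X" >&2
        return 2
    fi
    rc=0
    check_defaults_key /Applications/Safari.app/Contents/Info LSEnvironment || rc=1
    check_defaults_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=1
    return "$rc"
}
# Usage: sh flashback_check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_flashback_checks
    exit $?
fi
```

A non-zero exit status means at least one key was present or could not be read; in that case follow F-Secure’s full removal instructions rather than acting on the verdict alone.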

Additionally, Apple’s latest Java updates for OS X Lion and Snow Leopard patch the vulnerability used by BackDoor.Flashback.39 — get the update and obviate the attack.

For what it’s worth, given that most people don’t use Java daily, it can’t hurt to turn Java off until you actually need it.

Learning from the past

Back in 2009, a 250,000 Mac botnet was created by a pair of trojans — OSX.Trojan.iServices.A and OSX.Trojan.iServices.B — that spread via infected pirate copies of iWork ’09. In that case, users needed to voluntarily install the trojan.

The difference this time around is that BackDoor.Flashback.39 silently installs its botnet payload without any user interaction. That’s more than a little scary.

So, now would be a good time to check to see if you’ve been infected and, yeah, download and install the latest version of Java from Apple…

What’s your take?

Ars Technica
