Security Beat: More Flashback, Busting of Myths, and Other Related News

Welcome, again, to the Security Beat! Last month, this column was devoted to the “Flashback” trojan – a particularly nasty piece of software unpleasantness that has, according to numerous reports, found a home in over 500,000 (that’s half a million!) Macs, most of them in the US. I hope you will indulge me for one more month, as I go over some items of interest related to this trojan, and some of the underlying “conventional wisdom” about security on Macs that it has busted:

Macs are “immune” to viruses. True, Flashback isn’t a virus (technically, it is a trojan). Also true, Flashback targeted vulnerabilities in Java, a third-party application. However, Java is bundled with and (until Lion) installed as part of the OS X standard installation, and (until just recently) Apple provided all updates (patches) for Java, instead of Oracle. But, let’s not mince words here: while this may not be the Macpocalypse many were fearing/looking forward to, it is definitely a wake-up call. Macs can be taken over by the bad guys, and if we want to keep them out, we are going to have to take steps toward that end.

The bad guys have no reason to target Macs: Windows PCs are their preferred target. OK, admittedly, there are still a lot more Windows machines out there, which translates to a larger attack surface. However, analysis of the botnet created by the Flashback trojan found that it potentially generated over $10,000 per day in revenue for its owners. It did this by hijacking Google searches, and under certain circumstances redirected the user to a different page, where the botnet operator received revenue for the click. Yes, Virginia, the purpose of this malware was criminal click fraud.

“Safe online behavior” is enough. Once upon a time, you could keep your PC (or Mac) safe by staying away from the seedier parts of the ‘Net. Avoid the hacker hangouts, warez downloads, gambling and pr0n sites – this was the mantra of the day. Did you know, however, that a recent report shows that church sites are more likely to infect computers than porn sites? According to a report from Symantec, “websites with religious or ideological themes were three times more likely to carry viruses than those with pornography or other adult content. Oftentimes, they’ve been ‘booby-trapped’ with malicious code inserted by hackers.” This was, if I recall, the method used to infect Macs with Flashback (and I do recall correctly: the sources of the infection were actually booby-trapped WordPress pages. Many non-profit sites run on WordPress; in fact, we are working to migrate the HAAUG site over to this platform.)

Macs “don’t need no stinkin’ CPU-sucking security software”. While some Mac old-timers may hang on to this belief, there are valid reasons for Mac users to have security software running. Flashback proved the business case for making malware targeting Macs. One would presume that other bad guys took notice, and will soon be looking to worm their way into your Apple. In addition, while Macs may not be infected as often (or to the same extent) as their Windows brethren, they can (and do) act as carriers and “safe harbors” for Windows malware. Security firm Sophos recently studied 100,000 Macs, and found that 20% of them were carrying one or more instances of Windows malware. I will tell you right now that I have been running the free Sophos Anti-Virus for Mac* for some time now, and it is not uncommon for it to find Windows malware in my incoming email. Were I to somehow forward one of those, and it ended up starting an outbreak at somebody’s company, the impact could be severe (and I should know this: as an IT Security professional, I have had to deal with virus outbreaks caused when someone opened an email and clicked something they shouldn’t. Despite all the user awareness training, and despite our considerable investment in security systems, it happens.) Let’s face it: Macs these days are much more powerful than they used to be, and they are attracting a lot of “converts” from the Windows world. These new users, alas, sometimes bring their computing habits from their previous life with them, and these folks especially need the additional layer of protection that security software provides.

In other Mac-related security news: it has been reported that Lion Security Update 10.7.3, released in February, contains a flaw which causes users’ FileVault passwords to be exposed in plain text. This flaw affects those who upgraded to Lion from Snow Leopard, and who were using FileVault to encrypt their home directories: it does not affect those who are using FileVault 2 and full disk encryption, nor does it affect those who haven’t upgraded from Snow Leopard. The best course of action is to implement a full disk encryption solution like Apple’s FileVault 2. And, of course, change the encryption password – after all, it may have been backed up by Time Machine or whatever solution you are using (you are backing up your Mac, right?), which means that it should be considered to be compromised.

OK, rant over. Hopefully, next month I’ll be in a position to report on something more positive in the Mac security space (there is an app I am testing, and should be ready to review by June.) Until then: keep ‘em safe, and keep ‘em secure!


*Disclosure: I support Sophos Anti-Virus on the Windows platform as part of my paid employment. However, I received no compensation or other consideration for mentioning the product here.
Copyright secured by Digiprove © 2012 Ed Truitt