Flashback trojan infects 600,000 Mac OS X computers, including 274 at Cupertino


This is not an email-based threat, but at MX Lab we thought we should share the information to warn the public about it.

Several news sites have published articles about the Flashback trojan that is infecting Mac OS X computers. So far, according to the latest figures from Dr.Web, 600,000 computers have been identified as infected and turned into a botnet. 274 of the infected computers are reported to be at Apple in Cupertino.

The malware itself is detected by Dr.Web as BackDoor.Flashback.39 and ends up on a computer after a visit to a bogus site, or after a redirect through a traffic distribution system. JavaScript embedded in the page's HTML loads a Java applet containing the exploit.

Compromised sites:

  • godofwar3.rr.nu
  • ironmanvideo.rr.nu
  • killaoftime.rr.nu
  • gangstasparadise.rr.nu
  • mystreamvideo.rr.nu
  • bestustreamtv.rr.nu
  • ustreambesttv.rr.nu
  • ustreamtvonline.rr.nu
  • ustream-tv.rr.nu
  • ustream.rr.nu
The Java exploit saves an executable to the hard drive. That executable then downloads the actual malware from a remote server.

You can quickly check whether your Mac is infected with BackDoor.Flashback.39. Here is how:

  • Open Terminal (found in /Applications/Utilities/)
  • Type the command: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • Terminal should return: The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
  • Type the command: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  • Terminal should return: The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist (where "joe" is your own user name)

If Terminal returns both of the "does not exist" messages above, your Mac is not infected by this variant. The trojan persists by setting DYLD_INSERT_LIBRARIES, either in Safari's Info.plist or in the per-user environment.plist, so that its library is loaded into Safari (or into every process of your login session). If either command instead prints a DYLD_INSERT_LIBRARIES value, that value is the path of the injected library; follow the removal instructions linked at the bottom of this post. Note that the check only covers these two known persistence locations.
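The same two checks can be done without `defaults`, by reading the plist files directly. The script below is an added example written for this post; it is not MX Lab's, Apple's or F-Secure's code. It reads /Applications/Safari.app/Contents/Info.plist and ~/.MacOSX/environment.plist with Python's plistlib (which handles both XML and binary plists), reports any DYLD_INSERT_LIBRARIES value it finds, and also runs the logic against a constructed sample of an infected Info.plist so that the detection path can be seen on a clean machine. The sample dictionary and the library path in it are made up for illustration.

```python
"""Check the two Flashback persistence points by reading the plists directly.

Added example for this post; not the tooling of MX Lab, Apple or F-Secure.
"""
import os
import plistlib
from typing import Optional

# `defaults read` takes the domain path without ".plist"; these are the files
# the two commands in the post actually read.
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

# Constructed sample of what an infected Safari Info.plist looks like in the
# two keys we care about. The library path is invented for the example.
SAMPLE_INFECTED_INFO = {
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.example.dylib"},
}


def load_plist(path: str) -> Optional[dict]:
    """Return the plist as a dict, or None when the file is absent or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return None
    return data if isinstance(data, dict) else {}


def dyld_from_safari_info(info: dict) -> Optional[str]:
    """Equivalent of `defaults read .../Safari.app/Contents/Info LSEnvironment`.

    A stock Safari has no LSEnvironment key at all. Flashback adds one whose
    DYLD_INSERT_LIBRARIES entry makes dyld load its library into Safari.
    """
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def dyld_from_environment(env: dict) -> Optional[str]:
    """Equivalent of `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`.

    environment.plist is applied to every process of the login session, so an
    entry here injects the library into everything the user runs, not just Safari.
    Other keys (PATH, JAVA_HOME, ...) are sometimes set legitimately; only
    DYLD_INSERT_LIBRARIES is the signal.
    """
    return env.get("DYLD_INSERT_LIBRARIES")


def flashback_check(safari_plist: str = SAFARI_INFO_PLIST,
                    user_env_plist: str = USER_ENV_PLIST) -> dict:
    """Run both checks; an empty dict is the same result as the two
    'does not exist' messages from `defaults`. A missing file counts as clean."""
    findings = {}
    info = load_plist(safari_plist)
    lib = dyld_from_safari_info(info) if info else None
    if lib:
        findings["safari_LSEnvironment"] = lib
    env = load_plist(user_env_plist)
    lib = dyld_from_environment(env) if env else None
    if lib:
        findings["user_environment_plist"] = lib
    return findings


if __name__ == "__main__":
    # Show the detection path on the constructed sample first ...
    print("sample infected Info.plist ->", dyld_from_safari_info(SAMPLE_INFECTED_INFO))
    # ... then check this machine. On a non-Mac both files are absent.
    hits = flashback_check()
    if not hits:
        print("No DYLD_INSERT_LIBRARIES persistence at the two known locations.")
    for where, lib in hits.items():
        print(f"SUSPICIOUS: {where} injects {lib}")
```

Run it as the user whose login session you want to inspect, since the second location is per user. Like the manual procedure, it only looks at the two persistence points known for this variant; it does not scan for the downloaded payload itself.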

In the past, I also had discussions with people on blogs or forums regarding the statement "Get a Mac and you have no viruses or trojans". I have always said in those discussions that an operating system, whether it is Mac OS X, Windows, Unix or Linux, is not a guarantee that you are safe. Each system is vulnerable, and Mac OS X was in the past simply not a real target. This is now different: more people have a Mac, so it is more tempting and rewarding to write a virus or trojan for Mac OS X these days.

Recommendation:

  • install Apple's Java update for your version of OS X (see the Apple support link below), which closes the hole the exploit uses
  • get a security application for your Mac and keep it up to date
  • disable Java in your browser if you do not need it (also recommended for Windows users)

More information regarding the threat:

DrWeb

More information regarding removal of the trojan:

Apple Support: About the security content of Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7
F-Secure Trojan-Downloader:OSX/Flashback.I removal instructions