Richi Jennings

Biggest Apple botnet discovered: 600K+ Macs infected

April 05, 2012 5:53 AM EDT
Russian researchers have discovered a botnet of more than 600,000 Macs. Yes, Macs -- you know, those things that don't get malware. Apple (NASDAQ:AAPL) is coming under heavy criticism for its slow response to known vulnerabilities and for perpetuating the myth that OS X is malware-free. In IT Blogwatch, bloggers rush to grab the update.
[Update 3: Is the number accurate? Why is this a big deal? What's the botnet doing?]
By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Almost gliding an Airbus into LAX...
Dan Moren reports in measured tones:
It can now infect your computer from...a visit to a website. ... The latest variant...takes advantage of a weakness in Java SE6...CVE-2012-0507, allows the malware to install itself from a malicious website...without needing the user to enter an administrator’s password.
Apple has long been criticized for lagging...when it comes to updating Java for security patches.
[But] there’s no need for widespread panic.
Er, Dave Neal says it is time to PANIC:
[A] botnet...has hijacked an impressive 600,000 infected Macs. ... Infected web sites...range from some related to films through streaming television services to something called Gangstasparadise.
[T]here might be four million compromised web pages...and cases of infection when visiting

The anonymous Russian gnomes at Dr. Web measured the botnet:
Systems get infected with BackDoor.Flashback.39...JavaScript code is used to load a Java-applet containing an exploit. [We] discovered a large number of web-sites containing the code.
Attackers began to exploit [these] vulnerabilities to spread malware in February 2012. ... The vulnerability has been closed by Apple only on April 3. ... Most infected computers reside in the United States (56.6%)...Canada comes second (19.8%)...the third place is taken by the United Kingdom (12.8%)...and Australia [is] fourth.
Mac users [should] download and install a security update released by Apple from

Brian Krebs has strongly-worded criticism of Apple:
Apple stopped bundling Java by default in...Lion, [but] it offers instructions for downloading and installing [it] when users access webpages that use it.
I can’t stress this point strongly enough: If you don’t need Java, remove it from your system. ... Apple maintains its own version of Java, and [is] unacceptably far behind Oracle in patching critical flaws. ... [Its] lackadaisical...response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware.
And Adrian Sanabria backs him up:
Despite what Apple...would have you believe, Macs are not invulnerable...malware targeting OS X does exist. ... [The] operating system isn't a panacea when it comes to security - only less targeted. Until now.
[If] accurate, such a large infection rate on Macs may change common perception of OS X as "virus-proof."

Update: Philip Elmer-DeWitt eats, if not crow, then some sort of dark-colored avian fauna:
Having written several times...about the relative security of Apple's...operating systems...I feel obliged to report that Mac OS X is under...the most serious malware attack to date.

Meanwhile, Mike Magee's minions mostly mock Macs:
Apple users will be suffering a crisis of faith, as...its faith-based security system failed to prevent [this].
[H]apless Mac users...have mostly been twiddling their thumbs, satisfied with the impenetrable fortress...that Apple's machines are, for some reason, perceived to be.

Update 2: Dave Schroeder defends against the schadenfreudenistas:
[No] sensible person ever said "Macs don't get infected." ... It's just a lot less likely...even accounting for differences in marketshare.
Macs, as a whole, are indeed "more secure", in that still, to this day, you are far less [likely to] become impacted with any malware than with Windows. Maybe someday this will change. ... The fact that single instances of Mac malware get so blown out of proportion, still, is ridiculous.
The same advice and best practices for avoiding malware apply to Macs...and Mac users would do well to run current AV software.

Update 3: Liam Tung wonders how accurate the 600K figure is:
F-Secure’s Mikko Hypponen...had some reservations about the numbers...[but] today said he confirmed...that they did count actual PCs, not IP addresses. ... “Flashback uses a unique hardware-based User-Agent in its requests.”
Why is FlashBack important? ... Because unlike older Mac malware, it does not require any “user interaction” to infect. ... The key it uses “exploits” as opposed to just “fooling you into typing in the root password.” ... It’s the first mass infection where Mac users are infected...[by] drive-by downloads.
And what does Flashback actually do? ... [It's] hijacking Google search results...the Trojan manipulates Google search results returned to the infected Mac [to] generate cash...through referral programs.
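Hypponen's confirmation that the count is of machines rather than addresses rests on each bot carrying a hardware-derived identifier in its User-Agent. As an added example, not from the original post nor from F-Secure or Dr. Web, the script below tallies constructed sinkhole-style log lines both ways, by source IP and by per-machine identifier; the log layout and the `id/<hex>` token are assumptions, not Flashback's real format.

```python
import re
from collections import defaultdict

# Constructed sinkhole-style log lines (not real Flashback traffic).
# The "id/<hex>" token stands in for the per-machine hardware-derived
# identifier Hypponen describes; its format here is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - [2012-04-05T09:00:01Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/0a1b2c3d"
203.0.113.10 - [2012-04-05T09:00:02Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/9f8e7d6c"
203.0.113.10 - [2012-04-05T09:00:03Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/0a1b2c3d"
203.0.113.10 - [2012-04-05T09:00:04Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/deadbeef"
198.51.100.7 - [2012-04-05T09:05:00Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/55aa55aa"
198.51.100.8 - [2012-04-05T10:05:00Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/55aa55aa"
192.0.2.44 - [2012-04-05T10:06:00Z] "GET /cmd HTTP/1.1" "Mozilla/5.0 id/c0ffee00"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" "(?P<ua>[^"]*)"$'
)
UA_ID_RE = re.compile(r"\bid/(?P<bot_id>[0-9a-f]{8})\b")

def parse_log(text):
    """Yield (ip, bot_id) for every line whose User-Agent carries an id."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; skip it
        uid = UA_ID_RE.search(m.group("ua"))
        if uid:
            yield m.group("ip"), uid.group("bot_id")

def count_bots(text):
    """Return (unique_ips, unique_bot_ids, ids_per_ip, ips_per_id)."""
    ids_per_ip = defaultdict(set)   # several bots behind one NAT address
    ips_per_id = defaultdict(set)   # one bot seen from changing addresses
    for ip, bot_id in parse_log(text):
        ids_per_ip[ip].add(bot_id)
        ips_per_id[bot_id].add(ip)
    return len(ids_per_ip), len(ips_per_id), dict(ids_per_ip), dict(ips_per_id)

if __name__ == "__main__":
    ips, bots, per_ip, per_id = count_bots(SAMPLE_LOG)
    print(f"unique IPs: {ips}, unique bot ids: {bots}")
    nat = [ip for ip, ids in per_ip.items() if len(ids) > 1]
    roaming = [b for b, addrs in per_id.items() if len(addrs) > 1]
    print(f"addresses hiding several bots: {nat}; ids on several addresses: {roaming}")
```

Counting by address alone undercounts machines behind NAT and can double-count a single machine whose address changes, which is why the per-machine identifier is the better basis for the botnet size.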
And Finally...
Almost gliding an Airbus into LAX
Richi Jennings, your humble blogwatcher
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch, for which he has won ASBPE and Neal awards. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can read Richi's full profile and disclosure of his industry affiliations.