Antivirus vendor ESET has published a technical analysis of the OSX/Flashback threat. Fully operational six months ago, the threat is now "extinct," according to an expert at ESET.
"We have witnessed [Flashback's] operator abandoning control of the botnet by shutting down its latest command-and-control server," wrote Pierre-Marc Bureau, security intelligence program manager at ESET, in a blog post. "It appears that the operators of Flashback did not release any new binary to avoid detection, and continue their operation with a new infrastructure."
Flashback was first detected in the fall of 2011 and gained widespread attention in April 2012, when it was found to have infected more than 500,000 Macs. The ESET technical analysis, "OSX/Flashback: The first malware to infect hundreds of thousands of Apple Mac" (.pdf), describes how Flashback infected computers running Mac OS X and analyzes both the installation component and the injected library. The malware reached victims in several ways: initially as a fake Adobe Flash Player update, later via a signed Java applet, and finally by exploiting one of two Java vulnerabilities, CVE-2012-0507 or CVE-2011-3544, to infect users without any interaction.
The Bratislava, Slovakia-based antivirus vendor also notes that Mac users often do not take the security of their machines seriously, and chronicles the relationship between Apple and Java in the wake of Flashback.
"Some Mac users believe themselves to be immune to malicious software because they are using OS X. Certainly, the malware threats to OS X are less numerous than to Windows, but they are not nonexistent," the report read. Flashback has not been the only issue for Macs either. Lamadai, MacControl and Crisis have also created issues for Mac users this year. Experts attribute the growing threat of malware for Macs to an increasing payout for attacking the machines.
When Flashback first appeared, Apple maintained its own Java build for OS X and had to validate and distribute Java updates through its own software update mechanism. Oracle therefore could not patch Java on Macs at the same time it patched Windows PCs, and the Mac updates often arrived much later, as they did for the vulnerability Flashback exploited.
Flashback triggered another change in the Apple-Java relationship.
"[Apple] registered all the names of the available domains connected to Flashback, including those generated dynamically. Shortly after that, Apple created an update to OS X that detected the presence of Flashback and uninstalled it from the system," the ESET report said.
With the debut of Mac OS X Lion (10.7), Apple stopped installing a Java runtime by default on its operating system. The report called this "a move that can be seen as reducing avenues of attack. This might also be interpreted as an attempt to avoid the burden of updating software that is beyond its control."