Flashback Mac Trojan Gets Second Patch

Apple has issued a second patch for the widespread Flashback Trojan, this time focusing on OS X Lion

Apple is continuing to fight back against a Trojan that has infected more than 600,000 Mac computers, reportedly issuing a second patch this week.

The latest update, issued on 6 April and called Java for OS X 2012-002, is substantially the same as the first one issued for the Flashback Trojan, though it appears to apply only to OS X Lion, officials with security software maker Intego said in a post on the company’s blog.

Essential update

“It is possible that Apple discovered a minor glitch in the first update, necessitating a new release,” the blog post read. “It seems that this update is only available for Lion, whereas the first update was for both Snow Leopard and Lion. In any case, it is essential that all Mac users apply this update. The Flashback malware has been very active in the wild, and can install with no user interaction, if Java is not patched.”

The Flashback exploit first surfaced last year, and has resurfaced in recent weeks, with Russian security software company Doctor Web saying on 4 April that as many as 550,000 Macs – more than half of them in the United States – have been infected. The company later raised that number to more than 600,000.

Apple issued its first patch on 3 April, then followed up with the second three days later.

“Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system,” Doctor Web officials said in an April 4 blog post. “JavaScript code is used to load a Java-applet containing an exploit. Doctor Web’s virus analysts discovered a large number of websites containing the code.”

Cyber-criminals began exploiting two vulnerabilities in February, then switched to another after 16 March, Doctor Web officials said. That last vulnerability was closed by Apple’s patch on 3 April, according to Doctor Web.

Macs in the spotlight

Flashback and a growing number of other recent malware incidents targeting Macs have shaken Apple’s reputation for the security of its products. Last year saw the Tsunami Trojan and Revier/Imuler Trojan, as well as Mac Defender, a fake antivirus program that tried to steal credit card data from Mac users.

With the growing popularity of Mac and other Apple devices, security experts say Apple and its customers can expect more attention from cyber-criminals. In the last calendar quarter of 2011, Apple sold more than 37 million iPhones, 15.43 million iPads and 5.2 million Macs, the company reported in January.

“This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats,” Mike Geide, senior security researcher at Zscaler ThreatLabZ, said in an email after the 3 April patch was released. “And the need to follow best security practices, such as remaining current with patches, is ubiquitous – it doesn’t matter if you’re using Windows, Mac, or even [a] mobile phone.”

‘Sinkholing’

The first version of Flashback was designed to look like an update to Adobe Flash – giving the Trojan its name. However, the subsequent variants hit Mac users who had visited websites that were harbouring the malware.

Doctor Web officials said in their blog that the company was able to redirect some of the Flashback traffic to their own servers in an operation known as “sinkholing”.

In a 3 April blog post, Intego officials said they had been finding new variants of the Flashback Trojan since 23 March, and that they were not all identical to what other security companies were finding. Still, there are steps Mac users can take to protect themselves, they said.

“In any case, the safest thing that users can do is turn off Java in their web browser,” Intego said in its blog post. “If you use Safari, choose Safari > Preferences, then click on Security. Uncheck Enable Java, to ensure that no Java applet can run. For other browsers, check in their security preferences as well.”
