And so, with Flashback, Mac users finally have a significant piece of malware to worry about. From the tech news sites, you’d think that the sky is falling for users of Apple’s OS X. And, as usual, they’ve completely missed a more significant point – about how malware is changing.
I’ve seen one estimate that puts the number of Flashback infections at 1% of the Macs in use. That’s pretty paltry by PC standards where the proportion of infected machines is way up in double digits, even reaching 90%-plus in some parts of the world (largely due to the widespread use of pirated versions of Windows).
The most recent estimate I’ve read from Kaspersky, which has sinkholed a number of the Command & Control (C&C) server domains, is 660,000 machines. Again, that’s small beer compared to the Windows world. On the other hand, it’s a pretty impressive performance for a single trojan. After all, when it comes to malware, the Windows world has millions of samples to choose from, and new ones are appearing every few seconds.
Flashback is fairly trivial to detect and remove. F-Secure has instructions for detection and removal. Kaspersky has one too, and is also offering an online check at http://flashbackcheck.com to see if your Mac’s Universal Unique Identifier (UUID) has been communicating with the C&C servers and if you have a vulnerable version of Java. Apple has announced it is working both on a removal tool and with ISPs to disable the botnet’s C&C servers.
The people who’ve been shouting the loudest about Flashback are, predictably, the anti-malware vendors. Of course, they’re not entirely disinterested parties. Sophos has been banging on about Mac malware for some time now, even though, when it talked about the subject last year, it was able to enumerate every piece of Mac malware ever known, in detail, in a single blog post. It also goes to great pains to point out that its Mac anti-malware package is free to individual users. Of course, it’s not free to corporate and organisational users, and we all know what inroads Apple is making there.
According to a story from Computerworld, sales/downloads of Mac anti-malware packages have really taken off since the Flashback story broke.
But let’s not be too cynical. Does Flashback herald a new era for Mac users? Probably. Some would say that Apple is now so successful that it’s worthwhile for malware writers to target the platform. But that’s where the whole ‘missing the point’ thing comes in.
Flashback doesn’t target OS X, per se. It targets Java.
What is significant about this outbreak is that it’s the best example we’ve had so far about how malware has moved up the software stack. By targeting third-party frameworks or applications, the malware writers get the best bang for their buck (which is why Linux users should also stop looking so smug).
The take-away here isn’t that complacent Mac users are finally getting their come-uppance. It’s that we all need to pay more attention to what software is on our machines. Apple’s advice to ditch Java if you don’t need it looks sensible to me. But it doesn’t go far enough. Even those end users who’ve got the message about regular and timely patching often think it just refers to the OS.
We need to get into the habit of regularly reviewing what’s on our computers. Delete what you don’t use, and make sure the rest is fully patched.
Personally, I don’t think I’ll be bothering with anti-malware software on this MacBook Pro for the foreseeable future. (I’m even a little dubious about its value on my Win7 laptop, frankly.) But then I’m obsessive about patching…