{{Short description|Malware targeting Mac OS X systems}} '''OSX.FlashBack''',<ref>This is the name used in Apple's built-in anti-malware software XProtect. Other antivirus software vendors may use different names.</ref> also known as the '''Flashback''' Trojan, '''Fakeflash''', or '''Trojan BackDoor.Flashback''', is a Trojan horse affecting personal computer systems running Mac OS X.<ref>5 April 2012, [http://www.siliconrepublic.com/strategy/item/26580-flashback-trojan-botnet/ Flashback Trojan botnet infects 600,000 Macs], Siliconrepublic</ref><ref>5 April 2012, [https://web.archive.org/web/20120407022616/http://www.theinquirer.net/inquirer/news/2166228/600-infected-macs-botnet 600,000 infected Macs are found in a botnet], The Inquirer</ref> The first variant of Flashback was discovered by antivirus company Intego in September 2011.<ref name=intego >September 26, 2011, [http://www.intego.com/mac-security-blog/intego-security-memo-september-26-2011-mac-flashback-trojan-horse-masquerades-as-flash-player-installer-package/ Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package], Intego Security</ref>
==Infection== According to the Russian antivirus company Dr. Web, a modified version of the "BackDoor.Flashback.39" variant of the Flashback Trojan had infected over 600,000 Mac computers, forming a botnet that included 274 bots located in Cupertino, California.<ref name=arstechnica>Jacqui Cheng, 4 April 2012, [https://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars Flashback Trojan reportedly controls half a million Macs and counting], Ars Technica</ref><ref name=drweb>4 April 2012, [http://news.drweb.com/show/?i=2341&lng=en&c=14 Doctor Web exposes 550 000 strong Mac botnet] Dr. Web</ref> The findings were confirmed one day later by another computer security firm, Kaspersky Lab.<ref>Chloe Albanesius, 6 April 2012, [https://www.pcmag.com/article2/0,2817,2402715,00.asp Kaspersky Confirms Widespread Mac Infections Via Flashback Trojan], PCMag</ref> This variant of the malware was first detected in April 2012<ref name="bbc infected" /> by Finland-based computer security firm F-Secure.<ref>April 2, 2012, [http://www.f-secure.com/weblog/archives/00002341.html Mac Flashback Exploiting Unpatched Java Vulnerability] F-Secure's News from the Lab</ref><ref>11 April 2012, [http://m.smh.com.au/digital-life/consumer-security/apple-crafting-weapon-to-vanquish-flashback-virus-20120411-1wpwl.html Apple crafting weapon to vanquish Flashback virus], Sydney Morning Herald</ref> Dr. Web estimated that in early April 2012, 56.6% of infected computers were located within the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia.<ref name=drweb/>
==Details== The original variant used a fake installer of Adobe Flash Player to install the malware, hence the name "Flashback".<ref name=intego />
A later variant targeted a Java vulnerability on Mac OS X. The system was infected after the user was redirected to a compromised bogus site, where JavaScript code caused an applet containing an exploit to load. An executable file was saved on the local machine, which was used to download and run malicious code from a remote location. The malware also switched between various servers for optimized load balancing. Each bot was given a unique ID that was sent to the control server.<ref name=drweb/> The trojan, however, would only infect the user visiting the infected web page, meaning other users on the computer were not infected unless their user accounts had been infected separately.<ref>{{Cite web|url=https://www.cnet.com/how-to/how-to-remove-the-flashback-malware-from-os-x/|title=How to remove the Flashback malware from OS X|first=Topher|last=Kessler|website=CNET}}</ref>
==Resolution== Oracle, the company that develops Java, fixed the vulnerability exploited to install Flashback on February 14, 2012.<ref name="bbc infected">{{cite news | url=https://www.bbc.co.uk/news/science-environment-17623422 | title=Half a million Mac computers 'infected with malware' | work=BBC | date=April 5, 2012 | accessdate=April 5, 2012}}</ref> However, at the time of Flashback's release, Apple maintained the Mac OS X version of Java and did not release an update containing the fix until April 3, 2012,<ref name="Apple About Flashback malware">{{cite web | url=https://support.apple.com/kb/HT5244 | title=About Flashback malware | publisher=Apple | date=April 10, 2012 | accessdate=April 12, 2012}}</ref> after the flaw had already been exploited to install Flashback on 600,000 Macs.<ref name=flashbackcheck>{{cite web | url=http://flashbackcheck.com/ | title=flashbackcheck.com | publisher=Kaspersky | date=April 9, 2012 | accessdate=April 12, 2012 | archive-date=August 15, 2012 | archive-url=http://webarchive.loc.gov/all/20120815110027/http%3A//flashbackcheck.com/ | url-status=dead }}</ref> On April 12, 2015, the company issued a further update to remove the most common Flashback variants.<ref name="Apple Java 2012-003">{{cite web | url=https://support.apple.com/kb/HT5242 | title=About Java for OS X Lion 2012-003 | publisher=Apple | date=April 12, 2012 | accessdate=April 12, 2012}}</ref> The updated Java release was only made available for Mac OS X Lion and Mac OS X Snow Leopard; the removal utility was released for Intel versions of Mac OS X Leopard in addition to the two newer operating systems. Users of older operating systems were advised to disable Java.<ref name="Apple About Flashback malware"/> There are also some third party programs to detect and remove the Flashback trojan.<ref name=flashbackcheck/> Apple worked on a new process that would eventually lead to a release of a Java Runtime Environment (JRE) for Mac OS X at the same time it would be available for Windows, Linux, and Solaris users.<ref name="Mac Security: A Myth?">{{cite web | url=http://www.esecurityplanet.com/mac-os-security/mac-security-a-myth-flashback-trojan-java-malware.html | title=Mac Security: A Myth? | publisher=eSecurity Planet | date=April 13, 2012 | accessdate=April 16, 2012 | archive-date=April 17, 2012 | archive-url=https://web.archive.org/web/20120417021221/http://www.esecurityplanet.com/mac-os-security/mac-security-a-myth-flashback-trojan-java-malware.html | url-status=dead }}</ref> As of January 9, 2014, about 22,000 Macs were still infected with the Flashback trojan.<ref name="It's alive! Once-prolific Flashback trojan still infecting 22,000 Macs">{{cite web | url=https://arstechnica.com/security/2014/01/its-alive-once-prolific-flashback-trojan-still-infecting-22000-macs/ | title=It's alive! Once-prolific Flashback trojan still infecting 22,000 Macs | date=January 9, 2014 | accessdate=January 9, 2014}}</ref>
==See also== *Mac Defender *Leap (computer worm)
==References== {{reflist}}
==External links== *[https://web.archive.org/web/20120413031436/http://www.businessweek.com/articles/2012-04-12/apple-delays-hackers-play Apple Delays, Hackers Play] April 12, 2012
Category:MacOS malware Category:Trojan horses