Fake antivirus and Flashback: Learning from Windows malware, gaining agility
In 2011, we saw a sustained attack on Mac users by a malware family called MacDefender. This fake antivirus was the first significant Mac attack distributed through poisoned search results: search result pages led users to legitimate sites that had been compromised to push the malware.
MacDefender is worth discussing today because it shows how Mac malware often follows in the footsteps of older Windows attacks. One sensible way to anticipate the future of Mac malware is to watch what is happening now to Windows users. For instance, Mac admins might reasonably expect new customized attacks relying on server-side polymorphism, in which the download server hands every victim a freshly altered copy of the same malware, so the hash of one captured sample says nothing about the next download.
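The following added example (not code from the Sophos report, and not real malware) emulates what server-side polymorphism does to a defender who relies on hash blocklists. A constructed stand-in for a fake-antivirus installer is served with per-request junk and a varying threat count; every download has a different SHA-256, so a blocklist built from the first sample misses all later ones, while a content signature that matches the installer's unchanging scare text still catches each variant. The payload bytes, the regex and the function names are all constructed for illustration.

```python
import hashlib
import random
import re

# Constructed, harmless stand-in for the static part of a fake-AV installer.
# Real fake-AV payloads differ; this string only gives the signature something stable to match.
CORE_TEXT = b"scan complete, %d threats found, purchase a licence to clean your Mac"


def serve_variant(seed: int) -> bytes:
    """Emulate one response from a server-side polymorphic download server.

    The seed stands in for the per-request randomness a real server would draw;
    it is deterministic here so the example is reproducible offline.
    """
    rnd = random.Random(seed)
    # Per-request junk before and after the payload, plus the seed itself,
    # guarantees every served copy has a unique hash.
    junk_head = seed.to_bytes(4, "big") + bytes(rnd.randrange(256) for _ in range(rnd.randrange(16, 64)))
    junk_tail = bytes(rnd.randrange(256) for _ in range(rnd.randrange(16, 64)))
    # The scare text itself varies slightly (a different bogus threat count per victim).
    body = CORE_TEXT % rnd.randrange(10, 99)
    return junk_head + body + junk_tail


def sha256_hex(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def hash_blocklist_detects(sample: bytes, blocklist: set) -> bool:
    """Exact-hash matching: the model a plain file blocklist implements."""
    return sha256_hex(sample) in blocklist


# Content signature: anchors on structure the attacker must keep for the scam to work,
# tolerating the parts the server varies (the threat count, British/US spelling).
FAKE_AV_SIGNATURE = re.compile(rb"scan complete, \d+ threats found, purchase a licen[cs]e")


def content_signature_detects(sample: bytes) -> bool:
    return FAKE_AV_SIGNATURE.search(sample) is not None


def compare_detection(first_seed: int = 1, later_seeds=range(2, 6)) -> dict:
    """Blocklist the first captured sample, then test both detectors on later downloads."""
    first = serve_variant(first_seed)
    blocklist = {sha256_hex(first)}
    later = [serve_variant(s) for s in later_seeds]
    return {
        "samples": 1 + len(later),
        "distinct_hashes": len({sha256_hex(v) for v in [first, *later]}),
        "hash_blocklist_hits": sum(hash_blocklist_detects(v, blocklist) for v in later),
        "content_signature_hits": sum(content_signature_detects(v) for v in later),
    }


if __name__ == "__main__":
    for key, value in compare_detection().items():
        print(f"{key}: {value}")
```

The point for a Mac admin is not the regex itself but the shape of the defence: anything that blocks by exact file identity lags one download behind a polymorphic server, whereas detection keyed to what the malware has to do (here, show a fake scan result and ask for payment) survives the churn.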
Borrowing from MacDefender while adding important innovations of their own, the creators of the notorious Flashback botnet (also known as OSX/Flshplyr) infected more than 600,000 Macs in the spring of 2012.
Flashback first surfaced as a fake Adobe Flash installer late in 2011. In April 2012, Flashback began to install itself as a drive-by download, exploiting a Java vulnerability that remained unpatched on OS X for weeks after Oracle had shipped the fix to Windows users. Apple ultimately patched Java on OS X 10.7 and 10.6, but not on earlier versions. At the infection’s peak, Sophos’ free Mac antivirus product identified Flashback-related malware on approximately 2.1% of the Macs it protected.
While both MacDefender and Flashback have been beaten back, each shows Mac malware authors becoming more agile. We’ve seen the authors change the delivery mechanisms of existing malware and pursue exploits for vulnerabilities that were still unpatched on the Mac.