
Flashback malware for OS X appears to be going extinct

One of the largest malware attacks in OS X history has fallen into obscurity.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Just over a year after the Flashback malware began making its appearance on OS X systems, its prevalence has dwindled to the point where, according to ESET, it appears to be going extinct.

In September 2011, Flashback debuted as a fake installer for Adobe's popular Flash plug-in, which was propagated using search-engine optimization to popularize compromised personal blogs and Web sites. While at first the malware did not gain much traction, the criminals behind it began changing their modes of attack, and by taking advantage of an unpatched Java vulnerability it turned into a widespread drive-by download that at its peak was estimated to have infected about 600,000 Mac systems worldwide.

Following the development of this malware threat, Apple and third-party security companies began releasing methods of detecting and removing Flashback, along with instituting preventative measures such as patching Java, implementing automatic disabling of the Java runtime, and recommending its removal for users who do not use it. In addition, the Flashback outbreak highlighted the regular use of OS X Launch Agents as a means of keeping malware active on an OS X system, resulting in recommendations for people to monitor the system's LaunchAgents folders for any unwarranted changes.
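One way to monitor the LaunchAgents folders for unexpected changes, shown here as an added example rather than a tool from Apple, ESET or the original article: it records a baseline of every launchd job plist and reports agents added, modified or removed since. The baseline file location and the function names are assumptions.

```python
import hashlib
import json
import plistlib
from pathlib import Path

# Standard launchd agent folders on OS X (per-user, all-users, system).
AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
              "/System/Library/LaunchAgents"]
BASELINE = Path("~/.launchagents_baseline.json").expanduser()  # hypothetical path


def snapshot(dirs=AGENT_DIRS):
    """Map each .plist path to its SHA-256 and the command launchd would run."""
    state = {}
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            data = path.read_bytes()
            try:
                job = plistlib.loads(data)  # handles XML and binary plists
                command = job.get("ProgramArguments") or [job.get("Program", "")]
            except Exception:
                command = ["<unparseable plist>"]  # still tracked by hash
            state[str(path)] = {"sha256": hashlib.sha256(data).hexdigest(),
                                "command": [str(c) for c in command]}
    return state


def diff(baseline, current):
    """Return sorted (kind, path, command) tuples for changes since baseline."""
    findings = []
    for path, entry in current.items():
        if path not in baseline:
            findings.append(("added", path, entry["command"]))
        elif baseline[path]["sha256"] != entry["sha256"]:
            findings.append(("modified", path, entry["command"]))
    for path in baseline.keys() - current.keys():
        findings.append(("removed", path, baseline[path]["command"]))
    return sorted(findings)


if __name__ == "__main__":
    now = snapshot()
    if BASELINE.exists():
        for kind, path, command in diff(json.loads(BASELINE.read_text()), now):
            print(f"{kind:8} {path} -> {' '.join(command)}")
    else:
        BASELINE.write_text(json.dumps(now, indent=2))  # first run: record baseline
```

The baseline is written only on the first run, so a reported change keeps appearing until it has been reviewed and the baseline file is deliberately regenerated.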

Figure: Flashback infection rates. After its peak, the Flashback malware continued to decline at a steady pace, though the accuracy of these numbers and the exact rate of decline were debatable. (Credit: Topher Kessler/CNET)

These efforts, along with persistence in uncovering and stemming the command-and-control servers for Flashback, resulted in a steady diminishing of the malware. While some analyses claimed the continuing malware infection levels were higher than reported because of faults with how infection rates were measured, overall the malware began declining at a steady rate, to the point where it currently appears the criminals behind it have given up on developing it.

Overall, the Flashback malware timeline shows a rapid onset, quick tackling, and steady diminishing of the threat in its year-long lifetime:

  • September 2011: First Flashback malware surfaces using fake Adobe Flash installers.
  • October 2011 to January 2012: Flashback variants surface, disabling XProtect and changing the system components they target, and a cat-and-mouse game ensues between the criminals and Apple's XProtect system.
  • February 2012: Flashback begins using alternative modes of attack, using social engineering and false certificates to fool victims.
  • February 2012: Oracle outlines the CVE-2012-0507 vulnerability and offers a Java SE 6 update (Apple does not update its Java runtime).
  • March 2012: Flashback evolves to use CVE-2012-0507, resulting in the infection of 600,000 Macs.
  • Late March 2012 to April 2012: Instructions for manual Flashback removal begin to surface.
  • Late March 2012: Security companies begin tracking infections through sinkholes to determine the extent of the infection.
  • April 3, 2012: Apple updates Java SE 6.
  • April 4, 2012: Security company Dr. Web releases first infection rate numbers, revealing that over 1 percent of Mac users have been affected.
  • April 6, 2012: Apple releases another Java update, including options to automatically disable the plug-in.
  • April 13, 2012: Apple issues a security update to scan OS X systems for Flashback.
  • April 19, 2012: Flashback infection rate drops, though the extent is debatable.
  • May 1, 2012: The Flashback C&C servers stop responding.
  • May 14, 2012: Apple issues Flashback removal tools for OS X 10.5.
  • June 12, 2012: Apple issues more Java updates to immediately tackle vulnerabilities outlined by Oracle, leaving no room for exploitation.
  • June 2012 to September 2012: Flashback infection rates continue to decline.
  • September 20, 2012: ESET releases wrap-up report of the Flashback infection.

Following this malware's rise and fall into obscurity, security company ESET has released a wrap-up analysis (PDF) of the Flashback malware that looks in detail at every component of the latest variant of the malware, and reveals how it attacks the system and the means by which it communicates with external servers.


