04/23/2012

Incredible Analysis of the Flashback/Flashfake OS X Trojan

In one of the finest examples of research into the workings of malware most people are likely to ever see, Alexander Gostev of Kaspersky Lab has begun publishing a full analysis of Flashback/Flashfake.

According to Alexander's research, Flashfake began its infections via hacked WordPress blogs.
From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update.
Good ol' social engineering is what duped the first wave of folks into getting infected. (N.B. Typically, these are the types of infections that are blocked by Internet security software.)

Next, it appears actual exploits (including ones for then-unpatched Java vulnerabilities) began being used to spread the Trojan via the hacked WordPress blogs. Exactly how many blogs were compromised isn't known, but it's at least 30,000 according to a Websense report on the WordPress infections.

Hats off to Kaspersky and Alexander both for the great research and for sharing it.

04/13/2012

Flashback Checker & Removal Tools (or Why Antivirus Software is a Good Thing)

People sometimes question why antivirus software that's not a part of the operating system is a must.

With Windows 8, for instance, Microsoft has announced it's including its own antivirus software right in the operating system itself.

To be blunt: this is meaningless, particularly when it comes to making a PC safer. The first antivirus software the virus writers will make sure their malware evades is the one built into Windows! And so, this A/V software amounts to nothing more than a false sense of security for most people and a small delay for the bad guys.

Having good third-party antivirus software means you have another layer of protection the bad guys don't necessarily know about. Sure, they may try to avoid detection by independent antivirus programs, especially the most common ones, but if they're at least beating the baked-in antivirus software, their battle is largely done.

Yes, it might make it harder to find ways to infect PCs to begin with, but all that does is slow them down a bit.

Now, let's bring Apple into the picture.

Apple was criticized first for its slowness in shipping the Java patches Oracle had released months earlier (the delay that let the Flashback Trojan hit Macs as virulently as it did to begin with), then a second time for not working with the antivirus community, which was eager to help, and a third time for not releasing detection and removal tools.

Luckily, the antivirus companies entered the picture. First was Dr. Web with its disclosure of the Trojan (and "sinkholing" of the botnet's command-and-control domain names).

Then F-Secure followed with manual instructions for determining whether your Mac had been compromised. On the heels of that came Kaspersky with free, automated Flashback detection and removal tools.
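F-Secure's manual check came down to looking at whether the loader variable DYLD_INSERT_LIBRARIES had been planted in a browser's Info.plist (under the LSEnvironment key, for Safari or Firefox) or in ~/.MacOSX/environment.plist; that is how Flashback got its library loaded into the browser on every launch. The Python script below is an added example written for this page, not F-Secure's instructions or Kaspersky's tool. It automates that check with the standard library's plistlib (which reads both XML and binary plists), and the sample plist contents and the library path inside them are constructed for the demonstration.

```python
"""Audit a Mac for the DYLD_INSERT_LIBRARIES persistence used by Flashback.

Two places are checked, matching the locations in F-Secure's manual check:
  * LSEnvironment in an application's Info.plist (Safari, Firefox)
  * ~/.MacOSX/environment.plist, applied to every process in the session
A DYLD_INSERT_LIBRARIES entry in either is a strong indicator of tampering.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

INJECTION_VAR = "DYLD_INSERT_LIBRARIES"


def candidate_locations(home: Path = Path.home()) -> List[Path]:
    """Files Flashback is known to have modified to get its library loaded."""
    return [
        Path("/Applications/Safari.app/Contents/Info.plist"),
        Path("/Applications/Firefox.app/Contents/Info.plist"),
        home / ".MacOSX" / "environment.plist",
    ]


def find_injected_library(plist_bytes: bytes) -> Optional[str]:
    """Return the DYLD_INSERT_LIBRARIES value if the plist carries one.

    Looks under LSEnvironment (application Info.plist) and at the top
    level (environment.plist, where keys are the variable names).
    Unparseable input is reported as 'nothing found' rather than an error
    so the caller can keep scanning the other locations.
    """
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException for non-plists, ExpatError for bad XML
        return None
    if not isinstance(data, dict):
        return None
    ls_env = data.get("LSEnvironment")
    if isinstance(ls_env, dict) and INJECTION_VAR in ls_env:
        return str(ls_env[INJECTION_VAR])
    if INJECTION_VAR in data:
        return str(data[INJECTION_VAR])
    return None


def audit(paths: Iterable[Path]) -> Dict[str, str]:
    """Map each tampered file path to the library it injects."""
    findings: Dict[str, str] = {}
    for path in paths:
        try:
            blob = path.read_bytes()
        except OSError:
            continue  # application not installed or file absent: nothing to inject into
        lib = find_injected_library(blob)
        if lib is not None:
            findings[str(path)] = lib
    return findings


# Constructed sample inputs (not captured from a real infection).
INJECTED_LIB = "/Users/Shared/.example_injected.dylib"  # placeholder path
CLEAN_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})
TAMPERED_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {INJECTION_VAR: INJECTED_LIB},
})
TAMPERED_ENV_PLIST = plistlib.dumps(
    {INJECTION_VAR: INJECTED_LIB}, fmt=plistlib.FMT_BINARY
)


def demo_on_constructed_files() -> Dict[str, str]:
    """Write the constructed samples to a temp dir and audit them end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.plist").write_bytes(CLEAN_INFO_PLIST)
        (root / "Info.plist").write_bytes(TAMPERED_INFO_PLIST)
        (root / "environment.plist").write_bytes(TAMPERED_ENV_PLIST)
        paths = [root / "clean.plist", root / "Info.plist",
                 root / "environment.plist", root / "missing.plist"]
        # Report file names only so results do not depend on the temp dir name.
        return {Path(p).name: lib for p, lib in audit(paths).items()}


if __name__ == "__main__":
    hits = audit(candidate_locations())
    if not hits:
        print("No DYLD_INSERT_LIBRARIES entries found in the checked locations.")
    for path, lib in hits.items():
        print(f"TAMPERED: {path} injects {lib}")
```

Run as-is on a Mac it reports any injected library found in the three real locations; a clean system prints nothing alarming. Note what this does and does not prove: a hit is a strong tampering indicator, but an absence only means this particular persistence trick is not present, so it is a check, not a full scan.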

All of these companies beat Apple, by a long shot, at protecting their customers (and non-customers alike) with the steps and tools each of them published.

Oh, and lest it go unsaid, Apple did release an update to Java that patches the hole and removes the most common variants of the Flashback malware.

Here's what the update looks like in Software Update: