Flashback Trojan – A Big Wake Up Call For Mac IT Pros


Business Macs that don't include centrally managed antivirus protection may be ticking time bombs

The after effects of the Flashback Trojan are going to be felt for a long time to come. Although there’s been the occasional Mac malware announcement over the past few years, none was ever found to be rampant in the wilds of the Internet. Most were easily avoided by Apple’s basic security elements or by simple user actions like telling Safari not to immediately open so-called “safe” files after downloading them.

As a result, the Flashback Trojan caught a lot of people off guard – including individual Mac owners and some IT professionals who ought to have known better. It also highlighted deficiencies on the part of Apple when it comes to security.

First, let’s start with the basics. If you aren’t already aware, the Flashback Trojan is a form of malware that can be installed on a Mac using vulnerabilities in an older version of Java. Apple has updated its Java implementations for Macs running Lion and Snow Leopard, and you can get these through Software Update. As we covered last week, you can check for evidence of infection pretty easily.

Note: Apple’s update doesn’t remove an existing infection – so you should check even if you’ve installed the updates.

The entire scenario proves that Macs aren’t immune to malware. It also proves that any illusions of “security by obscurity” – the idea that malware authors won’t target Macs because there are many more Windows PCs (and Android phones) to target – are nothing more than wishful thinking. As John Martellaro from Mac Observer pointed out last week, this is a wake-up call for Apple to build more real security into its products than it has to date.

For businesses, this should be a simple challenge. Centralized antivirus software should have alerted IT staff to the presence of the malware. Whether through automated actions or IT-initiated processes, the malware should have been removed immediately. The process shouldn’t be any different from what occurs on a daily basis with Windows malware infections.

Yet, in many organizations, including many small businesses, that probably isn’t how the scenario has played out. The sense that Macs don’t get viruses often leads IT departments – including those with techs specializing in Apple technologies – to take a somewhat lax approach to these issues compared to the effort and expense dedicated to combatting Windows malware.

Sometimes that means not installing antivirus software at all. More commonly, it means installing it but not setting an aggressive scan or update strategy. One common and rather dangerous approach is installing antivirus software that doesn’t connect to a centralized antivirus management console for an organization – the attitude being that it’s easier and cheaper to just install the consumer-oriented antivirus options, which “should be good enough.” As an IT professional and consultant, I’ve seen all of these attitudes in action over the years.

I actually once saw a Mac IT staffer uninstall an antivirus tool (a sorely out-of-date one, I might add) that kept alerting staff to Office macro viruses dragged over from documents created on infected PCs because “they can’t do much of anything on OS X.”

Those attitudes are outdated and they’re dangerous. Not only do Macs in businesses need antivirus software, they need software that can be centrally managed, which is widely available both from Mac-specific vendors like Intego and from the more common enterprise vendors. Centrally managed tools are the only way to be sure an organization’s Macs, PCs, and network are safe. They also ensure tools and virus definitions are up to date and can make it a relatively quick matter both to prevent infections and to deal with them.

This event is a wake-up call to Mac users and to IT departments that antivirus software is as necessary on a Mac as it is on any PC. It also raises the point that security can’t stop at company-owned Macs. If Macs come in through BYOD programs, they also need to be included in the anti-malware effort.

Apple needs to be more forceful in recommending antivirus software to its customers – or it needs to take over that responsibility itself. The company does build significant security capabilities into OS X – but they can’t replace antivirus software.

  • Andrew_H

    Macs were never ever “more secure” than Windows machines. The disparity in the amount of malware between the operating systems has to do with one simple factor: economics. Why bother coding a virus for an operating system few people used – when I can code a virus for an operating system that everybody uses and is even used by businesses! In short, because they could make more money off Windows users, they coded for Windows users. Only in the last few years has there been a surge in Mac malware, because the popularity of the Mac increased from the iPod, iPhone and other devices: normal Windows users got comfortable with the Apple brand and decided to buy a computer from them.

  • Aaron

    Macs have ALWAYS been more secure than Windows machines. The argument that no one would code a virus for an operating system “few” people used is invalid. Even at its worst, Macs comprised 3% of computers on the Internet. More than enough to spread a virus. Stop spreading FUD from 1995.

    The primary reason Macs (and Linux and other *nix operating systems) are more secure is that they don’t open ports without the user opening them. They also have a “super user” that you have to authenticate to make changes to the system. The Flashback virus worked because of the human factor: People blindly put in their admin password.

    That being said, Windows is doing a good job with Windows 7. Their authentication method does a decent job of approximating the security of a “super user” in a *nix operating system.

    Finally, this is the user’s fault for not keeping their systems up-to-date. How many people do you know that hit “cancel” when the Software Update window appears? My wife is bad about this… but I think I’ve broken her of that habit.

    If the systems are managed, the IT administrator is to blame. It’s their job to keep these systems up-to-date. An out-of-date Java extension is what caused the security breach, along with users who blindly put their admin password into the system.

  • Shootist321

    And why are these IT admins giving their users admin rights? /smh.

  • Erich Menge

    @Aaron: This is incorrect. You did not need to enter your password at all. It was able to infect the user account without any indication whatsoever. I unfortunately discovered I had it today. It has been a real eye opener for me as I’ve shared your view in the past (you’re usually safe as long as you don’t install any software you don’t know the origin of). Unfortunately in this case, the Java exploit was able to bypass any of those safeguards. It did prompt you for your administrator password, so it could infect the entire machine and all user accounts, but if you escaped out of it, your account still got nailed.

    I vaguely remember an authentication window popping up, but I think I was in the middle of something at the time and just hit escape. Distracted, I didn’t even think about it. I figured some app was trying to update and I would deal with it later.

    I uninstalled the Java plugin, as well as Flash, and installed Little Snitch, and won’t be taking any more chances with Java or Flash.

  • DannySax

    That’s all great to tell us we need antivirus on our Macs… Which one? At least recommend a couple that won’t A) break the bank and B) cripple Mac memory and CPU.

  • sault

    A Mac is a combination of hardware and OS X. The vulnerability is for Java, not for the Mac.

  • zzzzzZZZZ

    Symantec estimates the number of infected Macs worldwide at about 50! Threat low, easy to remove…
    Actually, it looks like the trojan is not working at all – it only adds itself (or an evil lib) to DYLD_INSERT_LIBRARIES. BUT: this cannot be used to overwrite existing functionality, as OS X binaries usually use a TWO-level namespace. Hence, this is ignored…
    I found a German post describing it a bit deeper: http://macmark.de/blog/osx_blog_2012-04-a.php?PHPSESSID=396496ebfa54ded1ce12cb5738c552fd
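The DYLD_INSERT_LIBRARIES entry the last commenter describes is also the simplest artefact for an administrator to look for, which is the "check for evidence of infection" the article refers to. The script below is an added example, not code from the article or from any commenter. It scans plist files for a DYLD_INSERT_LIBRARIES key and reports the library path that follows it; the sample plists it writes are constructed demo data, the library path in them is invented, and the function names are hypothetical. The two places a Mac administrator of that era would actually point it at (the per-user launchd environment plist, ~/.MacOSX/environment.plist, and the LSEnvironment dictionary in an application bundle's Info.plist) are assumptions of this example, not locations taken from the page.

```shell
#!/bin/sh
# Added example: defender-side check for DYLD_INSERT_LIBRARIES entries in
# plist files. Hypothetical function names; sample data is constructed.

# Print the library path that DYLD_INSERT_LIBRARIES points at in FILE and
# return 0; return 1 if the file is unreadable or sets no such key.
# The file is flattened to one line so the <string> value may sit on the
# line after the <key> (as plutil/defaults write it).
find_dyld_insert() {
    file="$1"
    [ -r "$file" ] || return 1
    hits=$(tr '\n' ' ' < "$file" |
           sed -n 's/.*<key>DYLD_INSERT_LIBRARIES<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# Scan every plist given as an argument (an admin would pass the user
# environment plist and the Info.plist of each app bundle, assumed
# locations). Returns 0 if at least one file sets the key, 1 otherwise.
scan_plists() {
    status=1
    for f in "$@"; do
        if lib=$(find_dyld_insert "$f"); then
            printf 'SUSPECT %s -> %s\n' "$f" "$lib"
            status=0
        fi
    done
    return $status
}

# Write two constructed sample plists into a temp directory and print its
# path: one clean LSEnvironment block and one that injects a library.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LSEnvironment</key>
    <dict>
        <key>PATH</key>
        <string>/usr/bin:/bin</string>
    </dict>
</dict>
</plist>
EOF
    cat > "$dir/suspect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Users/Shared/example_injected.dylib</string>
    </dict>
</dict>
</plist>
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: build the samples and scan them.
samples=$(make_samples)
scan_plists "$samples"/*.plist || echo "no DYLD_INSERT_LIBRARIES entries found"
```

A hit is not proof of infection by itself (legitimate tooling occasionally uses the variable), but on a managed fleet any DYLD_INSERT_LIBRARIES value in these plists is worth an analyst's look, and the reported path tells you which library to examine. Note that the comment above is right that two-level namespaces limit what an inserted library can interpose; that limits the damage, not the indicator.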