The H-Online: A Russian AV company, Dr. Web, says it has conducted research to determine the spread of the Flashback trojan on systems running Mac OS X and says that 550,000 systems are infected, mostly in the US and Canada. A later update raised that number to 600,000 and claimed 274 infected systems in Cupertino, California.
Dr. Web says it employed a sinkhole technique to intercept the bot installed by the newest Flashback trojan, and directed the bots to its own servers where it could analyse the traffic. Each bot includes a unique ID of the machine it has infected in the query string it sends to the command and control server; it is these unique IDs that Dr. Web has used to calculate the infection count. According to its estimates, of the original 550,000 estimate, 56.6% of the systems were in the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia.
The latest generations of Flashback are different from previous Flashback trojans. According to an F-Secure advisory the newest version attempts to use old vulnerabilities in the Java implementation on Mac OS X to install its payload silently unless it detects security applications such as Little Snitch, VirusBarrier X6, iAntiVirus, ClamXav, HTTPScoop and Packet Peeper, or XCode, the Mac OS X development environment, in which case it deletes itself. If the Java vulnerabilities fail to allow installation it will then prompt for an administrator password and, if it gets a valid administrator password, inject malware into the system’s installation of Safari or Firefox. If it doesn’t get a valid administrator password, it attempts to use a different infection technique, but checks for Microsoft Word and Skype first and deletes itself if they are present, as it is known that this alternative infection method causes those applications to crash.
Users are recommended to install the recent Apple Java update to close the hole which allows malicious web pages to drop the trojan onto a system and to always check which application is actually asking for your password when requested.
To detect if a system is infected with Flashback, run each of the following commands in the Mac OS X Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
If all these commands respond with “The domain/default pair of … does not exist”, then there is no Flashback infection. Otherwise consult the F-Secure advisory for manual removal instructions.