Fakeflash

OSX.FlashBack, also known as the Flashback Trojan, Fakeflash, or Trojan BackDoor.Flashback, is a Trojan horse affecting personal computers running Mac OS X. The first variant of Flashback was discovered by the antivirus company Intego in September 2011.[1]


Infection

According to the Russian antivirus company Dr. Web, a modified version of the "BackDoor.Flashback.39" variant of the Flashback Trojan had infected over 600,000 Mac computers, forming a botnet that included 274 bots located in Cupertino, California.[2][3] The findings were confirmed one day later by another computer security firm, Kaspersky Lab. This variant of the malware was first detected in April 2012 by the Finland-based computer security firm F-Secure. Dr. Web estimated that in early April 2012, 56.6% of infected computers were located in the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia.


Details

The original variant used a fake Adobe Flash Player installer to install the malware, hence the name "Flashback". A later variant instead exploited a Java vulnerability on Mac OS X as a drive-by download: the user was redirected to a compromised or bogus website where JavaScript code loaded a Java applet containing the exploit. The exploit saved an executable on the local machine, which then downloaded and ran further malicious code from a remote location. The malware rotated between several command-and-control servers to balance load, and each bot was assigned a unique ID that it reported to the control server. The trojan, however, infected only the user account that visited the malicious page; other accounts on the same computer were not affected unless they were infected separately.


Resolution

Oracle, the company that develops Java, fixed the vulnerability exploited to install Flashback on February 14, 2012. At the time, however, Apple maintained the Mac OS X version of Java itself and did not ship an update containing the fix until April 3, 2012, after the flaw had already been used to install Flashback on about 600,000 Macs. On April 12, 2012, Apple issued a further update that removed the most common Flashback variants. The updated Java release was only made available for Mac OS X Lion (10.7) and Mac OS X Snow Leopard (10.6); the removal utility was additionally released for Intel versions of Mac OS X Leopard (10.5). Users of older versions were advised to disable Java. Several third-party programs can also detect and remove the Flashback trojan. Following the incident, Apple worked on a new process under which a Java Runtime Environment (JRE) for Mac OS X would be released at the same time as the Windows, Linux and Solaris versions. As of January 9, 2014, about 22,000 Macs were still infected with the Flashback trojan.
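The two points above that matter for cleanup are that Flashback infected one user account at a time, so every local account has to be checked rather than only the one running the scan, and that detection tools exist beyond Apple's own updater. The script below is an added example written for this article; it is not code from the original page, from Apple or from any antivirus vendor. It checks the persistence indicator that the antivirus vendors' published removal guidance for the 2012 Java-exploit variants pointed at: a library injected through the DYLD_INSERT_LIBRARIES environment variable, set either per user in ~/.MacOSX/environment.plist or system-wide in a browser bundle's Info.plist under LSEnvironment. The sample plists in the block are constructed for the demonstration, and the library paths and bundle names in them are hypothetical.

```python
"""Per-account check for Flashback's persistence indicator.

Added example, not code from the original article or from any vendor.  The
indicator it looks for comes from the antivirus vendors' published removal
guidance for the 2012 Java-exploit variants: the trojan persisted by injecting
a library through the DYLD_INSERT_LIBRARIES environment variable, set either
per user in ~/.MacOSX/environment.plist or system-wide in a browser's
Info.plist under LSEnvironment.  Because Flashback infected one user account
at a time, every local home directory must be inspected, not just the account
running the scan.  The sample plists at the bottom are constructed for the
demonstration and the library paths in them are hypothetical.
"""
import plistlib
from pathlib import Path
from typing import Dict, Iterable, List

INJECT_KEY = "DYLD_INSERT_LIBRARIES"


def injected_libraries(plist_bytes: bytes) -> List[str]:
    """Return the DYLD_INSERT_LIBRARIES entries found in a plist, or [].

    Handles both layouts: the per-user environment.plist, where the variable
    is a top-level key, and an application Info.plist, where it sits inside
    the LSEnvironment dictionary.  Unparseable input is treated as clean so
    that one corrupt file does not abort a scan of all accounts.
    """
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return []
    if not isinstance(data, dict):
        return []
    env = data.get("LSEnvironment", data)  # Info.plist vs environment.plist
    if not isinstance(env, dict):
        return []
    value = env.get(INJECT_KEY)
    if not isinstance(value, str):
        return []
    # dyld accepts a colon-separated list of library paths.
    return [p for p in value.split(":") if p]


def scan_accounts(home_dirs: Iterable[Path],
                  app_plists: Iterable[Path]) -> Dict[str, List[str]]:
    """Check every local account's environment.plist plus the browser
    Info.plist files given, returning {path: [injected libraries]} for each
    file that carries an injection.  Missing files are simply skipped."""
    findings: Dict[str, List[str]] = {}
    candidates = [Path(h) / ".MacOSX" / "environment.plist" for h in home_dirs]
    candidates += [Path(p) for p in app_plists]
    for path in candidates:
        if not path.is_file():
            continue
        libs = injected_libraries(path.read_bytes())
        if libs:
            findings[str(path)] = libs
    return findings


# --- Constructed sample plists (not captured from a real infection) ---------
_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<plist version="1.0">\n')

CLEAN_ENV_PLIST = _HEADER + b"""<dict>
  <key>PATH</key><string>/usr/bin:/bin</string>
</dict></plist>"""

# Per-user injection: hypothetical library name under the user's home.
INFECTED_ENV_PLIST = _HEADER + b"""<dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/alice/.example_inject.so</string>
</dict></plist>"""

# System-wide injection through a (hypothetical) browser bundle's LSEnvironment.
INFECTED_INFO_PLIST = _HEADER + b"""<dict>
  <key>CFBundleIdentifier</key><string>com.example.browser</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Example.app/Contents/Resources/.example_inject.so</string>
  </dict>
</dict></plist>"""


def demo() -> Dict[str, List[str]]:
    """Lay the constructed plists out on disk the way a two-account Mac would
    and run the scan; returns the findings so callers can inspect them."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    homes = [root / "Users" / "alice", root / "Users" / "bob"]
    for h in homes:
        (h / ".MacOSX").mkdir(parents=True)
    (homes[0] / ".MacOSX" / "environment.plist").write_bytes(INFECTED_ENV_PLIST)
    (homes[1] / ".MacOSX" / "environment.plist").write_bytes(CLEAN_ENV_PLIST)
    app = root / "Applications" / "Example.app" / "Contents"
    app.mkdir(parents=True)
    (app / "Info.plist").write_bytes(INFECTED_INFO_PLIST)
    return scan_accounts(homes, [app / "Info.plist"])


if __name__ == "__main__":
    for path, libs in demo().items():
        print(f"{path}: {INJECT_KEY}={':'.join(libs)}")
```

On a real machine the caller would pass every directory under /Users (plus the browser bundles' Contents/Info.plist files) rather than the temporary layout built by demo(); the point of the design is that scan_accounts never assumes the current user is the only one worth checking, and that a hit in an application bundle affects every account on the machine at once.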


See also

* Mac Defender
* Leap (computer worm)


References

1. Intego Security, "Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package", September 26, 2011.
2. Jacqui Cheng, "Flashback Trojan reportedly controls half a million Macs and counting", Ars Technica, 4 April 2012.
3. Dr. Web, "Doctor Web exposes 550 000 strong Mac botnet", 4 April 2012.


External links


* Apple Delays, Hackers Play (April 12, 2012)

Categories: MacOS malware, Trojan horses