A report from Mac security specialist Intego describes the Mac Flashback trojan as malware that “patches web browsers and network applications essentially to search for user names and passwords.” The assumption is that the target is bank details for immediate use, and passwords for longer term use. “Hint:” says Intego, “don’t use the same password for all websites!” Intego first reported on this Flashback variant earlier this month, but has now seen increasing signs of its success.
If the trojan cannot install itself directly – for example if Java is fully patched – Flashback attempts to trick the user into doing so. An “applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.” But the trojan won’t attempt to install itself if the Mac has anti-virus. “It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.”
Apart from attempting to steal user credentials, Flashback also introduces instability causing a number of applications such as Safari and Skype to crash, “because the injected code interferes with the program making it unstable.” The two defenses are to install anti-virus and keep applications such as Java fully patched – advice that should be heeded by all computer users all of the time. Mac users, however, should also take this as a warning that Macs are not as secure as their reputation suggests.
“The malware problem on Macs,” comments Graham Cluley of Sophos, “is still much much smaller than it is on Windows – but that doesn't mean it’s non-existent and it isn't going to be much consolation if you're one of the poor folks who gets hit. Mac users should protect their computers from malware, just like their Windows cousins.” Intego has seen evidence “that many Mac users have been infected by this malware;” clearly indicating that anti-virus is not yet considered de rigueur by the Mac community.