The source of the Apple Mac Flashback Trojan was probably a large clutch of compromised US-based WordPress blog websites hijacked to push visitors to malware hosts, Kaspersky Lab research has revealed.
As has previously been established by various sources, between September 2011 and February of this year, the malware was distributed using social engineering attacks that asked users to download a bogus Adobe Flash Player plugin.
By late February this strategy changed thanks to a new partner program which distributed the malware as a drive-by attack hitting three common Java vulnerabilities via compromised websites.
The change in tack paid off handsomely, infecting 744,000 OS X users according to Kaspersky numbers culled from individual IP addresses connecting to its Flashback (or ‘Flashflake’) sinkhole.
Websense has estimated the number of infected WordPress sites to be 30,000, with others putting the number as high as 100,000 but what matters is that the overwhelming majority – 85 percent – were based in the US.
Some of the sites used to host the attack could have become infected after naïve admins installed a rogue WordPress utility, ToolsPack. This inserted a simple script on the site capable of redirecting vulnerable users to a malware host.
Kaspersky reports that 205,622 Mac users have checked for infection on the flashbackcheck.com website it set up, with 3,624 of these turning out to be infected, a malware rate under 2 percent. The overall infection numbers have declined rapidly since last week.
“Apple is not used to reacting to these kinds of attack,” said Kaspersky researcher, Vincente Diaz.
The company was in the habit of writing its own patches for Java vulnerabilities instead of simply applying those coming from Java overseer, Oracle. In the case of Flashback, this had introduced delays to those patches being applied, he said.
“Mac OS invulnerability is a myth.”
Criminals were now able to attack OS X systems using cross-platform (i.e Java) malware re-purposed from the PC world. Mac users were an attractive target and its user base should expect more attacks during 2012 despite the appearance of Apple’s GateKeeper security in Mountain Lion.