Mac malware attacks traced to hacked WordPress blogs

Hacked WordPress blogs may have been used to initially spread the Flashback/Flashfake malware that infected as many as 600,000 Mac OS X computers earlier this month, a computer security firm said.

 

Kaspersky Labs said that from September 2011 to February 2012, the malware was distributed using social engineering, targeting visitors of the hacked blogs.

 

"From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update. It meant the Trojan was being distributed as installation archives named 'FlashPlayer-11-macos.pkg,' 'AdobeFlashUpdate.pkg,' etc.," it said.

 

It was only in February that those behind the malware exploited the vulnerabiltiies in unpatched Java on Apple OS X machines, Kaspersky said.

 

The exploitation of that vulnerability was first reported in March 2012.

 

"At that point, it was a vulnerability in Mac OS X that remained unpatched, despite the fact that Oracle had released a patch for it in February. This was because Apple never uses patches from Oracle and creates its own patches to close Java vulnerabilities. The patch for Mac OS X which closed the CVE2012-0507 vulnerability was released in early April," it noted.

 

On the other hand, Kaspersky said the Flashfake authors used a cybercriminal partner program that appears to be of Russian origin to compromise WordPress sites.

 

By end-February or early March, tens of thousands of sites powered by WordPress were compromised although how it happened is still not clear, Kaspersky said.

 

"The main theories are that bloggers were using vulnerable versions of WordPress or they had installed the ToolsPack plugin. Websense put the number of affected sites at 30,000, while other companies say the figure could be as high as 100,000. Approximately 85 percent of the compromised blogs are located in the US," it said.

 

Kaspersky added code was injected into the main pages when the blogs were hacked.

 

"As a result, when any of the compromised sites were visited, a partner program TDS was contacted. Depending on the operating system and browser version, the browser then performed a hidden redirect to sites in the rr.nu domain zone that had the appropriate set of exploits installed on them to carry out an infection," it said.

 

Once activated, the malware checks for firewall and other security apps. If no app is detected, it connects to a command-and-control server and relays information about the infected system. — TJD, GMA News