The source of the ongoing Apple Mac Flashback Trojan infections was probably compromised WordPress blogs, hijacked to push visitors to malware hosts, reports Securelist.
“The main theories are that bloggers were using vulnerable versions of WordPress or they had installed the ToolsPack plugin. Websense put the number of affected sites at 30,000, while other companies say the figure could be as high as 100,000. Approximately 85% of the compromised blogs are located in the US.
From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update. It meant the Trojan was being distributed as installation archives named “FlashPlayer-11-macos.pkg”, “AdobeFlashUpdate.pkg”, etc.”
Kaspersky reports that 205,622 Mac users have checked for infection on the flashbackcheck.com website it set up, with 3,624 of these turning out to be infected, a malware rate under 2 percent. The overall infection numbers have declined rapidly since last week.
“Apple is not used to reacting to these kinds of attack,” said Kaspersky researcher Vicente Diaz.
Apple was in the habit of writing its own patches for Java vulnerabilities instead of simply applying those coming from Java's overseer, Oracle. In the case of Flashback, this had delayed those patches being applied, he said.
“Mac OS invulnerability is a myth.”
Read more: http://www.securelist.com/en/analysis/204792227/The_anatomy_of_Flashfake_Part_1