About Flashback

Dr.Web anti-virus
for macOS

When did Doctor Web discover BackDoor.Flashback.39?

BackDoor.Flashback malware have been known for quite a while, since October 2011. The BackDoor.Flashback.39 modification was added to the Dr.Web virus databases on March 27, 2012.

How does a system get infected with BackDoor.Flashback.39?

Two simple conditions must be met for a system to get infected with BackDoor.Flashback.39: Java Virtual Machine must be installed in the system, and a user must load a compromised web-page in the browser. It can be a specifically designed malicious web page or a compromised resources which virus writers have access to. The embedded malicious code loads a Java applet. The applet exploits a Java vulnerability and saves an executable and a .plist file responsible for its launching on the hard drive of the Apple computer After that, the applet transfers the saved configuration file to the launchd service that allows it to run the Trojan without user intervention. In fact, the user does not notice anything—they are viewing a web page in the browser while their Mac is already infected with malware.

A system can be infected regardless of the browser one uses?

Yes, it does not matter which browser you use. If you have the Java Virtual Machine installed and you have not downloaded the Apple security update, your system is at risk.

Does one need to enter a password to let the Trojan in?

No, there is no need to enter a password. A system is infected automatically without user intervention.

And if I never use macOS under an administrator account?

It is irrelevant. BackDoor.Flashback.39 doesn't require administrative privileges under macOS to perform its malicious tasks.

Is BackDoor.Flashback.39 a virus or a Trojan horse?

Unlike Trojan horses, viruses can replicate. Trojans can not replicate. BackDoor.Flashback.39 is a Trojan horse. It gets into a system and infects it without user intervention but a user needs to to visit a malicious website to enable the program to compromise the system. However, despite this fact, do not underestimate the severity of this threat.

How did Doctor Web discover the Trojan horse in the first place?

The vulnerability used by BackDoor.Flashback.39 has been known for quite some time, not only under macOS, it was discovered under Windows and other operating systems. At the end of March 2012 Doctor Web's anti-virus laboratory has been informed that attackers exploited this vulnerability to spread malicious software under macOS rather than under Windows. A malicious sample was analysed and added to the virus databases on March 27. However, shortly afterwards another Java exploit-based attack under macOS was reported, more followed. The information allowed analysts to assume that a bot net comprised of Mac machines could exist. But given the high security of the operating system and its architecture, the botnet was believed to be small. Doctor Web's analysts decided to test this hypothesis. Reality has surpassed all expectations.

How were infected computers counted?

To calculate the number of hosts in the botnet, virus analysts employed sinkhole technology. BackDoor.Flashback.39 like many other Trojans, does not contain control server addresses in its code. Instead it uses a special routine to generate them as domain names. It enables criminals to quickly register a new control server if anti-virus companies block available ones if they learn the routine employed by the Trojan horse to select such names. In addition, this approach allows intruders to balance the load between several control servers. If a botnet becomes large enough, one command server can simply be unable to cope with the network management. Therefore, the Trojan consistently queries all control servers it can find. The rest was easy: Doctor Web's analysts reverse-engineered the routine used by BackDoor.Flashback.39 to generate domain names, registered several such names and ran a control program of their own at these addresses. At first, it was suggested that some Trojan horses communicating with the control server, run by Doctor Web's analysts, could run under Windows but Doctor Web's analysts found evidence that it was not the case. All the bots identified by the anti-virus laboratory were running under macOS.

What is the danger of BackDoor.Flashback.39 for a user?

BackDoor.Flashback.39 can download from the Internet and run any other executable files on an infected machine. It can be any program selected by attackers. Thus, the Mac may be the part of a DDoS-network, intruders can steal passwords used to access various sites, install a sniffer or keylogger in the system or mount a phishing attack. The options are basically limited only by virus writers' imagination.

If I have installed Apple Java updates, does this mean that my Mac is protected from the Trojan BackDoor.Flashback.39?

No. Installing the update will eliminate the infection risk, but if the malware has already penetrated into your computer, the update will not help.


How do I learn if my computer is infected with Trojan BackDoor.Flashback.39?

Doctor Web has created a special online service that lets you check whether your computer is infected: https://www.drweb-av.de/flashback. In order to use this service, you need to enter the UUID of your Apple-computer into the special field. This service is provided free of charge.

My computer is infected! How do I remove BackDoor.Flashback.39?

You can download Dr.Web for macOS Light free of charge from the App Store link and perform a full scan of your system. If the threat is detected, it will be removed automatically.

Who benefits from the spread of BackDoor.Flashback.39?

The vulnerability exploited by the Trojan BackDoor.Flashback.39 has been well known to the public for a long time. It would be surprising if attackers did not take advantage of this unique opportunity.

Do I need to use anti-virus software under macOS?

It's up to you. Of course, the operating system manufactured by Apple is much better protected against malware than Windows, but it is still not hundred percent safe and the BackDoor.Flashback.39 outbreak prooves it. The anti-virus program Dr.Web for macOS Light is free. Mac users can download it from the App Store and use it without any restrictions or to removeit, if they for some reason they do not like it.