April 24, 2012
How Many On The Botnet? Flashback Malware May Still Be A Real Threat
Michael Harper for RedOrbit.com
Dr. Web, the Russian security firm that first discovered the Flashback botnet affecting thousands of Macs, says Apple's attempts to fight it aren't yet working. Its report, released on Friday, contradicts reports from other security firms that claim the botnet is shrinking.
The disagreement began on Friday, when Dr. Web issued a report saying it hasn't seen a decrease in the number of Macs infected with the malware since Apple began to acknowledge and attack the problem. Quite the contrary, as it turns out. When the story broke on April 4, 2012, it was estimated that there were as many as 650,000 infected Macs worldwide. As the firm writes in its report, "According to Doctor Web, 817,879 bots connected to the BackDoor.Flashback.39 botnet at one time or another and average 550,000 infected machines interact with a control server on a 24 hour basis." Dr. Web also goes on to say there was an initial drop in infected Macs, but the number began to climb, and continues to do so every day.
Symantec, on the other hand, reported a more significant decrease in infected Macs, though it still noted that the number was too high considering Apple's attempt to remedy the problem.
"We had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case," Symantec wrote in their report.
"Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark."
Part of what is causing the conflicting reports between these two security firms is the way these infected computers are counted.
Dr. Web has been registering domains and setting up servers (sinkholes) to catch the bots as they check in with their command servers. The Russian security firm says this gives it an accurate count, but it also interferes with other security firms' counts.
According to Dr. Web, "As a result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."
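The two effects described above, the difference between "bots seen at one time or another" and "bots seen per 24 hours", and the way a sinkhole that answers first captures bots so that later sinkholes never see them, can be illustrated with a small simulation. This is an added example, not code from Dr. Web, Symantec or the article; the domain walk order, the bot ids and the operator names are constructed assumptions, not Flashback's real rendezvous logic.

```python
"""Simplified model of why two sinkhole operators count one botnet differently.

Assumed (constructed) bot behaviour: each day an online bot walks a fixed list of
rendezvous domains in order and stops at the first one that answers, then waits in
standby and contacts no further domain that day. An operator whose sinkhole sits
earlier in the list therefore captures the bot; later sinkholes never hear from it.
"""
from collections import defaultdict

# Constructed rendezvous order the bots walk; not Flashback's real domain list.
DOMAINS = ["c2-a", "c2-b", "c2-c", "c2-d"]

# Constructed population: which bot ids are online on which day.
ONLINE_BY_DAY = {
    1: {"bot1", "bot2", "bot3"},
    2: {"bot2", "bot3", "bot4"},
    3: {"bot5"},
}


def observe(sinkholes, online_by_day):
    """Return {operator: (unique bots ever seen, average bots seen per day)}.

    sinkholes maps a domain to the operator that registered it as a sinkhole.
    Domains absent from the mapping do not answer, so bots move on to the next one.
    """
    seen_ever = defaultdict(set)
    seen_daily = defaultdict(lambda: defaultdict(set))
    for day, bots in online_by_day.items():
        for bot in bots:
            for domain in DOMAINS:
                operator = sinkholes.get(domain)
                if operator is not None:
                    seen_ever[operator].add(bot)
                    seen_daily[operator][day].add(bot)
                    break  # got a reply: standby, no further domains contacted
    days = len(online_by_day)
    return {
        op: (len(seen_ever[op]),
             sum(len(seen_daily[op][d]) for d in online_by_day) / days)
        for op in set(sinkholes.values())
    }


if __name__ == "__main__":
    # Operator 2 alone would see every bot; with operator 1 earlier in the list
    # it sees none, so the same botnet yields two very different counts.
    print(observe({"c2-c": "operator-2"}, ONLINE_BY_DAY))
    print(observe({"c2-a": "operator-1", "c2-c": "operator-2"}, ONLINE_BY_DAY))
```

The first number in each tuple corresponds to the "at one time or another" figure, the second to the "on a 24 hour basis" average; both are measured by the same sinkhole, yet they differ by design.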
Symantec, on the other hand, claims Dr. Web's count is so high because it includes all the different variations of the Flashback malware, including the recently discovered OSX.sabpab malware.
Yesterday, a new variant of the Flashback malware was discovered, which could also be inflating Dr. Web's high numbers. Security company Intego discovered this new variant, called "Flashback.S," and says it, too, takes advantage of an Apple Java vulnerability that Apple has already patched. Flashback.S installs itself in the user's home folder without requiring a password, then deletes all files and folders from Java's cache to hide its presence. Intego isn't yet sure how many computers are infected or what the malware is programmed to do once it installs itself.
The original cautions still apply: Mac users should always check for and install updates frequently, and take extreme caution when visiting questionable websites. The best way to make yourself completely immune to these Flashback variants is to disable Java entirely. Users won't notice any difference on the web, as only a few sites that run chat rooms or games still use Java. The Cult of Mac has a handy guide to disabling Java in Safari, Chrome, and Firefox.