Tuesday, April 24, 2012

Flashback Still Plagues Macs

from pcworld.com

Contrary to reports by several security companies, the Flashback botnet is not shrinking, the Russian antivirus firm that first reported the massive infection three weeks ago claims.

Dr. Web, which earlier this month was the first to report the largest-ever successful malware attack against Apple's OS X, said Friday that the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.
Also on Friday, Liam O Murchu, director of operations at Symantec's security response center, confirmed that Dr. Web's numbers were correct.

Optimism Refuted

Both Dr. Web's tally and its contention that infections are ongoing flew in the face of other antivirus companies' assertions. Kaspersky Lab and Symantec, which have each "sinkholed" select domains -- hijacked them before the hackers could use them to issue orders to compromised machines -- used those domains to count the Macs that try to communicate with the malware's command-and-control centers.

Earlier this week, Symantec said the Flashback botnet had shrunk by 60 percent and was down to 142,000 machines. Kaspersky claimed that its count registered only 30,000 infected Macs.
Not even close, said Dr. Web in a Friday blog post.
"The number is still around 650,000," said Dr. Web.
On April 16, the company continued, it said 595,000 different Macs were registered on the botnet, while the next day, April 17, the count was over 582,000.
Symantec's O Murchu said Dr. Web is right.
"We've been talking with them about the discrepancies in our numbers and theirs," said O Murchu in an interview Friday. "We now believe that their analysis is accurate, and that it explains the discrepancies."
When asked for comment, Kaspersky Lab said it was looking into the matter.

Malware Outsmarts Monitors

According to Dr. Web, counts by others were incorrect because of how the malware calculates the locations of command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.
Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month, and that after an infected Mac asks those servers -- controlled by Dr. Web -- for instructions, they then reach out to another domain.

Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.
But Dr. Web did know what happens next in Flashback's complex communication scheme.
"This server communicates with bots but doesn't close a TCP connection," wrote Dr. Web. "As [a] result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec].
"This is the cause of controversial statistics," said Dr. Web.
Firms that reported a decrease in the Flashback botnet attributed the decline to the Java update that Apple distributed April 3, the detect-and-delete tool it shipped on April 12, similar tools issued by several antivirus vendors and the intense media attention paid to the outbreak.
Dr. Web's numbers hint that all of that was in vain.
Flashback's primary attack vector has been a Java vulnerability that Oracle patched in February, but Apple fixed only seven weeks later. Apple maintains its own version of Java for Mac OS X.
The French security company Intego first spotted the Flashback variant that exploited the then-unpatched Java bug in late March.


  1. Rixstep (a site that seems to be a run by a bunch of ex-NeXtie ubergeeks) has dished out plenty of anti-Apple criticism of its own, but even they think this is a load of crap.


  2. LOL where the hell did you find that? I like how his entire argument is an opinion with no facts to support it. Are you sure YOU didn't write that Brett?

  3. Yeah you idiot. What do you back up your arguments with? Macs can and have been infected more than you know.


  4. In order to inflate stats to FUDtacular proportions, the security software companies count any email message with a Windows Word Trojan enclosure as an "infection".

    I receive crap spam like this all the time. So what? They go straight to my junk mail folder. As a Mac user I could care less. I never open 'em. But more importantly, even if I did, they don't execute.

    I'm sorry If I refuse to panic on schedule for these companies that would like nothing more then for me to buy their security software.

  5. Where did you see that? Infections are only reported on computers (or in this case Macs) that actually show signs of an infection. The Macs in this case were reporting to a remote server. Stop making stuff up a-hole.

  6. Ooooh, he called me an a-hole! I'm telling.

    I was referring to the Washington Post article (linked to in the message preceding mine), where the headline is "One on five Macs carry malware". This is misleading, and clearly intended to drive Sophos' security software sales.

    The article states: "The [Sophos] study asserts that one in every five Macs has Windows malware, which can be passed on to other computers."

    In order to pass it on to a Windows users, the Mac user would have to manually forward his spam email with bogus enclosures to them. If anything, this is a Windows problem not a Mac problem.

    Also from the article:

    "According to the study, only one in 36 Mac users were found to be carrying viruses, spyware or Trojans intended for Mac OS X."

    That's a far cry from one in five (20%)

  7. A more balanced appraisal is here:


    You'll be pleased to note that the author recommends installing security software as a curtesy to Windows users.

  8. "Sophos admits bad update slamming its anti-virus software customers
    Sophos apologizes for faulty update to its anti-virus software which is causing disruptions for customers"