Security experts: 600,000+ estimate of Mac botnet likely on target
Researchers from several security firms say the unparalleled Mac infection is real
Computerworld - Security experts today could not confirm claims by Doctor Web, a little-known Russian antivirus company, that more than 600,000 Macs have been infected with a zero-day-exploiting Trojan, but they said the number was within reason.
"Even though the number is very, very large, it seems correct," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. He added that Doctor Web's methodology looked spot-on.
Wednesday, Doctor Web estimated that more than half a million Macs had been infected with Flashback, a Trojan horse installed through drive-by attacks when users surf to compromised websites, making the ensuing collection of computers -- a "botnet" in security vernacular -- the largest ever for Apple's machine.
Doctor Web's researchers were able to "sinkhole" part of the Flashback botnet -- hijack some of the domains used to issue commands to infected computers -- and calculated the size of the botnet by counting the UUIDs (universally unique identifiers) presented by OS X to the controlling servers.
Thursday, Doctor Web upped its estimate to just over 613,000.
While some botnets composed of Windows PCs have been much larger -- Conficker, for instance, hijacked millions of machines -- the size of the Flashback infection is unprecedented for Mac OS X.
Skepticism about the number of infected Macs is probably unwarranted, said several security professionals interviewed today by Computerworld, citing circumstantial evidence that Flashback could have been this successful.
Among the clues, they said, were the Flashback gang's use of a zero-day Java vulnerability that Apple patched only this week, the tactic the cybercriminals used to infect unwary Mac owners and the availability of operating-system-independent, Web-based exploit kits.
"A lot of things happened at the same time," said Mike Geide, senior security researcher at Zscaler ThreatLabZ. "There have been mass compromises of WordPress sites, and the controllers [for those hijacked websites] match the domain structure Doctor Web described. That's been ongoing since at least early March."
WordPress is a popular open-source blogging and content management platform used by about one in seven websites.
Those usurped WordPress sites have been redirecting users to malicious URLs, where hackers have hosted the Blackhole exploit kit. Blackhole tries multiple exploits, including several aimed at Java bugs on Macs, to compromise machines.
The sheer size of the WordPress installed base and the scope of the WordPress injection campaign means that it would not have been impossible for hackers to poison more than 600,000 Macs.
"The number is entirely feasible," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks. Atlanta-based SecureWorks is well-known for its botnet research.
"In fact, I'm actually kind of surprised that Macs aren't targeted more frequently," added Stone-Gross. "[Exploit] toolkits include exploits that could be easily modified to run on any OS, especially those for vulnerabilities in Java, Flash Player and other software that runs on any operating system. They're all vulnerable to the same exploits."
None of the researchers or companies contacted by Computerworld were able to definitively confirm Doctor Web's numbers, however. That would require the same kind of access to the Flashback command-and-control infrastructure that the Russian firm claimed to have obtained.
But several companies said they were working on the problem, including Kaspersky, SecureWorks and Symantec.
"If you had a sinkhole, you could get a more granular idea of the size [of the botnet]," said Liam O Murchu, manager of operations at Symantec's security response team, discussing the duplication of Doctor Web's work. "But there are other ways we can use to see similarly large botnets."
Not every researcher bought into Doctor Web's numbers.
"We are not sure that all 500K [of the Flashback bots] are Mac users," said Aleks Gostov, a chief security expert with Kaspersky, in a message on Twitter on Thursday. "I have some suspicions that probably bots for Windows [are] also present."
Gostov seemed to base his opinion on the fact that Windows machines provide a GUID (globally unique identifier), Microsoft's implementation of the UUID standard. If Doctor Web wasn't able to correctly parse the hexadecimal string that represents the GUID/UUID, the Russian firm may have counted Windows PCs among the 600,000-plus it thinks are Mac machines.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts