Flashback Mac botnet shrinks, says Symantec
Number of infected Macs falls by 60%, probably because users are scrubbing malware from systems
Computerworld - The number of Macs infected with the Flashback malware has plummeted in the last few days, antivirus vendor Symantec said today.
As of Wednesday, Symantec estimated that approximately 270,000 Macs were infected with Flashback, down from a peak of more than 600,000 systems on April 6.
Liam O Murchu, the manager of operations with Symantec's security response team, attributed the decline to the "sinkholing" operations conducted by it and other security firms, and to the widespread news of the malware's reach.
"I think what's probably contributing to the decrease in numbers is the awareness of the malware," said O Murchu, referring to the scores of news stories and blog posts that have run since April 4, when a Russian security company announced Flashback had infected more than half a million Macs.
Even so, O Murchu said Symantec had no definitive proof of why the botnet was shrinking, only suspicions.
Symantec tracked the decline of the Flashback botnet -- from 600,000 Macs last week to 380,000 as of Tuesday to 270,000 yesterday -- by using the same intelligence-gathering tactic as the one deployed by two Russian security companies who came up with separate estimates of the Flashback infection.
Flashback includes a domain-generation algorithm that tells the malware where to look for commands each day, a common technique by bot makers. Symantec cracked the algorithm to determine those domains -- they're essentially a jumble of letters -- and registered a week's worth of them. It then set up its own servers on the domains and waited for infected Macs to reach them for orders.
The process, called sinkholing, was also used by Dr. Web and Kaspersky Lab, the two Russian antivirus firms that last week put a number on the size of the Flashback botnet.
Sinkholing also prevents any newly-infected Macs from communicating with the hackers' command-and-control servers, stymying the installation of additional attack code on the machines.
"It prevents new infections," asserted O Murchu.
The criminals responsible for Flashback have also stopped serving malicious content from a number of domains they registered late last month and in early April, Symantec reported.
Kaspersky's sinkhole also reported a drop in the number of Flashback-infected systems connecting to its servers. Earlier this week, Kaspersky said the botnet had gone into free fall, dropping from a high of 650,000 on Friday, April 6 to 237,000 on Sunday.
Other botnets have been suppressed using the sinkholing tactic, most recently last month when four security companies and organizations crippled the resurgent Kelihos botnet.
O Murchu was open to a coordinated effort to do the same with the Flashback botnet, even though that wasn't Symantec's original purpose for grabbing the communication domains.
"That's definitely a possibility, if it was done in a coordinated way," O Murchu said.
Flashback can be removed with one of several tools now available on the Internet, including scrubbing utilities created by Kaspersky and F-Secure. Apple this week also promised it would release its own detect-delete tool, but has not disclosed a delivery date.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts