Flashback botnet not shrinking, huge numbers of Macs still infected
Russian AV firm says rivals got the numbers wrong, botnet still controls 650,000 Macs
Computerworld - Contrary to reports by several security companies, the Flashback botnet is not shrinking, the Russian antivirus firm that first reported the massive infection three weeks ago claimed today.
Dr. Web, which earlier this month was the first to report the largest-ever successful malware attack against Apple's OS X, said Friday that the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.
Also on Friday, Liam O Murchu, manager of operations at Symantec's security response center, confirmed that Dr. Web's numbers were correct.
Both Dr. Web's tally and its contention that infections are ongoing flew in the face of other antivirus companies' assertions. Kaspersky Lab and Symantec, which have each "sinkholed" select domains -- hijacked them before the hackers could use them to issue orders to compromised machines -- used those domains to count the Macs that try to communicate with the malware's command-and-control centers.
Earlier this week, Symantec said the Flashback botnet had shrunk by 60% and was down to 142,000 machines. Yesterday, Kaspersky claimed that its count registered only 30,000 infected Macs.
Not even close, said Dr. Web in a Friday blog post.
"The number is still around 650,000," said Dr. Web.
On April 16, the company continued, it said 595,000 different Macs were registered on the botnet, while the next day, April 17, the count was over 582,000.
Symantec's O Murchu said Dr. Web is right.
"We've been talking with them about the discrepancies in our numbers and theirs," said O Murchu in an interview Friday. "We now believe that their analysis is accurate, and that it explains the discrepancies."
When asked for comment, Kaspersky Lab said it was looking into the matter.
According to Dr. Web, counts by others were incorrect because of how the malware calculates the locations of command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.
Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month, and that after an infected Mac asks those servers -- controlled by Dr. Web -- for instructions, they then reach out to another domain.
Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.
But Dr. Web did know what happens next in Flashback's complex communication scheme.
"This server communicates with bots but doesn't close a TCP connection," wrote Dr. Web. "As [a] result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec].
"This is the cause of controversial statistics," said Dr. Web.
Firms that reported a decrease in the Flashback botnet attributed the decline to the Java update that Apple distributed April 3, the detect-and-delete tool it shipped on April 12, similar tools issued by several antivirus vendors and the intense media attention paid to the outbreak.
Dr. Web's numbers hint that all of that was in vain.
Flashback's primary attack vector has been a Java vulnerability that Oracle patched in February, but Apple fixed only seven weeks later. Apple maintains its own version of Java for Mac OS X.
The French security company Intego first spotted the Flashback variant that exploited the then-unpatched Java bug in late March.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts