Flashback cleanup stalls, 142K Macs still infected

Gang likely ex-Windows malware makers, says Symantec


"We always see [a slowing of cleanup efforts]," said O Murchu. "For example with Conficker, which got a huge amount of attention in the media, we still see people who are infected. There's a certain portion of people you just can't reach."

That may explain the lack of recent progress in pushing down the Flashback numbers.

O Murchu also said Symantec's experts believe the group responsible for Flashback is made up of ex-Windows malware writers who shifted to targeting Apple's operating system.

"The coding style used in [Flashback.K] shows us that the authors have written malware before," O Murchu said. Because little to no significant Mac malware circulated before the latest Flashback campaign, Windows is their probable prior platform.

"The domain name generation they're using [for their command-and-control servers], the signing of their payload so others can't hijack the botnet, those are techniques we've seen by Windows malware authors before, but they're not very common," O Murchu continued. "It's the best sort of guys using those things."

The alternative, he admitted, would be a group that had "done a lot of research" on current first-rate Windows malware strategies, then applied them to the Mac. However, that seems much less likely than a gang of experienced Windows hackers shifting their focus to Macs.

Symantec is monitoring the command-and-control domains that Flashback-infected Macs contact to download attack code, but none of them is currently hosting the group's digitally-signed payloads.
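The two techniques O Murchu singles out, algorithmic generation of the command-and-control domains and monitoring of those domains by defenders, are easier to picture with a concrete sketch. The following is an added example written for this page; it is not Flashback's code, nor Symantec's, and the article gives no details of the real algorithm. The seed, TLD list, label length, domains-per-day count and the DNS log format are all assumptions. It shows a time-seeded domain generation algorithm (DGA), the defender-side precomputation of the domains the bots will ask for once the algorithm and seed have been recovered from a sample, and a check of that watchlist against resolver logs.

```python
"""Hypothetical time-seeded DGA plus the defender-side watchlist built from it.

Added illustration, not Flashback's algorithm. Every constant below is an
assumption chosen for the example.
"""
import datetime
import hashlib

SEED = b"example-botnet-seed"          # assumed; in practice recovered from a sample
TLDS = ("com", "net", "org", "info")   # assumed
LABEL_LEN = 12                          # assumed
DOMAINS_PER_DAY = 5                     # assumed
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DEMO_START = datetime.date(2012, 5, 1)  # constructed date for the demo scenario


def generate_domains(day, seed=SEED, count=DOMAINS_PER_DAY):
    """Domains a bot would try on `day`.

    Every bot derives the same list from (seed, date, index), so the operator
    only needs to register one of them ahead of time and no single hard-coded
    hostname can be taken down to cut the botnet off.
    """
    domains = []
    for index in range(count):
        material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # byte % 26 is slightly biased toward the first letters; fine for a DGA
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_watchlist(start, days, seed=SEED):
    """Defender side: enumerate every domain the bots will ask for over the
    next `days` days so they can be sinkholed, blocked or watched before the
    bots need them. Returns {domain: scheduled date}."""
    watchlist = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        for domain in generate_domains(day, seed):
            watchlist[domain] = day
    return watchlist


def match_dns_log(log_lines, watchlist):
    """Flag resolver queries whose name is on the watchlist.

    Constructed log format: '<timestamp> <client-ip> <qname>'.
    Returns a list of (client, qname, date the domain is scheduled for)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in watchlist:
            hits.append((parts[1], qname, watchlist[qname]))
    return hits


def demo():
    """Constructed scenario: one internal host asks for the first DGA domain
    of the day; the remaining queries are benign."""
    watchlist = precompute_watchlist(DEMO_START, days=30)
    dga_domain = generate_domains(DEMO_START)[0]
    log = [  # constructed sample lines, not real traffic
        "2012-05-01T09:12:01 10.0.0.7 www.apple.com.",
        f"2012-05-01T09:12:03 10.0.0.23 {dga_domain}.",
        "2012-05-01T09:12:05 10.0.0.7 time.apple.com.",
    ]
    return match_dns_log(log, watchlist)


if __name__ == "__main__":
    for client, qname, day in demo():
        print(f"{client} queried DGA domain {qname} (scheduled for {day})")
```

The asymmetry this illustrates is the one the article describes from the defender's side: as long as the seed and algorithm stay secret the operator can move the C2 daily, but once a sample has been reverse-engineered the defender can compute the same schedule and register, sinkhole or simply watch the domains before the bots ever query them.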

"I think we have this variant somewhat under control," O Murchu said. "There are no new infections [taking place] and we're watching the command-and-control domains very carefully."


Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.


Copyright © 2012 IDG Communications, Inc.
