Mac Flashback Malware Still Going Strong, Security Experts Say - eWeek

Security experts looking at the Flashback malware that had infected hundreds of thousands of Apple Macs worldwide are trying to come to an agreement over how many of these systems are still compromised by the exploit.

Earlier this month, Internet security companies Kaspersky Lab and Dr. Web, a smaller Russian firm that first reported on the extent of the Flashback infection, estimated that the Flashback malware had infected more than 600,000 Macs globally, or more than 1 percent of all the Macs in use. The number represented what many security experts said was the largest Mac infection in history.

Last week, after a host of security software vendors and Apple itself had rolled out free tools designed to detect and remove the malware, several firms said the number of infected Macs was shrinking. Security software vendor Symantec said that based on its "sinkhole" operation, the number of infected Macs had dropped to about 140,000, though that number seemed to be stabilizing. Kaspersky, which had dubbed the malware "Flashfake," tagged that number at a little more than 30,000.

However, the security experts at Dr. Web disagreed, arguing that the Flashback malware was still going strong.

"The botnet statistics acquired by Doctor Web contradicts recently published reports indicating a decrease in the number of Macs infected by BackDoor.Flashback.39," the company said in an April 20 blog post. "The number is still around 650,000."

And other security experts may be coming around to Dr. Web's way of thinking. Speaking to ComputerWorld April 20, Liam O Murchu, manager of operations at Symantec's security response center, said that after a discussion with the Dr. Web experts, it appeared the Russian antivirus firm was correct. For its part, Kaspersky experts reportedly are looking into the matter.

Officials at Mac security software vendor Intego argued in a pair of April 20 posts on its Mac Security Blog that they also believed the numbers of compromised Macs were still high.

"Intego has analyzed the malware, and, following discussions with other security companies, has determined that not only are these numbers incorrect, they are underestimating the number of infected Macs," the officials wrote. "[W]e conclude that not only are a larger number of Macs infected than what is being reported, but it is very likely that infections are continuing."

Dr. Web and Intego officials said that the discrepancies in the numbers of infected Macs were caused by how the malware finds and communicates with command-and-control (C&C) servers, which send out instructions to the compromised Macs.

"The Flashback malware has a system by which it looks for a specific domain name on a specific day," according to Intego officials. "For example, the domain used on April 19 was lequkvmlratgsm.com. But, the malware does not only seek out a .com domain; it also looks for domains ending with .net, .info, .in and .kz. When the malware connects to one of these domains, it does not seek out other domains. Since multiple companies are running sinkhole servers, each one is only reporting on the numbers of infected Macs that they see, but not the aggregate of all the different servers for a given day. In addition, the samples that Intego analyzes using virtual machines do not contact the daily servers that certain companies have claimed are active."

Security firms like Symantec, Kaspersky and Dr. Web have been using sinkhole operations (essentially a server created by the companies to hijack information from compromised systems, which not only interferes with the communication with the C&C servers, but also enables the companies to monitor the malware) to gain visibility into the extent of the infections.

Dr. Web officials in their blog post said they found that infected Macs would ask the sinkhole servers for instructions, then communicate with another domain controlled by another party. After that, this "server communicates with bots but doesn't close a TCP connection. As the result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [such as Symantec and Kaspersky]. This is the cause of controversial statistics."
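The counting problem that Intego and Dr. Web describe above can be reproduced with a small model; this is an added example, not code from eWeek or any of the vendors quoted. The vendor names, the population of 10 bots, the owner assigned to each domain and the order in which each bot tries the domains are constructed assumptions; only the April 19 label and the five TLDs come from the article.

```python
from collections import defaultdict

# Constructed model, not measured data: vendor names, the bot population and
# the order in which bots try domains are all assumptions for illustration.
TLDS = ["com", "net", "info", "in", "kz"]      # TLDs named in the article
LABEL = "lequkvmlratgsm"                       # April 19 label quoted above
DOMAINS = [f"{LABEL}.{tld}" for tld in TLDS]

# Who answers for each candidate domain. "HOLD" is the third-party server that
# replies but never closes the TCP connection; None means it does not resolve.
OWNERS = dict(zip(DOMAINS, ["vendor_a", "HOLD", "vendor_b", "vendor_c", None]))


def contact_order(bot_index):
    """Assumption: each bot starts its walk at a different candidate."""
    k = bot_index % len(DOMAINS)
    return DOMAINS[k:] + DOMAINS[:k]


def simulate(n_bots, stop_on_first_contact):
    """Return {vendor: set of bot ids that vendor's sinkhole logged}."""
    seen = defaultdict(set)
    for bot in range(n_bots):
        for domain in contact_order(bot):
            owner = OWNERS[domain]
            if owner is None:
                continue          # no answer, try the next candidate
            if owner == "HOLD":
                break             # bot waits in stand-by, contacts nobody else
            seen[owner].add(bot)
            if stop_on_first_contact:
                break             # Intego: one contact per day, then stop
    return seen


def report(n_bots, stop_on_first_contact):
    """Per-vendor unique-bot counts and the count across all sinkholes."""
    seen = simulate(n_bots, stop_on_first_contact)
    per_vendor = {vendor: len(bots) for vendor, bots in sorted(seen.items())}
    combined = len(set().union(*seen.values()))
    return per_vendor, combined


if __name__ == "__main__":
    for mode in (True, False):
        print(mode, report(10, mode))
```

In both modes every vendor reports a different total for the same 10 infected machines, and even the combined figure misses the bots that reached the connection-holding server first.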

Intego officials agreed.

"It looks as though action has been taken with companies responsible for root nameservers to block the domains that the Flashback malware attempts to contact, and redirects these requests to the users' Macs," the company said in a second blog post. "The effect here is that the Macs are still infected, but they will not be able to contact the command and control servers, and, especially, cannot be counted by sinkholes. However, we cannot have any idea of the real scope of the Flashback malware infection."

The Flashback malware was first detected last fall, and at the time was a classic Trojan horse that disguised itself as an update to Adobe Flash. It has since evolved into a drive-by exploit, which infects Macs when users visit a compromised or malicious site. Kaspersky experts discovered that the Flashback attack probably started with tens of thousands of infected WordPress blog sites.

The attack also shook the theory of Macs' invulnerability to malware and exposed Apple's weaknesses in the area of security. The malware exploited a flaw in Java, which is owned by Oracle. In February, Oracle had issued a patch for the vulnerability for Windows PCs and other systems. However, Apple, which does not let third parties patch its operating systems, didn't issue its own fix for the problem until April 3, about the same time Dr. Web first announced that more than 600,000 Macs had been compromised.

Security experts also have warned that as Macs and other Apple products, including iPads and iPhones, become more popular with consumers and businesses, they also will become more popular targets for scammers.