By Alexandra Burlacu | Apr 21, 2012 01:23 PM EDT
While many security companies reported that the number of Flashback infected Macs is shrinking, Russian antivirus firm Dr. Web tells a different story. Dr. Web was the first to report the malware attack against Apple's OS X in early April. On Friday, April 20, the Web security firm said that the pool of Flashback-infected Macs is still high around the 650,000 mark, and infections continue to occur.
"The botnet statistics acquired by Doctor Web contradict recently published reports indicating a decrease in the number of Macs infected by BackDoor.Flashback.39. The number is still around 650,000," Dr. Web said in its Friday blog post.
American antivirus software company Symantec reported on Tuesday that the Flashback botnet infection has been reduced to just 140,000, a dramatic decrease from the estimated 600,000 in early April.
During a conference call with information-security specialists and journalists on Thursday, Kaspersky Lab, another Russian antivirus company, estimated that the Flashback botnet has dropped to only 30,000 machines. Dr. Web thinks it has found the reason behind such stark discrepancies in numbers.
Reasons for Discrepancy
"Recent publications found in open access report a reduction in the number of BackDoor.Flashback.39 bots. Typically, these materials are based on analysis of statistics acquired from hijacked botnet control servers. Doctor Web's analysts concluded a research to determine the reasons for this discrepancy," reads the company's blog post.
Dr. Web's blog post continues to explain how machines infected by the Flashback malware generate new domain names for command-and-control (C&C) servers. They do this by using pre-arranged algorithms that allow information-security companies to set up "sinkhole" servers, designed to capture and measure botnet traffic.
After running through the list of potential C&C servers, each infected machine then fires a request to a specific server. Instead of using a generated domain name, that server uses a static Internet Protocol (IP) address. The server does reply to the infected machine, but it also keeps the connection open, which means the infected machine cannot communicate with any other C&C servers. According to both Dr. Web and Symantec, a specific sinkhole at IP address 220.127.116.11 was failing to close TCP connections after communicating with infected machines. Dr. Web posted a screenshot to illustrate this. As a result, the infected machine is put in standby.
"Bots switch to the standby mode and wait for the server's reply and no longer respond to further commands," explains the blog post. "As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."
Symantec Agrees Dr. Web's Analysis is Accurate
Following the release of Dr. Web's latest estimate, Symantec agreed that Dr. Web's argument was valid, and updated its post. Symantec researchers now believe they "are receiving limited infection counts" for that Flashback Trojan. "We now believe that their analysis is accurate, and that it explains the discrepancies," Liam O Murchu, manager of operations at Symantec's security response center, told Computer World.
Earlier this month, Apple had issued a Flashback removal tool to block the Flashback malware installation and remove any instances of it, but has not commented on the infection. For now, only Apple knows how many Macs have actually applied the software patches. Mac users are advised to apply Apple's software updates and install antivirus software to avoid further infections.
(reported by Alexandra Burlacu, edited by Dave Clark)