Flashback Trojan Infection Bad as Ever: Is Apple Losing the Malware War?

By Alexandra Burlacu | Apr 21, 2012 01:23 PM EDT

While many security companies have reported that the number of Flashback-infected Macs is shrinking, Russian antivirus firm Dr. Web tells a different story. Dr. Web was the first to report the malware attack against Apple's OS X in early April. On Friday, April 20, the Web security firm said that the pool of Flashback-infected Macs is still high, around the 650,000 mark, and that infections continue to occur.

"The botnet statistics acquired by Doctor Web contradict recently published reports indicating a decrease in the number of Macs infected by BackDoor.Flashback.39. The number is still around 650,000," Dr. Web said in its Friday blog post.

American antivirus software company Symantec reported on Tuesday that the Flashback botnet infection has been reduced to just 140,000, a dramatic decrease from the estimated 600,000 in early April.

During a conference call with information-security specialists and journalists on Thursday, Kaspersky Lab, another Russian antivirus company, estimated that the Flashback botnet has dropped to only 30,000 machines. Dr. Web thinks it has found the reason behind such stark discrepancies in numbers.

Reasons for Discrepancy

"Recent publications found in open access report a reduction in the number of BackDoor.Flashback.39 bots. Typically, these materials are based on analysis of statistics acquired from hijacked botnet control servers. Doctor Web's analysts concluded a research to determine the reasons for this discrepancy," reads the company's blog post.

Dr. Web's blog post goes on to explain how machines infected by the Flashback malware generate new domain names for command-and-control (C&C) servers. They do this using pre-arranged algorithms, which is what allows information-security companies to set up "sinkhole" servers designed to capture and measure botnet traffic.

After running through the list of potential C&C servers, each infected machine then sends a request to one specific server that is reached at a static Internet Protocol (IP) address rather than a generated domain name. That server does reply to the infected machine, but it also keeps the connection open, which means the infected machine cannot communicate with any other C&C servers and is put in standby. According to both Dr. Web and Symantec, a specific sinkhole at IP address 74.207.249.7 was failing to close TCP connections after communicating with infected machines. Dr. Web posted a screenshot to illustrate this.

"Bots switch to the standby mode and wait for the server's reply and no longer respond to further commands," explains the blog post. "As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."
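The counting effect described above can be reproduced with a small model. This is an added example, not code from Dr. Web, Symantec or the original article; the server names, their contact order, the bot count and the `stall_rate` parameter are all constructed assumptions.

```python
import random

def simulate_sinkhole_counts(n_bots, contact_order, hanging_server,
                             stall_rate=1.0, seed=1):
    """Count the unique bots each server observes in one polling cycle.

    Every bot walks contact_order from first to last. When a bot reaches
    hanging_server, the connection is left open with probability
    stall_rate (an assumed parameter) and the bot waits in standby, so it
    never contacts the servers that come later in the list.
    """
    rng = random.Random(seed)
    seen = {server: set() for server in contact_order}
    for bot_id in range(n_bots):
        for server in contact_order:
            seen[server].add(bot_id)
            if server == hanging_server and rng.random() < stall_rate:
                break  # bot is stuck waiting for a reply that never ends
    return {server: len(bots) for server, bots in seen.items()}

# Constructed scenario: names, order and rates are illustrative only.
ORDER = ["sinkhole-A", "open-connection-server", "sinkhole-B", "sinkhole-C"]

def compare(n_bots=10_000, stall_rate=0.8):
    """Return per-server counts without and with the stalling server."""
    healthy = simulate_sinkhole_counts(n_bots, ORDER, None)
    stalled = simulate_sinkhole_counts(
        n_bots, ORDER, "open-connection-server", stall_rate)
    return healthy, stalled

if __name__ == "__main__":
    healthy, stalled = compare()
    for server in ORDER:
        print(f"{server:24} healthy={healthy[server]:6} "
              f"stalled={stalled[server]:6}")
```

Sinkholes that bots contact before the stalling server still see the whole population, while those contacted after it see only the bots that were not left in standby, which is how operators measuring the same botnet can arrive at very different totals.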

Symantec Agrees Dr. Web's Analysis is Accurate

Following the release of Dr. Web's latest estimate, Symantec agreed that Dr. Web's argument was valid, and updated its post. Symantec researchers now believe they "are receiving limited infection counts" for that Flashback Trojan. "We now believe that their analysis is accurate, and that it explains the discrepancies," Liam O Murchu, manager of operations at Symantec's security response center, told Computer World.

Earlier this month, Apple issued a Flashback removal tool to block installation of the Flashback malware and remove any instances of it, but the company has not commented on the infection. For now, only Apple knows how many Macs have actually applied the software patches. Mac users are advised to apply Apple's software updates and install antivirus software to avoid further infections.

(reported by Alexandra Burlacu, edited by Dave Clark)

 

© 2014 Mobile & Apps All rights reserved. Do not reproduce without permission.
