Half-million Mac infection estimate backed by new analysis

Researchers from Kaspersky Lab supplied more evidence that there are more than …

This map shows that Macs in the US are the hardest hit by the Flashback malware, followed by Canada, the UK, Australia, France, and Italy.

A second security firm took a shot at estimating how many Macs are infected by the Flashback malware and it arrived at the same conclusion as the first—more than half a million machines. That figure, documented in a Kaspersky Lab blog post published on Friday, would mean Flashback has infected slightly more than 1 percent of the 45 million Macs in existence.

Kaspersky Lab Expert Igor Soumenkov said researchers arrived at that number by registering a domain name used as a fallback command and control channel and logging the number of machines that reported to it. In less than 24 hours, a total of 600,000 unique bots connected to their server. Because Flashback shows the universally unique identifier of each bot, he said they're confident they didn't count the same one multiple times, although they couldn't rule out the possibility that some of the machines were running FreeBSD, Linux, Windows, or other operating systems.

Kaspersky's analysis also used passive OS fingerprinting techniques, however, and on that basis the researchers estimated that more than 98 percent of the incoming network packets were generated by Macs. By contrast, they estimated that 0.7 percent came from Linux machines, 0.6 percent came from Windows 7 or Windows 8 PCs, 0.3 percent from FreeBSD, and 0.5 percent came from machines running an unidentified OS.
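The two counting steps described above (deduplicating sinkhole check-ins by the bot's UUID, then estimating the OS mix from a passive-fingerprint label) can be illustrated with a small log tally. This is an added example written for this page, not Kaspersky's tooling; the log format, the UUID field, the `os` label (assumed to have been attached per session by a passive fingerprinter such as p0f) and all sample lines are constructed for illustration.

```python
"""Tally a C&C sinkhole log: count each bot once by its UUID, then estimate
the OS mix from a passive-fingerprint label attached to each check-in."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample log lines (not real data). The line format is an
# assumption for this example:
#   <timestamp> <source IP> <bot UUID> <os label from passive fingerprinting>
# Note: UUID ...002 checks in twice, ...004 and ...005 share a source IP
# (e.g. behind NAT), and one line carries a malformed identifier.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 203.0.113.5  0f6b0c8a-1111-4a1b-9c0d-000000000001 mac
2012-04-06T10:00:07Z 203.0.113.5  0f6b0c8a-1111-4a1b-9c0d-000000000001 mac
2012-04-06T10:01:12Z 198.51.100.9 0f6b0c8a-1111-4a1b-9c0d-000000000002 mac
2012-04-06T10:02:30Z 192.0.2.44   0f6b0c8a-1111-4a1b-9c0d-000000000003 linux
2012-04-06T10:03:45Z 198.51.100.9 0f6b0c8a-1111-4a1b-9c0d-000000000002 mac
2012-04-06T10:04:02Z 192.0.2.45   0f6b0c8a-1111-4a1b-9c0d-000000000004 windows
2012-04-06T10:04:59Z 203.0.113.77 not-a-uuid mac
2012-04-06T10:05:10Z 192.0.2.45   0f6b0c8a-1111-4a1b-9c0d-000000000005 unknown
"""

# Canonical 8-4-4-4-12 hex UUID; anything else is treated as noise, not a bot.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


@dataclass
class CheckIn:
    ts: str
    src_ip: str
    bot_id: str
    os_label: str


def parse_line(line: str) -> Optional[CheckIn]:
    """Parse one log line; return None for blank or malformed records."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src_ip, bot_id, os_label = parts
    bot_id = bot_id.lower()
    if not UUID_RE.match(bot_id):
        return None
    return CheckIn(ts, src_ip, bot_id, os_label.lower())


def tally(lines: Iterable[str]) -> Dict[str, object]:
    """Count unique bots by UUID (first check-in wins) and the per-bot OS share."""
    first_seen: Dict[str, CheckIn] = {}
    check_ins = 0
    malformed = 0
    for raw in lines:
        if not raw.strip():
            continue
        ci = parse_line(raw)
        if ci is None:
            malformed += 1
            continue
        check_ins += 1
        first_seen.setdefault(ci.bot_id, ci)   # repeated check-ins are not recounted

    unique_bots = len(first_seen)
    by_os = Counter(ci.os_label for ci in first_seen.values())
    os_share = {os_: round(100.0 * n / unique_bots, 1) for os_, n in by_os.items()} if unique_bots else {}
    # Distinct source IPs are reported too: they undercount bots behind NAT,
    # which is why the UUID, not the IP, is the unit of counting.
    unique_ips = len({ci.src_ip for ci in first_seen.values()})
    return {
        "check_ins": check_ins,
        "malformed": malformed,
        "unique_bots": unique_bots,
        "unique_ips": unique_ips,
        "by_os": dict(by_os),
        "os_share_pct": os_share,
    }


if __name__ == "__main__":
    for key, value in tally(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The OS share here is computed per unique bot; the article's 98 percent figure is a share of incoming packets, so a per-packet tally (count every check-in rather than the first per UUID) will weight chatty bots more heavily, which is worth stating whenever such a percentage is reported.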

The figures confirm previous estimates from Doctor Web, another security firm based in Russia, which on Wednesday also said 600,000 Macs were infected by Flashback. Doctor Web's researchers said 274 of the infected machines were observed checking in from Cupertino, California, where Apple's headquarters are located.

Ars has a detailed tutorial here showing how to detect and remove the malware.

A little more than half of the machines observed by Kaspersky—300,917, to be exact—used US-based IP addresses, with Canada, the UK, Australia, France, and Italy ranking second through sixth as the countries with the most infections. This represents a major coup for the Flashback operators: bots located in the US, Canada, and Europe fetch a premium in underground markets, since their owners tend to be more affluent and are therefore more valuable to the crooks preying on them.

Soumenkov said Flashback is distributed on compromised websites as a Java applet that's disguised as an update for the Adobe Flash Player. "The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan," he wrote. "The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute."

Is it a trojan or is it an exploit?

Earlier this week, researchers discovered a Flashback variant that exploited a critical Java vulnerability to install the Mac backdoor even when end users didn't enter an administrator password typically required to make important changes to their machines. In earlier incarnations, Flashback masqueraded as a Flash update that relied on the gullibility of its users to spread. Malware that hides itself in some other piece of software is classified as a trojan, while hacks that rely on a security flaw in an application or OS are known as exploits.

From Soumenkov's description, it's not clear which technique was used to infect the machines he observed. Kaspersky representatives weren't immediately available to clarify.