Flashback Mac Botnet Shrinking, But Researchers Disagree Wildly On How Much

Depending on which researcher you ask, the Flashback malware infection on Apple's Macs is either a nasty two-week flu from which 95% of users have already recovered, or an interminable plague that still infects nearly half a million Macs despite Apple's best efforts to kill it.

Tuesday evening, antivirus firm Symantec released statistics showing a steady drop-off in the number of computers infected with Flashback over the last week. According to the firm's count, 140,000 machines are now infected with the malicious software, compared with 600,000 on April 9th. But on Wednesday, other researchers who have spent the last month tracking the botnet's size gave me vastly different estimates, from as few as tens of thousands of machines to 460,000.

Boris Sharov, the chief executive of Dr. Web, the Russian security firm that first discovered the unprecedented Apple botnet, says his researchers counted 600,000 infected machines Tuesday and 460,000 Wednesday, and he expects that by the end of Wednesday the number will climb close to Tuesday's total.

Those numbers offer a far less optimistic picture of Apple users' recovery from Flashback, which has been reported to have peaked at around 650,000 infections, and call into question the effectiveness of Apple's fix for the malware: an update to Java that both removes existing infections and patches the vulnerability Flashback uses to install itself from websites. "There are millions of people who still believe Mac is safe," says Sharov. "They don't care. Plenty of people are not updating their Java. They say 'I'm too busy, let's wait until I have time.'"

The antivirus firm Kaspersky, on the other hand, counted a mere 45,000 active machines on Tuesday and just over 30,000 so far on Wednesday, numbers that imply the first major malware outbreak on Apple's platform is all but over.

What makes the disagreement especially vexing is that all three firms are using the same technique to measure the botnet's size: standing up fake "command and control" servers (sinkholes) at domains the malware is programmed to contact for orders, then counting how many infected machines phone home to those spoofed command servers. But each company is using different domains for its measurements, and Dr. Web's Sharov claims that neither Symantec nor Kaspersky controls as many as his company does. On Monday, he says, Dr. Web began tracking a new set of previously undetected command and control domains, which were being contacted by 128,000 machines that had not been counted before. (By Dr. Web's new count, 800,000 machines were at some point infected with Flashback.)

Flashback has been spreading since late last year, in later incarnations using a Java vulnerability that Apple was slow to patch, despite a fix from Oracle having been available since February. So far, the botnet has been used only for click fraud, although it could still be updated and put to other purposes at any time. Over the last weekend, another piece of Mac malware was also detected that uses the same Java vulnerability as well as a separate bug that affects Microsoft Word.

Symantec's Liam O Murchu says he can't account for the discrepancy in measuring Flashback's size, and is contacting Dr. Web's researchers to share information. But he didn't accept Sharov's explanation that Symantec was missing part of the picture. He says that Flashback is currently set to cycle through about 70 domain names looking for updates from a command and control server until it finds one. Since none of the command and control servers are currently active, O Murchu says that the infected machines are now cycling through every domain, so it's unlikely infected machines would be pinging some domains and not others. "From our analysis, which domain you're looking at shouldn't matter," he says.
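The sinkhole-counting method described above, and the domain-cycling question O Murchu raises, can both be made concrete with a small script. The following is an added example, not code from the article or from Symantec, Dr. Web or Kaspersky; the log format, the domain names, the IP addresses and the `bot-NNNN` identifiers are all constructed for illustration and do not reflect Flashback's real beacon protocol. It counts unique bots per sinkhole domain rather than raw connections, shows how an observer controlling only some of the domains arrives at a different total, and flags bots that did not reach every domain in the list, which is exactly the case that would let two sinkhole operators disagree.

```python
"""Sinkhole-based botnet sizing: count the unique bots that beacon to the
domains an observer controls, and see how the answer depends on which
domains those are.  Added example; log format and identifiers are invented."""
import re
from collections import defaultdict

# Constructed sinkhole log lines (hypothetical format):
#   <date> <sinkhole-domain> <client-ip> <bot-id>
# The bot id stands in for whatever per-host identifier the malware sends.
# Counting by IP instead would over-count hosts whose address changes
# (bot-0002 below) and under-count hosts sharing one NAT address.
SAMPLE_LOG = """\
2012-04-17 c2-a.example 198.51.100.7 bot-0001
2012-04-17 c2-b.example 198.51.100.7 bot-0001
2012-04-17 c2-c.example 198.51.100.7 bot-0001
2012-04-17 c2-a.example 203.0.113.9 bot-0002
2012-04-17 c2-b.example 203.0.113.9 bot-0002
2012-04-17 c2-c.example 203.0.113.10 bot-0002
2012-04-17 c2-c.example 192.0.2.44 bot-0003
2012-04-17 c2-c.example 192.0.2.45 bot-0004
2012-04-18 c2-a.example 198.51.100.7 bot-0001
2012-04-18 c2-b.example 198.51.100.7 bot-0001
2012-04-18 c2-c.example 192.0.2.44 bot-0003
2012-04-18 c2-c.example 192.0.2.44 bot-0003
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})\s+(?P<domain>\S+)\s+(?P<ip>\S+)\s+(?P<bot>\S+)$"
)


def parse_log(text):
    """Parse sinkhole log text into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def bots_per_domain(records, day=None):
    """Unique bot ids seen by each sinkhole domain, optionally for one day."""
    seen = defaultdict(set)
    for r in records:
        if day is None or r["day"] == day:
            seen[r["domain"]].add(r["bot"])
    return dict(seen)


def connections_per_domain(records, day=None):
    """Raw hit counts per domain; these over-count bots that beacon repeatedly."""
    counts = defaultdict(int)
    for r in records:
        if day is None or r["day"] == day:
            counts[r["domain"]] += 1
    return dict(counts)


def bots_across_domains(records, domains, day=None):
    """Unique bots seen on ANY of the domains one observer controls: the
    estimate that observer would publish."""
    per = bots_per_domain(records, day)
    bots = set()
    for d in domains:
        bots |= per.get(d, set())
    return bots


def partial_cyclers(records, all_domains, day=None):
    """Bots that did not reach every domain in all_domains.  If the malware
    really cycles through its whole domain list, this set is empty and every
    sinkhole sees the same population; bots listed here are the ones that
    make observers on different domains disagree."""
    reached = defaultdict(set)
    for r in records:
        if day is None or r["day"] == day:
            reached[r["bot"]].add(r["domain"])
    wanted = set(all_domains)
    return {b for b, ds in reached.items() if not wanted <= ds}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    all_domains = ["c2-a.example", "c2-b.example", "c2-c.example"]
    print("unique bots per domain:", {d: len(b) for d, b in bots_per_domain(recs).items()})
    print("raw connections per domain:", connections_per_domain(recs))
    print("observer on a+b counts:", len(bots_across_domains(recs, all_domains[:2])))
    print("observer on c counts:", len(bots_across_domains(recs, all_domains[2:])))
    print("bots not cycling all domains:", sorted(partial_cyclers(recs, all_domains)))
    print("same, 2012-04-18 only:", sorted(partial_cyclers(recs, all_domains, day="2012-04-18")))
```

On the constructed sample, an observer holding only `c2-a.example` and `c2-b.example` reports 2 bots while one holding `c2-c.example` reports 4, even though both use the same method; the `partial_cyclers` output names the two bots responsible. Restricting the count to a single day also matters: a bot seen on the 17th but silent on the 18th is "infected" in a cumulative count and "recovered" in a daily one, which is another way two firms can publish different numbers from the same kind of data.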

But O Murchu agrees with Sharov that cleaning up a massive malware outbreak like Flashback isn't as simple as releasing an update or a cleanup tool. He says Symantec still counts hundreds of thousands of Windows machines infected with Conficker, for instance, years after that 8-million-strong botnet was detected. "The drop in numbers is positive," he says of Flashback, "But there will always be computers you can never reach or clean up."