Flashback infections on the rise: Intego

Further analysis of Flashback has postulated that even after the release of patches and the media attention devoted to the malware, the number of infections could be increasing, rather than decreasing.

Infection rates for the now highly prolific trojan have been met with scepticism since its initial discovery, with many not believing that upwards of 650,000 Macs could be infected. Unfortunately, this was exacerbated by confusion around infection rates caused by the botnet not communicating with all security researchers' sinkholes. This led to researchers believing that Apple's patches and malware-removal tools were causing a reduction in infection numbers, when actually that may not be the case.

There is still no consensus on what the actual infection numbers are, with Dr.Web counting about 650,000 mid-last month — a number that is larger than that estimated by other researchers, as the company's work uses the greatest number of sinkholes — while Symantec only found 185,000 infections across its own sinkholes. While the overall number of infections may never be known, an idea of the general trend of infections can be determined if a single sinkhole is examined over a period of time, and is considered to represent a fair sample of total infections — especially if the same trend is independently observed across multiple sinkholes.

This is exactly what Intego has been doing since the end of April. It has found that not only is it recording 100,000 infections from observations of its single sinkhole, but that the number is also on the rise, even taking into account fluctuations, which it explains as being due to weekends and the observance of the May Day public holiday in many parts of the world.

Flashback infections observed by Intego

  • 30 April: 102769
  • 1 May: 96948
  • 2 May: 103779
  • 3 May: 121826
  • 4 May: 102375
  • 5 May: 118593
  • 6 May: 113909

(Credit: Intego)

"The number of infected Macs is not decreasing, but is actually increasing. Even though Apple has provided an update, which patches the Java vulnerability that this malware is exploiting, it seems that many Mac users are simply not updating their Macs," security researcher Peter James wrote on Intego's Mac Security Blog.

A cruder trend can also be seen by looking at Symantec's results.

At the time of its analysis, using its own sinkhole observations, Symantec saw 140,000 infections and made the prediction that by 17 April the number of infections would drop to about 99,000. This was because Symantec thought that the number of infections had already dropped from Dr.Web's 650,000 infections, not having yet discovered that infection numbers were varying from sinkhole to sinkhole. However, on 20 April, it observed on its own sinkhole that some 185,000 Macs were still infected — marking an increase, rather than a decrease. This would mean that the company has actually seen 45,000 more Macs become infected, providing further fuel to Intego's argument that the Mac infections are on the rise.

Dr.Web would have the largest sample for tracking infection rates; however, at the time of writing, the company has only published observations up to 25 April, which were showing a downward trend.

(Credit: Dr.Web)

Topics: Apple, Enterprise Software, Security


A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
