Two independent sources have now confirmed that at least 600,000 Macs worldwide have been infected with the malware downloader called Flashback.
That number is not just an estimate. It’s a count of unique hardware IDs reporting in to a command-and-control server.
If you're concerned that you might be infected, or if you want to remove the Flashback infection from a Mac under your control, see this post from our sister site CNET: Mac Flashback malware: What it is and how to get rid of it (FAQ)
First Dr. Web, a Russian security company, published its findings. The company’s analysts cleverly redirected the botnet traffic to their own servers and thus were able to count infected hosts. The initial report was 550,000 infected machines running Mac OS X on April 4. Later that day, the analyst responsible for the original research reported that the count had increased to 600,000.
That report inspired some skepticism among readers of my initial post, who wondered whether the numbers were accurate.
Apparently, other security researchers were equally skeptical, leading Kaspersky Labs to replicate the research:
We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.
The Kaspersky researchers also used "passive heuristics" to try to sort out which platforms the infected machines were using:
More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.
Based on that same research, Kaspersky concluded that approximately 1% of the 600,000 machines in the botnet were running FreeBSD or Linux, and 0.06% were running Windows 7 or Windows 8.
Amusingly, within moments after reading that article, I found confirmation of that research in a post on Apple’s support forums from a user whose infected Mac had been lured to Kaspersky’s domain.
Six hundred thousand.
So what percent of Apple’s installed base does that represent?
At Apple’s “Back to the Mac” event in October 2010, Steve Jobs announced that the worldwide installed base of Macs had reached 50 million. Apple sold 16.7 million Macs of all types in 2011 (source: Apple 2012 SEC form 10-K, PDF). Add another 4-5 million for Q1 2012, subtract a few million that have been retired in the past 18 months, and you get a number somewhere between 60 million and 70 million.
With 600,000 infections in a user base of 60-70 million, that means roughly 1% of all Macs worldwide have been hit by this thing, which is capable of downloading additional malware at will.
What’s remarkable about that number is that it represents infections from a single downloader. The infections happened over a total of about seven months, but critical mass didn’t occur until the last few weeks, when the malware distributors began using an unpatched Java exploit to automate the infections.
By comparison, the single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected 7 million PCs, or about 0.7% of the total Windows installed base.
So now the question is, What’s next? Apple has yet to acknowledge this issue at all, except in antiseptic terms in its security update bulletins. Will they accelerate their time to deliver patches for the next critical Java security vulnerability?
The gang running the network of infected websites that delivered this round of infections has to be feeling pretty good about their success rate. Do they race Apple to market when the next unpatched Java vulnerability appears? Do they put together a Mac-focused exploit kit like the Windows-centric BlackHole? Or does their success doom them to a fate like the Mac Defender gang, which was broken up last summer by Russian authorities?