Research from Intego, the famed Mac antimalware company, shows that the botnet comprised of OSX/Flashback infections, probably the most significant Mac malware ever, still has a pulse, with "...at least 22,000 infected machines."
In isolation, this number may look impressive, but considering the latest research on what versions of OS X are in use in the wild, it's not at all surprising.
|(no version reported)||0.01%||0%|
Intego discovered Flashback, which appears to be the only serious attempt by a professional malware gang to bring the malware ecosystem to the Mac, back in 2011. By early 2012 it had infected as many as 600,000 Macs, and new variants were using Java exploits and drive-by downloads.
Flashback was beaten down when Apple took notice and measures, using the XProtect feature to blacklist the malware, including a Flashback remover as a security update, and quietly acquiring the Internet domains used by the botnet.
XProtect (officially called File Quarantine) is available to versions 10.6 (Snow Leopard) and up. Apple's Flashback Removal Tool is available to 10.7 (Lion) and up. Even if we only consider the approximately 5% of Mac users running versions 10.5 and earlier, 22,000 is still well below 5% of the 600,000 said to be infected. Also, clearly some 10.6 users (still 20% of Macs) would have been infected before XProtect blocked Flashback, but never got a removal tool. This is all assuming that everyone applies updates all the time, and only 10.9 users are going to be getting those from now on.
Intego says they also bought some of the domains used for C&C (command and control) for the botnet, and it is from those systems that they get the 22,000 number. Here is a screen shot of Intego's Apache server log showing attempts to contact the C&C:
I was confused by the "Windows NT 6.1" in the useragent string of the clients. I asked Intego and they provided this explanation:
The string (also known as the user-agent) and the referrer strings are sent directly by the FlashBack code and are not proof that machine is a Windows machine. The server compare those strings to be sure that it is a true infected mac. Even in Safari the user-agent string may be changed by the user and is not a proof of a system nor a proof of a browser. It's a given data to a web server, and for the Flashback server, certain user-agent strings are correct and tested by the Flashback server (it tests for other strings in addition elsewhere).