At least 22,000 Macs still have Flashback; so what?

At least 22,000 Macs still have Flashback; so what?

Summary: The OSX/Flashback botnet is "adrift" says Intego, but still alive. Mac version research shows how this is unsurprising and not a big concern.

TOPICS: Security, Apple

Research from Intego, the famed Mac antimalware company, shows that the botnet comprised of OSX/Flashback infections, probably the most significant Mac malware ever, still has a pulse, with " least 22,000 infected machines."

In isolation, this number may look impressive, but considering the latest research on what versions of OS X are in use in the wild, it's not at all surprising.

OSX Version %Total %Macs
10.9 2.79% 37%
10.8 1.66% 22%
10.7 1.23% 16%
10.6 1.47% 20%
10.5 0.29% 4%
10.4 0.08% 1%
(no version reported) 0.01% 0%
Total: 7.53  

Intego discovered Flashback, which appears to be the only serious attempt by a professional malware gang to bring the malware ecosystem to the Mac, back in 2011. By early 2012 it had infected as many as 600,000 Macs, and new variants were using Java exploits and drive-by downloads.

Flashback was beaten down when Apple took notice and measures, using the XProtect feature to blacklist the malware, including a Flashback remover as a security update, and quietly acquiring the Internet domains used by the botnet.

XProtect (officially called File Quarantine) is available to versions 10.6 (Snow Leopard) and upApple's Flashback Removal Tool is available to 10.7 (Lion) and up. Even if we only consider the approximately 5% of Mac users running versions 10.5 and earlier, 22,000 is still well below 5% of the 600,000 said to be infected. Also, clearly some 10.6 users (still 20% of Macs) would have been infected before XProtect blocked Flashback, but never got a removal tool. This is all assuming that everyone applies updates all the time, and only 10.9 users are going to be getting those from now on.

Intego says they also bought some of the domains used for C&C (command and control) for the botnet, and it is from those systems that they get the 22,000 number. Here is a screen shot of Intego's Apache server log showing attempts to contact the C&C:

source: Intego

I was confused by the "Windows NT 6.1" in the useragent string of the clients. I asked Intego and they provided this explanation:

      The string (also known as the user-agent) and the referrer strings are sent directly by the FlashBack code and are not proof that machine is a Windows machine. The server compare those strings to be sure that it is a true infected mac. Even in Safari the user-agent string may be changed by the user and is not a proof of a system nor a proof of a browser. It's a given data to a web server, and for the Flashback server, certain user-agent strings are correct and tested by the Flashback server (it tests for other strings in addition elsewhere).

Topics: Security, Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • interesting it can still run on Mavericks

    I assume it would have been injected before upgrade? Apple may want to put out an equivalent of Microsoft's Malicious Software Removal tool.
  • I don't think so

    XProtect should block new installs for some time now
  • When it comes to malware no one cares about Macs

    Too small of a platform to be worthwhile.
    • That's not actually a bad thing

      One of the main reasons I put Linux as a dual boot on most of my Windows machines was it reduced the surface area of an attack for me. If our household connects to the Internet with only obscure platforms, we're not an interesting enough target.

      You may have meant it as some sort of low grade insult but for those of us in the non tech religion camp, I expect we could care less.
      • I didn't say it was a bad thing.

    • Works for me.

      The practical upshot is that my Mac has less malware. I'll take it.
    • Sure

      And have I remembered lately to thank you for your tireless efforts to keep our numbers small?
    • ..what?

      MacOS is Unix 4.3 BSD - and has 30 years of exposure to malware and viruses, trojans and the lot.

      The problem is the Internet security staff test now for vulnerability you have in Microsoft - running incomplete 4.2 tcp/ip, patched up every time it is beaten. Launch your browser as another user and you can see "localhosts" connections going out - and kill them. This is also a pretty tight "sandbox"... not available on Windows. Make a "Java" user and a "Flash" user... this is not Windows!
  • Rubbish

    I have absolutely no faith whatsoever in claims made by commercial anti malware companies. Some people will believe anything.
    • Anti-malware is a scam.

      I've been saying this for years. Yet "experts" continue to recommend it. If it worked why are there so many problems with malware?
    • They show a table with Mozilla firefox on Windows and claim this is all ...

      ... sudden an indication of Macintosh malware?
      • Apple & Malware ...

        Some would say Apple does not support as much software or 3rd party vendors as Microsoft - yet I would also say Apple fails to support (most of the time) malware vendors.

        Though this does seem to be changing. Apple really should issue security updates back to at least 10.6.x - it would be the least they should do ... not everyone can or needs to upgrade to 10.9 - sometimes users are simply unable to do to other software they are running that wont work well under the new OS.

        Also, good anti-virus is a must for just about any medium to large sized company - if you run Windows (maybe even if you dont). Sure it can suck up resources, slow the computer down, cause all sort of other issues (potentially) and could well be circumvented by the very malware it is supposed to protect against - yet if your company is hit hard by a virus or malware and you had no anti-virus - the share holders and other bean counters will crucify the IT leadership (or worse).

        Secruity steps always need to be taken - even if sometimes the "cure" is almost as bad as the disease ... and it is also important to CYA!
        Bee Ryan
        • Malware is a commercial industry

          just like any other software company. The first viruses hit Unix machines, running the very same OS as my Mac. Then things were changed in Unix. Microsoft left "holes" in the operating systems, they believed they needed it to verify license payment and to be able to patch and fix remotely. Before MS had started using these features others had discovered them and distributed malware with ease and elegance, innovative programming on an attractive platform. Then the "exploitations" were discovered, and paved the way for a new industry. People have earned a fortune getting paid to patch these holes. But the industry will die with MS, and be replaced by a new breed, that focus on protecting the information from coming into wrong hands. This is applicable on every Mac and Linux also.
  • Re: OS X 10.6 Snow Leopard....

    What is of note (according to the table) is 20% Macs are still running Snow Leopard.
    • Snow Leopard was a good version

      I ran that for a long time.
      • Snow Leopard is awesome!

        I mean SL is getting a bit long in the tooth, yet it is probably one of Apple's best OSs. SL mostly was a "cleanup" OS - cleaning up a lot of 10.5 (which was not bad either). SL supported some cool things (though they were already orphaned at this time) such as Front Row (for turning your Mac into a simple media center) ... and it runs the latest iTunes (iirc) and has fairly modern software all around and will even run PPC apps!

        Mac OS X/Lion (10.7) was a huge let down - as Apple seemed to want to be more like Microsoft (often a bad idea) and make Mac OS X more like iOS (also a bad idea - see Windows 8).

        I'm hoping Mountain Lion (10.8) fixes most of the Lion issues and works better across all home devices (phone, tablet, laptop, desktop, etc...). I'm also hoping Apple supports 10.8 for many, many years (hopefully not in vain).
        Bee Ryan
        • Snow Leopard

          .. is the last "liberalistic" variant. It starts to depend on central things provided by the Apple iCloud, but is happy without it.
          I for one dislike that others poke around with my things - like that my address book is "maintained" by Apple. That is my private property, and boy I hated Apple one day when I discovered that the "sync" had resulted in 4000 new duplicate addresses. (Well, I made my own "Cloud", and gave me a reason NOT TO change version).
  • I had a flashback last night...

  • Flashback Removal Tool

    > Apple's Flashback Removal Tool is available to 10.7 (Lion) and up.

    True, but Apple included their Malware Removal Tool (MRT) as a one-time process along with the XProtect system with Security Update 2011-003 (Snow Leopard) 10.6.7 at the end of May 2011 as part of the campaign against MadDefender. OS X 10.6.8 as well as every OS X security and Java update include an "updated malware removal tool that will remove the most common variants of malware."

    Yet we run across perhaps one user a month running 10.6 or above on the Apple Support Community forum who is somehow still infected.

    Obviously one possible reason is that they haven't updated their OS since they were infected, but another possibility is that there are still WordPress sites that are poisoned with Flashback and users with enabled older versions of Java are being newly infected with the botnet portion of Flashback, and since the C&C servers were down they never received the malicious Flashback files.
  • The second column is stupid

    Looking at it and you could assume it says "%Mac" or percentage of *ALL* Macs when in fact it is the percentage of all Macs that are infected.