Russian security firm says Flashback infection rates still high

Russian security firm says Flashback infection rates still high

Summary: Last week's reports of a sharp decline in infections by the Flashback malware may have been premature. A new report by Dr. Web says 566,000 Macs are still infected, with new infections appearing daily.


Update: Symantec researchers confirm Dr. Web details. See end of post for details.

Last week the Mac community collectively breathed a sigh of relief when Symantec published a report that appeared to indicate that the Flashback malware epidemic appeared to have declined sharply.

In that report, Symantec said the number of infections had dropped to 380,000 on April 10 and to 270,000 on April 11. Kaspersky Labs reported a similar decline, with the number of infected computers dropping to 237,000 according to its monitoring.

But the Russian security company that first reported the news that a massive number of Macs had been infected said today that Symantec’s monitoring tools are mistaken. Not only has the infection rate not declined, says Dr. Web, but new infected computers are continuing to join the botnet daily.

According to Doctor Web, 817 879 bots connected to the BackDoor.Flashback.39 botnet at one time or another and average 550 000 infected machines interact with a control server on a 24 hour basis. On April 16, 717004 unique IP-addresses and 595816 Mac UUIDs were registered on the BackDoor.Flashback.39 botnet while on April 17 the figures were 714 483 unique IPs and 582405 UUIDs. At the same time infected computers, that have not been registered on the BackDoor.Flashback.39 network before, join the botnet every day. The chart below shows how the number of bots on the BackDoor.Flashback.39 botnet has been changing from April 3 to April 19, 2012.

Source: Dr. Web

Based on that chart, the net number of infections is dropping slowly, as existing Macs are cleaned up. But new infections are appearing at the same time. As of April 19, Dr. Web says there are still 566,000 infected Macs, based on unique IDs presented by the botnet members.

Why the discrepancy between the different researchers’ numbers?

According to Dr. Web’s research, the measurement process is straightforward, based on the observed behavior of infected machines:

BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain names is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its pre-defined priorities. The main domains for BackDoor.Flashback.39 command servers were registered by Doctor Web at the beginning of April, and bots first send requests to corresponding servers. On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network, which is indicated on the graph.

So far, so good. But at that point one server, controlled by an unidentified third party, throws a monkey wrench into the data-collection routine:

However, after communicating with servers controlled by Doctor Web, Trojans send requests to the server at, controlled by an unidentified third party. This server communicates with bots but doesn't close a TCP connection. As the result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists. This is the cause of controversial statistics…

If those numbers are accurate, then Apple might have more work to do. So far, Apple has released three Java updates, the most recent of which is designed to clean infections from Macs running OS X Lion and Mac OS X 10.6 (Snow Leopard). But those updates are only effective if they’re installed, and security researchers have long noted that users avoid updates. In addition, roughly 17% of Mac users, or a total population of more than 10 million, are running older versions of OS X that are not eligible for any security updates and can only protect themselves by completely disabling Java.

I have contacted Symantec and Kaspersky and will update this post when I hear back from those companies.

Update 20-Apr 1:35PM PDT: In a blog post update, Symantec researchers confirm the observation by Dr. Web:

A recent Dr. Web blog post reveals our sinkholes are receiving limited infection counts for OSX.Flashback.K.

Our current statistics for the last 24 hours indicate 185,000 universally unique identifiers (UUIDs) have been logged by our sinkhole.

A sinkhole registered at IP address is causing Flashback connections to hang as it never closes the TCP handshake, in effect preventing Flashback from hitting subsequent domains.

See also:

Topics: Servers, Apple, Hardware, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Thanks Ed, keep up the great work

    This is a defining moment in the OS X community. Will they start to take security seriously or will they dismiss this as "irrelevant" because it isn't a virus (of note is my recent research showing that the last successful Windows virus was from 1998). Based on the talkbacks so far, OS X users are in for a world of hurt.
    • I have three clean Macs

      So when does it start to hurt?

      Hmmm, Blaster shut down an entire enterprise where I worked in summer 2003. Granted that was almost 9 years ago, but it was a world of hurt for my employer. So what damage has Flashback created that you can verify and document?

      Really, I would love to know. Being a Certified Windows masochist, I want some juice from my Mac...
      • "what damage has Flashback created"?

        Botnets don't exist for the fun of it. They are tools or organized crime. Most likely they will not do anything to the computer that is infected. That way the owner doesn't even realize he is infected because he sees no symptoms.

        That's why Macs are such juicy targets. The owners tend to think of themselves as invulnerable and since they don't have any problems themselves their misconception is reinforced.
      • I have five clean Macs

        In fact, as far as I can tell Flashback hasn't even tried to infect any of them. I've used three different detectors as well as accepted every Apple update since this thing started squawking and not one of them has indicated that any version of Flashback has touched my machines.
      • re: I have five clean Macs

        @vulpine: Congrats. Free from infection. So you didn't hit web sites that others did. [Of coursxe if your Java was up to date, you wouldn't be infected.]

        @cornpie: Damage? Just a pain to people. This is what Windows users had up until a few years back when the scum of the earth decided to switch over to scareware and other crap. If you think Windows users had/have it bad, wait until they target Mac users. If you can buy a Mac for [let's say] double the price of a Windows PC, then you can pay a lot more. So the $200 for Windows will become $500 on a Mac [or whatever].
      • We have 3000 clean PCs at this site.

        We've never had an infection. I've personally never had any malware since Windows 3.1 to my current win7 machine. So, therefore, based on this logic, my anecdotal evidence means there has never been an infected Windows machine.
    • Talkbacks and the World

      Inferring about the state of the world from Talkbacks would be a first mistake.
    • Agreed

      The route to compromising any system has been trojans for a long time, either requiring user interaction or an (un-patched) browser visit to a honey pot.

      Vigilant Windows users have known for years what most Mac users are learning now, unfortunately the hard way. Hopefully future advice and warnings about system updates and security will minimize the misery.
      • Why the down vote?

        Please explain.
      • Your saving grace is the qualifier

        Just as not all Mac users are "vigilant", neither are all Windows users "vigilant." I spend far more time scraping malware out of my clients' Windows machines than I do any of their OS X machines.
      • Will take help though

        Until Apple acknowledges that this is a serious issue and starts taking it seriously, no matter how vigilant the users are, they will be in for a rough ride.

        [i]doing 45 with a blindfold on and a brick wall in your path ....[/i]
    • Talkbacks and the World

      [i]Inferring about the state of the world from Talkbacks would be a first mistake.[/i]

      You can say that again.
    • Use Microsoft's excuse ... blame it on the Hackintoshes

      Many Hackintosh users are probably just as scared to update their systems as are many that run pirated Microsoft Windows software. And in some cases, changes in Apple's OS X updates have prevented further updates to Hackintoshes (e.g., netbooks with Atom processors).

      P.S. And remember that with OS X, Java updates are sourced from Apple, not Oracle (or OpenJDK).
      Rabid Howler Monkey
    • hi

      I'm a doctor,35 ,rich but still single.It's hard to get a girlfriend in my town ,most of them like my money more than like me.I just want to find my true i uploaded my hot photos on Wealthybar.c om under the name of hotlove2.u dont have to be a millionaire,but u can meet one there. ..if you girls see this comment,i hope you will check my photos out there.maybe you are the one whom i'm looking for!!!
  • Noted

    Dr. Web's graph shows no major spikes down after the updates were released. Yet, the other companies that did confirm Dr. Web's original estimates did see a large fall off. Also Dr. Web is the one who has the most to lose if this problem is neutralized.

    At this point I am as open to them being the one right person in the room as I am to there being methodology errors in their counts.

    I've installed all the updates, disabled java in my browser (I did that years ago) and did a check when this thing first arose. Wait and see and living life normally until the next crisis emerges.
    • Don't get the down vote

      Seems to me you are being entirely rational ...
      • That's worth noting

        Down votes get cast regardless of quality, rationality or validity of a post. The down votes are being used by those perhaps not brave enough to debate or don't want to exert the effort to make a sound argument.

        It does make one wonder "what agenda" people have that evidently do nothing but come through and cast down votes.
    • My update

      According to the Slashdot summary this morning, Symantec acknowledged problems with its counting methodology later yesterday.

      Clearly, I would have to say that Dr. Web, if not validated, seems to be better at taking the patient's pulse.
  • This reminds me

    of the botnet for windows a little while ago. What was it the conficker or something like that? It was supposed to do a lot of damage but was found out too quickly and went away. Could be the same thing.
    • Conficker was real and damaging

      Late 2008 - early 2009.

      Even as late as 2010 it was still at 1.5 million infections. Conficker was bad even though it exploited a patched vulnerability.
      Ed Bott