Second source confirms: 1 in 100 Macs are infected by Flashback

Summary: A second source has now confirmed previously reported research: at least 600,000 Macs worldwide are infected with the Flashback malware downloader. That's a staggering number, representing about 1% of the installed base of Macs. So what's next?

Two independent sources have now confirmed that at least 600,000 Macs worldwide have been infected with the malware downloader called Flashback.

That number is not just an estimate. It’s a count of unique hardware IDs reporting in to a command-and-control server.

If you're concerned that you might be infected, or if you want to remove the Flashback infection from a Mac under your control, see this post from our sister site CNET: Mac Flashback malware: What it is and how to get rid of it (FAQ)

First, Dr. Web, a Russian security company, published its findings. The company's analysts redirected (sinkholed) the botnet's command-and-control traffic to their own servers, which let them count the infected hosts checking in. The initial report, on April 4, was 550,000 infected machines running Mac OS X. Later that day, the analyst responsible for the original research reported that the count had risen to 600,000.

That report inspired some skepticism among readers of my initial post, who wondered whether the numbers were accurate.

Other security researchers were apparently just as skeptical, which led Kaspersky Lab to replicate the research:

We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600,000+ unique bots connected to our server in less than 24 hours. They used a total of 620,000+ external IP addresses. More than 50% of the bots connected from the United States.

The Kaspersky researchers also used "passive heuristics" to try to sort out which platforms the infected machines were using:

More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.

Based on the same heuristic, Kaspersky estimated that approximately 1% of the 600,000 machines in the botnet were running FreeBSD or Linux, and 0.06% were running Windows 7 or Windows 8; those figures carry the same order-of-magnitude caveat as the Mac count.
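The counting method both vendors describe above (log the beacons that arrive at the registered domain, count distinct hardware UUIDs as bots and distinct source addresses as IPs, then sort hosts by a passive heuristic), as an added example that is not code from the original post, from Dr. Web or from Kaspersky. Everything specific here is an assumption constructed for illustration: the log line format, the placement of the UUID in the request path, the `ttl=` field, and every sample line. Flashback's real beacon format and the exact heuristic Kaspersky used are not shown on the page and are not reproduced; the TTL bucketing stands in for "passive heuristics" only to show why such a figure is order-of-magnitude.

```python
"""Sinkhole beacon analysis of the kind Dr. Web and Kaspersky describe.

Added example, not code from the original post or from either vendor.
Assumptions (constructed for illustration): the sinkhole web server logs
one line per beacon as '<src_ip> ttl=<ip_ttl> "GET /<hardware_uuid>/ HTTP/1.1"',
and the passive OS guess is a coarse bucketing of the observed IP TTL.
Flashback's real beacon format and Kaspersky's actual heuristic are not
shown on the page and are not reproduced here.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Beacon line pattern for the constructed log format described above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+ttl=(?P<ttl>\d+)\s+"GET\s+/'
    r'(?P<uuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})/'
)

# A sinkhole counts *external* addresses. Only RFC 1918 and loopback are
# excluded here; ipaddress's is_global would also reject the RFC 5737
# documentation ranges that the constructed sample below uses as stand-ins.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: two beacons from one bot, a bot that changed address
# between beacons, one Windows-looking bot, a beacon from a private source,
# a non-beacon request, and an unparseable line.
SAMPLE_LOG = """\
198.51.100.7 ttl=52 "GET /6B29FC40-CA47-1067-B31D-00DD010662DA/ HTTP/1.1"
198.51.100.7 ttl=52 "GET /6B29FC40-CA47-1067-B31D-00DD010662DA/ HTTP/1.1"
203.0.113.9 ttl=117 "GET /0F8FAD5B-D9CB-469F-A165-70867728950E/ HTTP/1.1"
192.0.2.44 ttl=49 "GET /7C9E6679-7425-40DE-944B-E07FC1F90AE7/ HTTP/1.1"
192.0.2.45 ttl=51 "GET /7C9E6679-7425-40DE-944B-E07FC1F90AE7/ HTTP/1.1"
10.0.0.3 ttl=64 "GET /16FD2706-8BAF-433B-82EB-8C7FADA847DA/ HTTP/1.1"
203.0.113.9 ttl=117 "GET /favicon.ico HTTP/1.1"
garbage line
"""


def is_external(ip_text):
    """True for a syntactically valid address outside RFC 1918 / loopback."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def guess_os_family(ttl):
    """Coarse passive guess from the observed IP TTL (assumption, see docstring).

    Common initial TTLs are 64 (macOS, FreeBSD, Linux) and 128 (Windows); the
    observed value is the initial TTL minus the hop count, so bucket upward.
    This cannot separate macOS from Linux/FreeBSD, which is one reason such
    numbers are only order-of-magnitude estimates.
    """
    if ttl <= 64:
        return "unix-like"
    if ttl <= 128:
        return "windows"
    return "other"


def parse_line(line):
    """Return {'ip', 'ttl', 'uuid'} for an external beacon, else None."""
    m = LINE_RE.match(line)
    if not m or not is_external(m["ip"]):
        return None
    return {"ip": m["ip"], "ttl": int(m["ttl"]), "uuid": m["uuid"].upper()}


def summarize(log_text):
    """Count bots (distinct UUIDs), source IPs, and a per-bot OS-family tally."""
    ips, requests, skipped = set(), 0, 0
    families_by_bot = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        requests += 1
        ips.add(rec["ip"])
        families_by_bot[rec["uuid"]][guess_os_family(rec["ttl"])] += 1
    # One vote per bot, using the family seen most often across its beacons.
    os_families = Counter(fams.most_common(1)[0][0]
                          for fams in families_by_bot.values())
    return {
        "requests": requests,
        "skipped": skipped,
        "bots": len(families_by_bot),
        "ips": len(ips),
        "os_families": dict(os_families),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things in the sample mirror the quoted figures. The address count (4) exceeds the bot count (3) because one bot beaconed from two addresses, which is the same effect behind Kaspersky's 620,000+ IPs for 600,000+ UUIDs. And the OS split is a tally of guesses, not of facts: a host that sets an unusual initial TTL, or sits behind a proxy that rewrites it, lands in the wrong bucket, so the per-platform percentages deserve the "can't be completely trusted" caveat Kaspersky attached to them.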

Amusingly, within moments after reading that article, I found confirmation of that research in a post on Apple’s support forums from a user whose infected Mac had been lured to Kaspersky’s domain.

Six hundred thousand.

So what percent of Apple’s installed base does that represent?

At Apple's "Back to the Mac" event in October 2010, Steve Jobs announced that the worldwide installed base of Macs had reached 50 million. Apple sold 16.7 million Macs of all types in its 2011 fiscal year (source: Apple's fiscal 2011 SEC Form 10-K, PDF). Add another 4-5 million for Q1 2012, subtract a few million that have been retired in the past 18 months, and you get a number somewhere between 60 million and 70 million.

With 600,000 infections in a user base of 60-70 million, that means roughly 1% of all Macs worldwide have been hit by this thing, which is capable of downloading additional malware at will.

What's remarkable about that number is that it represents infections from a single downloader. The infections accumulated over roughly seven months, but the botnet didn't reach critical mass until the last few weeks, when the distributors moved from social engineering to a drive-by exploit for a Java vulnerability that was still unpatched on Macs: Apple ships its own Java build, and its fix arrived weeks after Oracle had patched the same flaw on other platforms.

By comparison, the single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected 7 million PCs, or about 0.7% of the total Windows installed base.

So now the question is: what's next? Apple has yet to acknowledge this issue at all, except in antiseptic terms in its security update bulletins. Will it shorten its time to deliver patches for the next critical Java security vulnerability?

The gang running the network of infected websites that delivered this round of infections has to be feeling pretty good about their success rate. Do they race Apple to market when the next unpatched Java vulnerability appears? Do they put together a Mac-focused exploit kit like the Windows-centric BlackHole? Or does their success doom them to a fate like the Mac Defender gang, which was broken up last summer by Russian authorities?

We'll see.

Topics: Malware, Apple, Hardware, Security


Talkback

75 comments
  • Feeling good about their success rate

    But obviously they are not happy about this publicity. They used a good number of tricks to try to fly under the radar.

    Obviously these guys know their stuff. They are in it for the money, not publicity.

    Still, this attack is only moderately advanced. It is certainly more sophisticated than a simple trojan as it now infects at drive-by as well. But it is only a taste of what is yet to come.

    Expect them to bring over more tricks from their Windows experience, such as morphing code, blended attacks and a whole suite of exploits.

    With this success rate you can be *certain* that they will be back. Stronger. The smug Apple crowd is in for a rude awakening.

    As I have written before, Apple has a systemic problem where they *do not* control or materially influence the publication of information about vulnerabilities in their stack. The various open source libraries follow their own schedules and Apple will have a hard time reining them in and making them commit to coordinated publication when Apple is ready to patch.

    In effect, *every* time an external project on which OS X depends publicizes a vulnerability (because a patch is available), this is the equivalent of a zero-day vuln in OS X.

    And we know from the Windows experience that only a fraction of 1% of attacks uses attacker-discovered vulns. Attackers now can simply sit back and wait for patches to libxml, apache, java etc.

    They know that OS X will be notoriously late, so they'll have a window of opportunity practically every time.

    And the best part: The Mac users are shockingly complacent (evidenced in these very talkbacks) and refuse to accept that they can be affected. They are easy targets.
    honeymonster
    • Well

      Looks like time to sell the Air!
      slickjim
      • Sounds Good

        I'll give you 10cents on the dollar..... :D
        rhonin
      • Hmm

        @rhonin I would feel like I was ripping you off man so, I should just hang on to it. :-)
        slickjim
      • You have to *want* to get infected; also, you have to be twice clueless

        you have to be twice clueless to get infected. First, you have to think Adobe Flash does not update itself (though it does, and updates itself highly visibly). Second, you have to believe that Adobe Flash updates all of a sudden come from non-Adobe sites. [b]You can not get infected unless you go to a page where a "Flash Player update" is supposed to be[/b].

        As to the infection thing in general, it is Java's vulnerability, nothing to do with OS X. So while Ed and Co love to bring Apple into this, Apple has nothing to do with it. No company could ever beat a mix of twice clueless people and other companies' product (Java).
        DDERSSS
      • @DeRSSS: You are spreading misinformation

        This attack is a *drive-by* attack. If you are using an unpatched Mac to visit a website with this malware on it, *boom* you are infected. No user interaction required. No alerts. Simply silently installs.

        Is that so hard to understand?

        You are focusing on earlier versions of the same malware which only tried to use social engineering to make the user download it. But this recent version doesn't need that.

        You probably also missed the information on how this attack is served by compromised Wordpress sites. You do not even have to be fooled into visiting a malicious site set up by the attackers. The attackers have compromised sites that users visit regularly to read blog posts etc. Many corporate sites also run Wordpress.

        As for your "this is Java and thus not an OS X problem". You are aware that Java until the latest version was distributed as *part of* OS X? You are aware that if users upgraded from an earlier version to Lion, the upgrade *did not* remove Java and that they may very well be vulnerable even if they are running Lion?

        Your attitude and willingness to spread misinformation is a big part of this problem. Really.
        honeymonster
      • You have to "visit a website with this malware on it"

        @honeymonster: yes, unless you believe that Flash does not update itself and you visit a non-Adobe site with "Flash update" with malware on it, you are not getting infected.

        [b]You are totally safe if either of those two conditions are not met[/b], because otherwise you will never ever enter any weird sites that might get you infected.

        Also, it is interesting that Ed never mentions that this issue has nothing to do with Apple's software, but rather with Java vulnerability. Java is not developed by Apple and even does not ship with the OS.

        Yet Ed loves to make readers think that this is Apple's issue.
        DDERSSS
      • What does the URL of a "weird" site look like?

        "you will never ever enter any weird sites that might get you infected"

        We are all waiting for your tips on what the URL of a "weird" site looks like so that we can avoid going to "weird" sites and getting malware.

        I'd also like to see you write that Microsoft is completely faultless for every single drive-by infection that has happened to a Windows user. After all, if that user had simply not gone to a "weird" site, they would never have gotten infected. The user is totally to blame, right?
        toddbottom3
      • Regarding Java and OS X

        "Java is not developed by Apple and even does not ship with the OS."

        Please prove that every one of those 600,000 infected, botnet ridden OS X machines were running Lion and had not been updated from Snow Leopard. If you can't, then you have to admit that at least 1 of those infected was infected through a vulnerability in software that shipped with the OS they were running.

        I'd also like to see you write that Microsoft is completely faultless for every single Windows infection that came in through 3rd party code like Flash, Acrobat, Java, etc.
        toddbottom3
      • @DeRSSS

        Doesn't Apple supply its own particular brand of Java? Would a trip to java.com and going to their downloads section for Macs not show the following text: [i]Apple supplies their own version of Java. Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac.[/i]?

        http://java.com/en/download/manual.jsp for the link.

        Since this is a fact easily verified by going to java.com does that not completely blow this: [b]So while Ed and Co love to bring Apple into this, Apple has nothing to do with it. No company could ever beat mix of twice clueless people and other companies' product (Java).[/b] out of the water?

        Ooops, I just kicked the leg you were standing on out from under you. So what other excuses will you and the other mac fanbois come up with?
        NonFanboy
      • This is outdated information; Apple stopped doing their own Java in ...

        @NonFanboy: ... December of 2011. And this is when they also stopped shipping it with the OS. They announced at the time that Java (as well as Flash, et cetera) should be compiled and cared for solely by the company that develops it. However, it seems that Java's site still does not recognize this.
        DDERSSS
      • DeRSSS: Please respond to these requests

        1. I'd also like to see you write that Microsoft is completely faultless for every single drive-by infection that has happened to a Windows user. After all, if that user had simply not gone to a "weird" site, they would never have gotten infected. The user is totally to blame, right?

        2. I'd also like to see you write that Microsoft is completely faultless for every single Windows infection that came in through 3rd party code like Flash, Acrobat, Java, etc.

        Or ignore it, that says just as much.
        toddbottom3
    • Good summary!

      I agree, the folks behind these attacks have lots of room to sharpen their attacks, based on lessons learned from their Windows experience.
      Ed Bott
    • Ho boy! Editor's choice!

      Tell me Ed, is toddytroll's office down the hall or do you share one with him?

      lol... :D
      ScorpioBlack
    • The sky is falling!... NOT!

      No one knowledgeable about the Mac has EVER said that Mac OS X is immune to malware!

      But what knowledgeable Mac users DO know is that in the more than 11 years that Mac OS X has been in existence, there has NEVER been a single case of a Mac virus in the wild (an actual virus that can spread from Mac to Mac like the tens of thousands of Windows viruses).

      Trojans are NOT viruses! They require a user to be tricked into installing this type of malware onto their own Mac.

      A Trojan is like if some stranger came to your door and said he represents your bank, and needs you to fill out your personal banking information for him. A sensible person would reject doing this, and would not have to worry about this stranger stealing from you.

      On the other hand, a virus is like a burglar that breaks into your house when you are not home, and steals from you. This has never happened with Mac OS X, but it goes on all the time with Windows PCs!
      Harvey Lubin
  • But I thought Macs couldn't get Malware or Viruses!

    If anything these odds are generous when you take into account the low and high average hours these Macs are used (low hour machines less affected). Some may see just a few hours a week of use. While some are on 24/7 just like many Windows PC's. If you were to compare actual use then, the possibility of being infected by this malware... indeed goes up!

    Another point to consider, is if these were PC's being attacked, Multiple MILLIONS.... not just 1,000's of computers, would have been affected by this Flashback Malware!!!

    Since PC's are used far more frequently in the work environment, it would be expected that they show greater infection rates. But that's not the case and that's why this is referred to as being of Epidemic Proportions!!!
    KronJohn
    • Apple never said that

      You're being a troll. Apple never said that. Also, this is not a virus although it is malware.
      Relayman5C
      • Then what were the Mac vs PC commercials talking about

        in reference to the one when they showed the "Windows based PC" actor being covered with viruses and malware, while the "OS X based Mac" actor was standing there virus and malware free?

        I would have to assume that they were saying just that, that Mac users have no need to fear such things.
        :|
        Tim Cook
      • Yes, they do not need such things; they need timely Java updates

        @Mister Spock: Java is a Sun/Oracle product, not Apple's. This malware thing has nothing to do with Apple's software. The same as if the Firefox browser would all of a sudden show a vulnerability that would get its users infected -- in this case this would have [b]nothing to do with Apple's software either[/b].
        DDERSSS
      • this is why...

        This is why Apple has already stopped doing Java. They are still doing it for the moment only because they don't want OSX users to have no Java at all, but it's being pushed off to a 3rd party just like Windows Java is, and will be a separate install and maintained by a separate group... these things take time though.

        To the commercial, I do fault Apple for not being clear and many people misunderstanding the commercials. If you actually listen to what they say they only say that Windows viruses don't affect Macs. They do not say they are immune to any form of malware...

        Their OSX security info page currently says they have a ton of built in protection, but if you read the security tips at the very bottom, it quite simply says that no system is 100% immune.
        http://www.apple.com/macosx/what-is/security.html
        doh123