Dr. Web, the Russian security company that has been the most prolific source of information on the Flashback malware infestation, published new data today based on its successful interception of infected Macs.
The new blog post methodically breaks down how infected machines communicate with the control servers in the bot network, using data that was gathered on April 13, when the outbreak was at its peak.
According to the new research report, the Trojan horse program running on the infected Mac sends requests to control servers. These requests contain detailed information on the infected system, including the bot version, the OS kernel number, and whether the malware was installed with elevated privileges or as an ordinary user account.
The kern.osrelease value uses the Darwin version number, which might confuse a casual observer looking at the data in the Dr. Web chart. (Darwin kernel 9.8, I plugged the Dr. Web data into a spreadsheet and converted those numbers into the equivalent OS X versions. Here’s how they broke down:
- 10.5 (Leopard) – 25%
- 10.6 (Snow Leopard) – 63.4%
- 10.7 (Lion) – 11.2%
The percentage of infected Macs running Lion, the latest release of OS X, is lower than its share among machines in use. That’s not surprising. This malware spreads through an exploit in Java, which is included in Leopard and Snow Leopard but not in Lion.
It’s also noteworthy that 25% of the infected machines were running Leopard, which is no longer supported by Apple. The owners of those machines cannot get a patch for the vulnerable Java release, nor can they uninstall Java. Their only recourse is to disable the Java plugin in the browser.
Breaking down the data even further, I was alarmed to see how many of the infected Macs are running outdated versions of OS X. Nearly 24% of all infected Macs running Snow Leopard in this sample were at least one version out of date, and more than 10% of those users had skipped three or more major updates.
Similarly, among Lion users, nearly 28% of infected machines had skipped at least one update.
As part of its installation routine, the Flashback malware prompts the user for an administrative password. If the user types in that password, the malware installs in a location with system privileges. If the user doesn’t enter a password, the malicious executable file is saved in the user's home directory and launched with the current user permissions, which is sufficient to perform its malicious tasks.
Dr. Web found that 12% of infected Macs were running with administrator privileges, which means that the malware’s social engineering was effective on 1 in 8 users.
Last week, Symantec researchers confirmed Dr. Web’s report that the number of Flashback infections remained high. In a separate statement today, Kaspersky Lab independentlyconfirmed those findings:
Last week Kaspersky Lab provided an updated number of the Flashfake botnet’s size, which was based on the findings of the company’s sinkhole. The sinkhole showed that the botnet was significantly decreasing in size as the number of unique bots went from 650,748 (as of 6th April) to 30,629 (as of 19th of April).
However, Kaspersky Lab found that its statistics were being affected by a third-party sinkhole, which was limiting the infection counts of unique bots connected to Kaspersky Lab’s sinkhole. The third-party sinkhole, which was registered for research purposes at IP address 188.8.131.52, was causing Flashback connections to hang as it never closes the TCP handshake, in effect preventing Flashback from hitting subsequent domains.
Kaspersky Lab confirms the botnet’s size is larger than previously estimated, and will publish updated research findings on the size of the botnet once its analysis is finished.
Meanwhile, a report this week found a new variant of the Flashback malware in circulation, suggesting that its authors were still actively at work and aiming at vulnerable Macs.