Does FlashBack really have 600k Macs?
06 April, 2012 09:57
Yesterday Russian antivirus firm Dr Web claimed to have debunked the myth that malware writers are not in pursuit of Mac users, announcing that 600,000 Mac OS X machines were infected with the latest variant of the Flashback Trojan.
That would make it a massive OS X botnet, but F-Secure's Mikko Hypponen had some reservations about the number claimed by Dr Web because the company did not explain exactly what it was counting: machines or IP addresses.
One way of estimating the size of a botnet is to count the number of distinct IP addresses that connect to the botnet operator's servers.
The distinction matters for counting Mac infections in particular, since OS X systems are for the most part used by consumers, who rarely keep the same IP address, and are less common in corporate environments.
“This means that if your computer’s running under an ISP which gives you a DHCP (Dynamic Host Configuration Protocol) every time you go online you get a different IP address,” explained Hypponen.
“One infected computer could show up as five different IP addresses and the non-scientific rule of thumb is that you divide the number of IP addresses in two to get a rough estimate of how many computers that is.”
The opposite is true for corporate networks, which typically connect thousands of PCs to the web through a handful of IP addresses, such as the company’s firewall or proxy.
“So in some cases you get one IP address which means 10 infected computers, and in some cases you get 10 IP addresses which means one infected computer.”
CSO attempted to reach Dr Web malware researcher Sorokin Ivan, who announced yesterday there were 600,000 Flashback infections, but is yet to receive a reply.
Hypponen today said he confirmed with Ivan that they did count actual PCs, not IP addresses.
“They are counting actual PCs. Flashback uses a unique hardware-based User-Agent in its requests.”
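The two counting methods described above can be compared directly on a C2 access log. The following is an added example, not code from CSO, F-Secure or Dr Web: it builds a constructed sample log (not real Flashback traffic) in which one home machine appears under five DHCP addresses and ten corporate machines sit behind one NAT address, then counts distinct IP addresses, applies Hypponen's halve-the-IP-count rule of thumb, and counts distinct bots by a per-machine identifier carried in the User-Agent. The log line format and the "hwid:" token are assumptions for illustration; the article only says Flashback's User-Agent is hardware-based and unique.

```python
import re
from collections import defaultdict

# Assumed log format (hypothetical): "<client ip> <method> <path> "<User-Agent>"".
# The "hwid:" token standing in for Flashback's hardware-based identifier is
# likewise an assumption for this example.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*? "(?P<ua>[^"]*)"$')
HWID_RE = re.compile(r'hwid:([0-9a-f-]+)')


def make_sample_log():
    """Construct C2-style access log lines (sample data, not real traffic)."""
    lines = []
    # Case 1: one home machine whose ISP hands out a new DHCP address per
    # session, so the same bot shows up under five different IP addresses.
    for last in range(1, 6):
        lines.append(f'198.51.100.{last} GET /poll "Mozilla/5.0 (hwid:0a1b2c-0001)"')
    # Case 2: ten infected machines on a corporate LAN all leaving through
    # the same NAT/proxy address.
    for n in range(1, 11):
        lines.append(f'192.0.2.1 GET /poll "Mozilla/5.0 (hwid:ffee00-{n:04d})"')
    # Case 3: two hosts that each keep a single address.
    lines.append('203.0.113.7 GET /poll "Mozilla/5.0 (hwid:9999aa-0001)"')
    lines.append('203.0.113.8 GET /poll "Mozilla/5.0 (hwid:9999aa-0002)"')
    # Noise: a request carrying no bot identifier (a scanner, say); skipped.
    lines.append('203.0.113.9 GET /poll "curl/7.21"')
    return "\n".join(lines)


def parse_log(text):
    """Return (ip, hwid) pairs, dropping lines that carry no bot identifier."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        h = HWID_RE.search(m.group("ua"))
        if not h:
            continue
        records.append((m.group("ip"), h.group(1)))
    return records


def count_distinct_ips(records):
    """Naive botnet size: one bot per source address seen."""
    return len({ip for ip, _ in records})


def count_distinct_bots(records):
    """Size by per-machine identifier, as Dr Web says it counted."""
    return len({hwid for _, hwid in records})


def halve_rule_estimate(records):
    """Hypponen's 'divide the IP count by two' rule of thumb."""
    return count_distinct_ips(records) // 2


def bots_per_ip(records):
    """Distinct bot IDs behind each address; NAT shows up as a large value."""
    seen = defaultdict(set)
    for ip, hwid in records:
        seen[ip].add(hwid)
    return {ip: len(ids) for ip, ids in seen.items()}


def ips_per_bot(records):
    """Addresses each bot was seen from; DHCP churn shows up as a large value."""
    seen = defaultdict(set)
    for ip, hwid in records:
        seen[hwid].add(ip)
    return {hwid: len(ips) for hwid, ips in seen.items()}


def size_report(text):
    """Compare the three estimates over one log."""
    r = parse_log(text)
    return {
        "distinct_ips": count_distinct_ips(r),
        "halved_ip_estimate": halve_rule_estimate(r),
        "distinct_bots": count_distinct_bots(r),
    }


if __name__ == "__main__":
    for key, value in size_report(make_sample_log()).items():
        print(f"{key:20s} {value}")
```

On the constructed log the IP count is 8, the halved estimate 4 and the identifier count 13: the DHCP host inflates the IP count while the NAT'd office deflates it, and the rule of thumb only corrects for the first effect. The point for a practitioner is that a stable per-host identifier is the only one of the three that neither direction of address sharing can distort, which is why the question of what Dr Web counted mattered.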
Flashback mob are serious about Macs.
Why is FlashBack important for Mac users? Because unlike older Mac malware, it does not require any “user interaction” to infect the machine.
“We have one serious gang who is serious about infecting large amounts of Macs, and they are monetising the infected computer and they seem to have the skills to create working fairly-well written malware,” Hypponen told CSO.com.au.
The key difference with FlashBack.K, as F-Secure names it (BackDoor.Flashback.39 in Dr Web's naming), is that it uses exploits, as opposed to just fooling you into typing in the root password, which until now has been the main method of infecting Macs.
It’s the first mass infection where Mac users are infected the way Windows users have been for a long time: drive-by downloads.
“They surf the web and happen to hit a website, which has a Java drive by download and uses a Java exploit or a Flash or a redirect exploit and it can infect you without you doing anything. You just surf the web and get infected,” said Hypponen.
“They (Flashback) weren’t using Java exploits until Flashback.K, which is the latest version we know of,” said Hypponen.
“Before this they were trying to fool users with fake Flash updates and stuff like that.”
And what does Flashback actually do?
In a Twitter reply to security blogger Brian Krebs, Dr Web’s Ivan said the Trojan is not trying to steal passwords but rather hijacks Google search results; Google itself is not affected, but the Trojan manipulates the search results returned to the infected Mac.
In other words, it could lead the user to a site that could host malware or generate cash for the botnet controllers through referral programs.