Russian antivirus firm Doctor Web claims the Flashback Trojan variant has infected enough Mac OS X systems to create a botnet of 600,000 hosts.
By Windows standards, 600,000 is small. The Zeus botnet, which targeted Windows systems, by contrast, was claimed to have infected 13 million since 2007, according to Microsoft which took action against it last week.
But this is big by Mac OS X standards, which is often claimed to be off attackers’ radar.
Dr Web said its researchers used a “sinkhole” to redirect the Flashback botnet’s traffic to its own servers, allowing them to come up with the figure, which it initially reported as 550,000.
“Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4,” the security firm claimed.
More than half the infections were in the US, about 19 per cent in Canada, about 12 per cent in the UK, and fourth on the list was Australia at about 6 per cent, amounting to 32,527 infected hosts.
However, infections quickly climbed according to the company. Ars Technica referenced a Twitter updated by Dr Web malware analyst Sorokin Ivan who claimed infections had now hit 600,000 four hours after the initial report.
The FlashBack attackers have been working on new variants since first being discovered in 2011 and have been exploiting several Java (owned by Oracle) vulnerabilities over the past few months, the last of which F-Secure warned about last Sunday.
After a Mac user visits a rigged website, the Trojan first checks if the Mac is using one of several security products which it lists, and if they are not found it issues the payload.
Flashback, as F-Secure and Dr Web point out, were using exploiting Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353) to infect systems without user interaction in February 2012.
Mac AV vendor Intego brought attention to the Trojan’s new techniques in February, but failed to mention which flaws it was exploiting to achieve infections without user intervention.
But they were the old flaws.
“After March 16 they switched to another exploit (CVE-2012-0507),” says Dr Web, a Java flaw that Oracle issued a fix for in February.
While Microsoft quickly issued a patch for that flaw, Apple only released its patch yesterday.
“The vulnerability has been closed by Apple only on April 3 2012,” Dr Web notes.
Mac users are strongly advised to update their OSX software immediately. Apple provides details about the update here.
According to Dr Web, there were more than 4 million pages that could infect Mac OS X systems without the Java update, including, reportedly, the website of widely-used networking company maker, DLink.
Dr Web said its research has debunked the myth “there are no cyber-threats to Mac OS X”.