Update: 2:05 PM P.T. New concerns emerged Friday about the spread of a malware epidemic that targets users of Apple’s Mac OS X.
Last week, Symantec said the number of infections had dropped to 140,000. Another security firm, Kaspersky Lab, also reported a sharp decline in the number of infected computers.
But a Russian security company named Dr. Web, which was the first to spot the fast-spreading malware infection targeting Mac users, suggests that the estimated declines are incorrect. According to Dr. Web:
817,879 bots connected to the BackDoor.Flashback.39 botnet at one time or another and an average of 550,000 infected machines interact with a control server on a 24-hour basis. On April 16, 717,004 unique IP addresses and 595,816 Mac UUIDs were registered on the BackDoor.Flashback.39 botnet while on April 17 the figures were 714,483 unique IPs and 582,405 UUIDs. At the same time, infected computers that have not been registered on the BackDoor.Flashback.39 network before join the botnet every day. The chart below shows how the number of bots on the BackDoor.Flashback.39 botnet has been changing from April 3 to April 19, 2012.
Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnations, the software can install itself without user interaction.
Dr. Web reported that as of April 19, 566,000 Macs were infected. If so, we’re back to Defcon 1.
BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain name is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its predefined priorities. The main domains for BackDoor.Flashback.39 command servers were registered by Doctor Web at the beginning of April, and bots first send requests to corresponding servers. On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed us to more accurately calculate the number of bots on the malicious network, which is indicated on the graph.
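To make the census method described above concrete, here is an added example (not Dr. Web's code or data) that tallies constructed sinkhole log lines the way such a count works: unique IPs and unique UUIDs per day, the UUIDs first seen on each day, and the all-time distinct total. The log format, addresses and UUID labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log (not real Dr. Web data), one "timestamp ip uuid" per line.
# Two UUIDs share one IP (NAT) and one UUID changes IP across days (DHCP), which is
# why per-day unique-IP and unique-UUID counts differ, as in the figures quoted above.
SINKHOLE_LOG = """\
2012-04-16T00:12:03Z 198.51.100.10 UUID-A
2012-04-16T01:40:55Z 198.51.100.10 UUID-B
2012-04-16T02:15:11Z 203.0.113.7 UUID-C
2012-04-16T09:00:00Z 203.0.113.7 UUID-C
2012-04-17T00:05:41Z 198.51.100.10 UUID-A
2012-04-17T03:22:09Z 203.0.113.9 UUID-C
2012-04-17T04:47:30Z 192.0.2.44 UUID-D
2012-04-18T11:10:02Z 192.0.2.44 UUID-D
2012-04-18T12:00:00Z 198.51.100.10 UUID-B
"""


def parse_log(text):
    """Yield (day, ip, uuid) for every well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue
        yield day.isoformat(), parts[1], parts[2]


def daily_bot_counts(text):
    """Return ({day: {ips, uuids, new_uuids}}, distinct UUIDs ever seen).

    A UUID is 'new' on the first day it checks in; the all-time total is the
    'connected at one time or another' figure, the per-day UUID count the daily one."""
    ips, uuids = defaultdict(set), defaultdict(set)
    for day, ip, uuid in parse_log(text):
        ips[day].add(ip)
        uuids[day].add(uuid)
    seen, report = set(), {}
    for day in sorted(uuids):
        new = uuids[day] - seen
        report[day] = {"ips": len(ips[day]), "uuids": len(uuids[day]), "new_uuids": len(new)}
        seen |= uuids[day]
    return report, len(seen)


if __name__ == "__main__":
    per_day, total = daily_bot_counts(SINKHOLE_LOG)
    for day, counts in per_day.items():
        print(day, counts)
    print("distinct bots ever seen:", total)
```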
In response, Symantec posted a blog stepping back from its prior belief that there would be a sharper decline in the number of infections by now. “This has proven not to be the case,” Symantec said, adding that “it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.”