Huge Infected Mac Network May Be Hibernating, Not Shrinking
CREDIT: Image composite by SecurityNewsDaily
This story was updated at 5:25 pm EDT Friday.
The vast network of Apple Macintosh machines infected by the Flashback Trojan may be going dormant instead of shrinking, a Russian information-security firm said in a blog posting today (April 20).
"The botnet statistics acquired by Doctor Web contradict recently published reports indicating a decrease in the number of Macs infected by BackDoor.Flashback.39 The number is still around 650,000," read the posting on the Dr. Web website.
On Tuesday, American anti-virus software giant Symantec reported that the Flashback botnet had been reduced to 140,000 machines, a sharp drop from an estimated 600,000 in early April.
Yesterday, another Russian anti-virus company, Kaspersky Lab, in a conference call with information-security specialist and journalists, estimated that the Flashback botnet was at a mere 30,000 machines — less than a twentieth the size of Dr. Web's figures.
Dr. Web thinks it knows why the numbers are different.
"Recent publications found in open access report a reduction in the number of BackDoor.Flashback.39 bots. Typically, these materials are based on analysis of statistics acquired from hijacked botnet control servers. Doctor Web's analysts conducted a research to determine the reasons for this discrepancy."
The posting goes into some detail explaining how machines infected by the Flashback Trojan generate new domain names for command-and-control servers, using pre-arranged algorithms that allow information-security companies such as Dr. Web to set up "sinkhole" servers to capture and measure botnet traffic.
There's a twist, however. After running through the list of possible command-and-control servers, each infected machine then shoots a request to a specific server that's not using a generated domain name, but a static Internet Protocol address.
That server replies to the infected machine, but keeps the connection open, preventing the infected machine from communicating with any other command-and-control servers. (Readers with networking experience can take a look at a Wireshark screenshot on the Dr. Web site.)
In effect, the infected machine is put on hold.
"Bots switch to the standby mode and wait for the server's reply and no longer respond to further commands," the Dr. Web posting explains. "As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."
Apple has not commented on the Flashback infection, other than to issue software patches to block its installation and remove any instances of it. Only Apple knows how many Macs have applied the patches, but the updates should have significantly reduced the size of the botnet.
Igor Soumenkov of Kaspersky Lab, in a statement to SecurityNewsDaily, guessed that different companies might be running their sinkholes differently.
"This is just speculation on my part but the discrepancy could be in the different way the sinkholing is conducted," Soumenkov said. "There is a small possibility that other companies sinkholed more 'daily' C&C domain names while we rely on 'persistent' domain names (generated by function that does not depend on date), and the subsets that use these domain names are a bit different."
If you're a Mac user and you haven't applied Apple's software updates, do so now. If you have, then the next step is to install anti-virus software, because one thing's for certain: Flashback will not be the last widespread Mac infection we see this year.
UPDATE: Just after this story was initially posted, Symantec conceded that Dr. Web's argument was valid.
"We now believe that their analysis is accurate, and that it explains the discrepancies," Symantec's Liam O Murchu told Computerworld.