Number of infected Macs flashbacks to 650000

Powered by SC Magazine
 

Security firms trapped in tarpit.

Despite patches released by Apple and other customized offerings from security firms, the number of computers hijacked by the Flashback trojan remains near the 650,000 first reported.

Infection estimates released last week by researchers at Kaspersky Lab and Symantec seemed to indicate a major decrease in the number of compromised machines linked to the botnet.

According to a blog post by Symantec, researchers at the security firm believed the infection count to be approximately 140,000.

But now they are backing down on the optimistic projection, saying the number of poisoned machines has barely budged since the outbreak began two weeks ago.

The company said its count may have been distorted by a third-party sinkhole that used a “tarpitting” technique, which prevented the malware from attempting to connect to subsequent domains, such as the one Symantec set up to tally the number of infected Macs, said Liam O Murchu, director of operations at the company's Security Response Center.

“The impact of this is it caused Flashback connections to hang, which skewed our data,” he said. “The term [tarpitting] refers to the technique of responding as slowly as possible -- or not at all -- to the connecting machine so that the connecting machine will wait for the response indefinitely and not continue with the rest of its malicious code.”

While tarpitting serves the overall good by preventing compromised machines from receiving commands from attackers, it also makes life harder for legitimate researchers trying to gauge the size of a botnet infection.

Doctor Web's analysts found that Flashback uses a sophisticated routine to generate control server names: most of the domain names are generated from parameters embedded in the malware's resources, while others are derived from the current date. The trojan then queries the servers one after another according to its pre-defined priorities.

It further said that after communicating with servers controlled by Doctor Web, trojans send requests to the server at 74.207.249.7, controlled by an unidentified third party. This server communicates with bots but does not close a TCP connection, so bots switch to the standby mode and wait for the server's reply and no longer respond to further commands.

Because those bots no longer communicate with other command centres, many of which have been registered by information security specialists, some statistics showed the infection count to be shrinking.

Dr. Web was the first to report on the malware earlier this month, in what is considered to be the largest successful botnet attack ever on Mac OS X.

“After we understood what was happening, then we realized that Dr. Web's numbers are probably accurate,” O Murchu said.

In a statement Monday, Kaspersky Lab also acknowledged its mistake.

“Although there have been differences in the reported size of the botnet, the most important issue is still unresolved: a number of Mac OS X users are still infected with [Flashback] and haven't taken the proper steps to remove the malware,” it said.

A representative from Dr. Web could not be reached for comment.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

