Flashback botnet not shrinking: Russian security firm

By Kevin McLaughlin on Apr 26, 2012 8:08 AM
Filed under Security

Apple users warned malware still spreading.

Contrary to recent reports, the worldwide botnet of Macs infected with the Flashback malware has remained relatively steady in size, the Russian security vendor Dr. Web claims.

Dr. Web discovered the botnet -- which it calls BackDoor.Flashback.39 -- on April 4. It claims more than 817,000 bots have connected to the botnet thus far, and that an average of 550,000 infected machines are interacting with a command-and-control server each day.

New infected machines that have not yet been registered in the botnet, and which cannot yet be tracked, are joining every day, according to Dr. Web.

Dr. Web's latest findings contradict those of Symantec and Kaspersky Lab, which earlier this month reported that the Flashback botnet had shrunk to less than half its peak size of 650,000 infected machines due to Apple's work with Internet service providers to take down command-and-control servers and the release of malware removal tools from third parties.

However, Dr. Web says these findings are inaccurate because they rely on data gathered from hijacked botnet control servers. After conducting its own analysis, Dr. Web found that additional control servers have come online and that some bots have been switched to standby mode, which means the botnet is larger than Symantec and Kaspersky claim.

"This is the cause of controversial statistics - on one hand, Symantec and Kaspersky Lab reported a significant decline in the number of BackDoor.Flashback.39 bots," Dr. Web researchers said in a blog post. "On the other hand, Doctor Web repeatedly indicated a far greater number of bots which didn't tend to decline considerably."

"Doctor Web once again warns Mac OS X users of the BackDoor.Flashback.39 threat and strongly recommends that you install Java updates and scan the system to determine whether it has been infected," the company said in the same post.

Apple issued a patch for the Java vulnerability April 4, but security researchers criticised the company for its slow response to the issue, which was first reported in February.

On April 12, Apple released an update for Mac OS X v10.7 and v10.6 that removes most common variants of Flashback.

Last week, security researchers identified a Flashback variant, called SabPub, that appears to have been built to carry out targeted attacks, potentially against pro-Tibetan activists.

In the wake of Dr. Web's discovery, Apple contacted Russian Web registrar Reggi.ru seeking to have one of the vendor's domains taken offline, according to a report from Forbes.

Apple apparently mistook it for one of the botnet's command-and-control servers, when in fact it was being used by Dr. Web for testing purposes.

This article originally appeared at crn.com

Copyright © 2011 United Business Media LLC. All rights reserved.