Sunday, April 22, 2012

Flashback botnet not shrinking after all: security firm

Despite patches, removal tools, and reports to the contrary, it appears the Flashback Mac-based botnet is not shrinking, according to Dr. Web, the Russian antivirus firm that first reported the massive infection three weeks ago.

Dr. Web said on Friday that the number of Flashback-infected Macs is still around 650,000, and that infections are continuing. Although other security firms at first said the number of infections was shrinking quickly, Liam O Murchu, director of operations at Symantec's security response center, also confirmed on Friday that Dr. Web's assertions were correct.

O Murchu in an interview Friday said that "We've been talking with them about the discrepancies in our numbers and theirs. We now believe that their analysis is accurate, and that it explains the discrepancies."

On Tuesday, Symantec had said that the number of machines in the botnet had dropped to 140K, down from an estimated 600,000 in early April. On Thursday, Kaspersky Labs said that the Flashback botnet had shrunk to 30,000 machines.

How did this happen? Dr. Web's analysis is as follows: security companies have "sinkholed" (taken over) the Flashback command-and-control domains, which lets them observe botnet traffic. But according to Dr. Web, once the Flashback malware has run through its list of possible C&C domains, the infected machine then makes a request to a specific server that uses a static IP address.

Once it reaches that server, the infected machine is put into what is basically a stand-by mode and generates no further traffic, which leads to the mistaken impression that the botnet is shrinking.
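The following model, added here to illustrate the counting gap Dr. Web describes (it is not code from Dr. Web, Symantec or the malware itself), simulates bots that beacon to a list of C&C domains, some of them sinkholed, and that go quiet once they reach a non-sinkholed static-IP server. The domain names, the IP address and the reach probability are constructed values; the point is that the sinkhole's daily count of distinct bots falls while the number of infected machines does not change.

```python
"""Model of the sinkhole-counting gap described above (constructed, illustrative)."""
import random

# Constructed values for the model, not Flashback's real infrastructure.
DOMAIN_LIST = ["cc-a.example", "cc-b.example", "cc-c.example"]  # domains tried in order
SINKHOLED = {"cc-a.example", "cc-b.example"}                      # taken over by researchers
STATIC_IP_SERVER = "203.0.113.10"   # final, non-sinkholed server (TEST-NET-3 placeholder)


class Bot:
    """One infected host. Beacons until it reaches the static-IP server, then goes quiet."""

    def __init__(self, bot_id):
        self.bot_id = bot_id
        self.dormant = False

    def check_in(self, static_server_reachable):
        """Return the endpoints contacted in one cycle; [] once the bot is on stand-by."""
        if self.dormant:
            return []
        contacted = list(DOMAIN_LIST)            # runs through the whole domain list first
        if static_server_reachable:
            contacted.append(STATIC_IP_SERVER)
            self.dormant = True                  # stand-by: no further traffic at all
        return contacted


def simulate(n_bots=1000, days=14, reach_prob=0.3, seed=1):
    """Return (sinkhole_counts, infected_counts), one entry per simulated day.

    sinkhole_counts[d]: distinct bots seen at any sinkholed domain on day d (what a
    researcher observes). infected_counts[d]: bots actually still infected, which stays
    constant because nothing in this model cleans a machine."""
    rng = random.Random(seed)
    bots = [Bot(i) for i in range(n_bots)]
    sinkhole_counts, infected_counts = [], []
    for _ in range(days):
        seen = set()
        for bot in bots:
            for endpoint in bot.check_in(rng.random() < reach_prob):
                if endpoint in SINKHOLED:
                    seen.add(bot.bot_id)
        sinkhole_counts.append(len(seen))
        infected_counts.append(len(bots))
    return sinkhole_counts, infected_counts


if __name__ == "__main__":
    observed, actual = simulate()
    for day, (o, a) in enumerate(zip(observed, actual)):
        print(f"day {day:2d}: sinkhole sees {o:4d} bots, actually infected {a:4d}")
```

Running it shows the observed count decaying day by day while the true population stays at 1000, which is exactly the discrepancy between the early sinkhole-based estimates and Dr. Web's figure.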

Flashback has primarily made its attacks via a Java vulnerability that was patched by Oracle in February. However, Apple maintains its own version of Java for Mac OS X, and did not patch the vulnerability until seven weeks later.
