Earlier this week, Symantec reported that the number of Mac OS X computers infected with the Flashback malware had been cut down to just 140,000, compared to over 500,000 Mac PCs just a couple of weeks ago. Now the Dr. Web research team, which discovered the Flashback malware in the first place, is saying, "Not so fast," to Symantec"s numbers. In fact the team claims that the number could be as high as 650,000 infected Mac PCs.
In a post on its site, Dr. Web states:
BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain name is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its predefined priorities. The main domains for BackDoor.Flashback.39 command servers were registered by Doctor Web at the beginning of April, and bots first send requests to corresponding servers. On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed us to more accurately calculate the number of bots on the malicious network, which is indicated on the graph.
Symantec quickly posted an update to its blog which admitted that the Dr. Web team may have a point. While it still believes that Flashback infections have in fact been curtailed, they have not gone down as much as expected.
Apple has already released a Mac OS X update that is supposed to remove the Flashback malware. In addition, the update also sets the Java web plug-in program to disable the automatic execution of any Java applets. Flashback was installed on all those Mac PCs thanks to a flaw, since fixed, that allowed JavaScript code to load to a Java applet that contained Flashback to a Mac PC.
Image via Dr. Web