Despite a fix offered by Apple, Symantec reports that there are still around 140,000 Macs infected with the OSX.Flashback.K malware. To some degree, that's actually good news, as approximately 600,000 Macs were infected as of April 9. Only 380,000 machines had the Flashback/Flashfake malware the next day, and 323,000 the day after that. By Tuesday, fewer than 99,000 were expected to still be infected, yet the number still hovered around the 140,000 mark on Wednesday.
"We had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case," Symantec reports. "Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark. As there have been tools released by Symantec and other vendors in the past few days concerning this threat, the infection numbers should have seen a dramatic decrease by now."
The security firm added that the recent Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability, which was used to distribute the Flashback Trojan, has also been spotted being used to distribute another Mac threat called OSX.Sabpab. This trojan has been used in targeted attacks and has also been distributed with malicious Word documents exploiting the Microsoft Word Record Parsing Buffer Overflow Vulnerability.
As for Flashback/Flashfake, the company has uncovered new information about its domain name generator (DNG) algorithm. According to the company, the algorithm does not limit itself to ".com" as the top-level domain (TLD), but chooses among five TLDs. As an example, it can reach out to eeejudpyefmsnd.net or bwincdwtyxsorh.info.
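For defenders, generated names like the two samples above can be hunted in resolver logs. The following is an added example, not Symantec's code or the Flashback algorithm: the log format, the length and consonant-run thresholds, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# TLDs that appear in the article (".com" plus the two sample domains' TLDs).
# Extend this set as more TLDs are confirmed.
WATCH_TLDS = {"com", "net", "info"}
# Five or more consecutive letters with no vowel (or 'y'): rare in real words.
CONSONANT_RUN = re.compile(r"[^aeiouy]{5,}")

# Constructed resolver log lines: "<time> <client> <queried name>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.apple.com.
10:00:02 10.0.0.7 eeejudpyefmsnd.net.
10:00:03 10.0.0.7 bwincdwtyxsorh.info.
10:00:04 10.0.0.5 stackoverflow.com.
10:00:05 10.0.0.9 EEEJUDPYEFMSND.NET
10:00:06 10.0.0.7 eeejudpyefmsnd.net.
10:00:07 10.0.0.9 internationalization.info.
malformed line
"""

def looks_generated(qname, min_len=12):
    """Heuristic only: long, letters-only second-level label with a long
    consonant run, under a watched TLD. Thresholds are assumptions."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] not in WATCH_TLDS:
        return False
    sld = labels[-2]
    return (len(sld) >= min_len and sld.isascii() and sld.isalpha()
            and CONSONANT_RUN.search(sld) is not None)

def suspicious_clients(log_text, min_distinct=2):
    """Map client -> sorted candidate names, keeping only clients that
    queried at least min_distinct different candidates."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip lines that do not match the format
            continue
        _, client, qname = parts
        if looks_generated(qname):
            hits[client].add(qname.rstrip(".").lower())
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_distinct}

if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, names)
```

Requiring several distinct candidates per client cuts false positives from a single odd-looking hostname; a hit is a lead for triage, not proof of infection.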
Naturally, Symantec suggests that Mac users have the latest antivirus signatures installed and apply the latest available patches for both the operating system and third-party applications. A free detection and removal tool for the OSX.Flashback.K issue, the "Norton Flashback Detection and Removal Tool," is also available for download.
Last week Kaspersky Lab also launched its own Flashfake removal tool, but later pulled it over a bug that caused the erroneous removal of certain user settings, including auto-start configurations, user configurations in browsers, and file sharing data.
Mac users concerned that they might be infected with Flashback/Flashfake can still use Kaspersky's online tool to scan their system. This dedicated site is safe for users to visit and enter their computer’s UUID, which will be checked in Kaspersky Lab’s Flashfake database of infected computers (instructions for entering user UUIDs are included as well). If the UUID is found in Kaspersky's database, then infected Mac users will need to download and run the fixed removal tool when it becomes available.