Firms Can't Agree On Real Size of Flashback Botnet

By Kevin Parrish
published

Various security firms are spouting different numbers concerning the overall size of the Flashback botnet, yet Doctor Web insists it's still above 600,000 infected Macs.

Just last week, Symantec said that the Flashback/Flashfake botnet had dwindled down to around 140,000 infected Mac computers. Yet Dr. Web, the security firm that discovered the mass Mac infection, stands firm that it still counts 650,000 Macs with active Flashback/Flashfake infections. Kaspersky's count has dropped to 45,000, meaning that no one is really for sure how large the Flashfake botnet really is.

"According to Doctor Web, 817,879 bots connected to the BackDoor.Flashback.39 botnet at one time or another, and an average of 550,000 infected machines interact with a control server on a 24 hour basis," Doctor Web stated on Friday. "On April 16, 717,004 unique IP addresses and 595,816 Mac UUIDs were registered on the BackDoor.Flashback.39 botnet while on April 17 the figures were 714,483 unique IPs and 582,405 UUIDs. At the same time, infected computers that have not been registered on the BackDoor.Flashback.39 network before, join the botnet every day."

The difference in numbers between the various security firms stem from the methods they use to count infections. Both Symantec and Doctor Web establish a server that looks like one of the 70 command and control servers used to control the botnet, yet Doctor Web says it found a entirely separate pool of infected Macs by tracing a secondary line of communication between the servers and infected Macs.

"On April 16th, additional domains whose names are generated using the current date were registered," Doctor Web said. "Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network."

"However, after communicating with servers controlled by Doctor Web, trojans send requests to the server at 74.207.249.7, controlled by an unidentified third party," the firm adds. "This server communicates with bots but doesn't close a TCP connection. As the result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."

This is the reason why security firms like Symantec and Kaspersky don't show the same numbers as Doctor Web. But Symantec claims that the same method to distribute Flashback has also been used to unleash the OSX.Sabpab malware which was just identified that week. This suggests that Doctor Web is actually double-counting machines infected with both malware, or the firm is including the Sabpab infections with its Flashback infection count.

Currently Doctor Web and Symantec are reportedly talking about their differences and are stumped as to why they're coming up with different numbers. The latter company is supposedly admitting that Doctor Web's methods are correct, and that Symantec would change its own to be more consistent. However Symantec has not provided an official statement.

Doctor Web is now warning Mac OS X users to install the Java updates and scan the system to determine whether it has been infected. For more information about BackDoor.Flashback detection and neutralization, visit https://www.drweb.com/flashback/. To remove the trojan, consumers can use Dr.Web for Mac OS X Light available free of charge.

Kevin Parrish
10 Comments Comment from the forums
  • proxy711
    Ya this is really confusing too I just read an article on apples research they said zero macs were infected. They then went on to explain that this botnet was really a trial for a product they call Inet. Its going to be a new feature in the Bobcat update, along with Ivirius and Imalware and maybe even Irootkit if its finished in time.

    I can't wait for this update!
    Reply
  • tramit
    Does it matter anymore now that a fix has been implemented and a downward trending of infected users has been established?
    Reply
  • thety6on
    proxy711Ya this is really confusing too I just read an article on apples research they said zero macs were infected. They then went on to explain that this botnet was really a trial for a product they call Inet. Its going to be a new feature in the Bobcat update, along with Ivirius and Imalware and maybe even Irootkit if its finished in time.I can't wait for this update!
    You ACTUALLY believed something Apple said?
    Reply
  • rantoc
    One side is the apple marketing sponsored companies who like to keep the numbers down at any cost (including the users security) and on the others those who like to scare people into purchasing anti-virus software. The numbers are likely in between...

    Would be interesting to know how many percent of the mac's that are infected considering they only have a small 6% market share worldwide.
    Reply
  • thezooloomaster
    Some people are overly paranoid about computer infections, and others believe they are immune to it; it's the nature of Personal Computing. The truth is that we could all be infected by just about anything without really knowing it, and as long as there are active hackers, new undetectable malicious content will be making its way onto peoples' machines.
    Reply
  • wantiao2013
    Very interesting, thank you for sharing!
    Reply
  • dreadlokz
    rot apple, rot!!! Or make a new iPhone better then everything else in the market like the first one... I don't think so, just rot =)
    Reply
  • rex86
    This is so much fun. I'm loving it.
    Reply
  • byous88
    new undetectable malicious content will be making its way onto peoples' machines.
    Reply
  • eddieroolz
    The secretive ways of Apple may have something to do with the difficulty, I'm sure.
    Reply