Russian Security Firm Says Flashback Botnet Is Not Shrinking


Contrary to recent reports, the worldwide botnet of Macs infected with the Flashback malware has remained relatively steady in size, the Russian security vendor Dr. Web said over the weekend.

Dr. Web discovered the botnet -- which it calls BackDoor.Flashback.39 -- on April 4. It claims that more than 817,000 bots have connected to the botnet thus far, and that an average of 550,000 infected machines are interacting with a command-and-control server each day.

New infected machines that have not yet been registered in the botnet -- and which cannot yet be tracked -- are joining every day, according to Dr. Web.

Dr. Web's latest findings contradict those of Symantec and Kaspersky Lab, which earlier this month reported that the Flashback botnet had shrunk to less than half its peak size of 650,000 infected machines. They attributed the decline to Apple's work with Internet service providers to take down command-and-control servers and to the release of malware removal tools by third parties.

However, Dr. Web says these findings are inaccurate because they rely on data gathered from hijacked botnet control servers. After conducting its own analysis, Dr. Web found that additional control servers have come online and that some bots have been switched to standby mode, which means the botnet is larger than Symantec and Kaspersky claim.

"This is the cause of controversial statistics -- on one hand, Symantec and Kaspersky Lab reported a significant decline in the number of BackDoor.Flashback.39 bots," Dr. Web researchers said in a blog post. "On the other hand, Doctor Web repeatedly indicated a far greater number of bots which didn't tend to decline considerably."

"Doctor Web once again warns Mac OS X users of the BackDoor.Flashback.39 threat and strongly recommends that you install Java updates and scan the system to determine whether it has been infected," the company said in the blog post.

Apple issued a patch for the Java vulnerability April 4, but security researchers criticized the company for its slow response to the issue, which was first reported in February.

On April 12, Apple released an update for Mac OS X v10.7 and v10.6 that removes most common variants of Flashback.

Last week, security researchers identified a Flashback variant, called SabPub, that appears to have been built to carry out targeted attacks, potentially against pro-Tibetan activists.

In the wake of Dr. Web's discovery, Apple contacted Russian Web registrar Reggi.ru seeking to have one of the vendor's domains taken offline, according to a report from Forbes. Apple apparently mistook it for one of the botnet's command-and-control servers, when in fact it was being used by Dr. Web for testing purposes.