Mac Botnet Shrinks As Defensive Efforts Take Hold

The number of Macs infected with the Flashback malware has fallen by more than half, an indication of the success of efforts to destroy the largest network to date of compromised Apple computers, a security vendor said.

Since peaking last week at 600,000 Macs, the botnet has been shrinking and comprised 270,000 systems as of Thursday, Cupertino, Calif.-based Symantec said. The majority of infected systems were in the United States and Canada, with fewer found in the U.K., continental Europe and Australia.

The publicity surrounding the botnet, which accounted for more than 1 percent of all Macs in use, has contributed to the erosion, Liam O Murchu, manager of operations for the Symantec Security Response team, said. Once made aware of the infection, Mac users have been checking their systems and using removal tools, some of which security vendors are providing for free. In addition, Apple has been working with Internet service providers to take down command-and-control servers, making it difficult for the malicious network to grow.


The botnet is expected to fade as the intensity of the publicity increases the chances of the attackers getting caught, Murchu said. Because the same criminals have been targeting Macs with Flashback since September 2011, they are likely to return with another variant of the malware, which is capable of stealing passwords used in online banking or other websites. "They put a bit of work in this already, so it is conceivable that they would just move on to create a new version and start infecting people again," Murchu said.

The attackers have had so much success in the latest campaign because they targeted a vulnerability in the Java runtime on the Mac that allows the malware to be installed simply by visiting a malicious website, with no download prompt or password request: a drive-by download. The flaw is in the Java application platform, and the doorway is the Web browser, which hands the attacker's Java applet to the vulnerable runtime. Mac users were probably directed to the malicious site after clicking on a link secretly embedded in a legitimate website, Murchu said.


Adding to the ease with which the Macs were infected was Apple's slow response to the Java vulnerability. The company did not release a patch until weeks after a fix had been issued for Windows PCs, leaving a window in which the exploit worked against fully updated Macs. On Wednesday, Apple released a short statement outlining its defensive efforts, which included getting ISPs to take the criminals' servers offline. On Thursday, Apple released an update for Mac OS X v10.7 and v10.6 that automatically removes the most common variants of Flashback. In addition, if Java has not been used in the last 35 days, the Java plug-in is automatically disabled and has to be reactivated manually before a Java applet will run, so an unused runtime no longer sits exposed in the browser. Apple has advised people using older versions of Mac OS X, which do not receive the update, to disable Java support.

Meanwhile, security vendors have been trying to get the attention of Mac users by releasing advice and free tools to combat the malware. Symantec and Kaspersky Lab have released removal software, while F-Secure has posted on its website a how-to on removing it manually.

Free help aside, the outbreak is a wake-up call for Mac users. With Apple's share of the PC market growing, the Mac has become a worthwhile target for cyber-criminals. While the latest outbreak is the largest to date, it likely won't be the last, said Symantec's Murchu. "What it shows in general is a shift away from attackers solely looking at Windows and they're starting to look at other operating systems as well."