Drastic drop of Flashback-ridden Macs appears premature


Despite patches released by Apple and other customized offerings from security firms, the number of computers hijacked by the Flashback trojan remains near the 650,000 first reported.

Infection estimates released last week by researchers at Kaspersky Lab and Symantec seemed to indicate a major decrease in the number of compromised machines linked to the botnet. According to a blog post Friday by Symantec, researchers at the security firm believed the infection count to be approximately 140,000.

But now they are backing down on the optimistic projection, saying the number of poisoned machines has barely budged since the outbreak began two weeks ago.

The company said its count may have been distorted by a third-party sinkhole that used a “tarpitting” technique to prevent the malware from attempting to connect to subsequent domains, such as the one set up by Symantec to tally the number of infected Macs, Liam O Murchu, director of operations at the company's Security Response Center, said in an email Monday to SCMagazine.com.

“The impact of this is it caused Flashback connections to hang, which skewed our data,” he said. “The term [tarpitting] refers to the technique of responding as slowly as possible -- or not at all -- to the connecting machine so that the connecting machine will wait for the response indefinitely and not continue with the rest of its malicious code.”

While tarpitting serves the overall good by preventing compromised machines from receiving commands from attackers, it also makes life harder for legitimate researchers trying to gauge the size of a botnet infection.
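The skew described above is easy to reproduce offline. The following Python simulation is an added example, not code from the article or from any of the vendors it quotes: a bot model walks its command-and-control domain list in order, one domain is held by a tarpitting sinkhole that logs the connection but never answers, and a later domain is held by a counting sinkhole. Domain names, bot identifiers and the share of clients that time out and move on are all constructed assumptions; the point is that the tarpit's own log sees every bot while the downstream tally only sees the clients that gave up waiting.

```python
"""Added example (not from the article): how a tarpitting sinkhole earlier in a
bot's domain list starves a later, counting sinkhole of connections and so
understates the botnet size. Domains, bot ids and proportions are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Sinkhole:
    """A domain taken over by a researcher. Every connection attempt is logged;
    a tarpit additionally withholds any response so the client hangs."""
    domain: str
    tarpit: bool = False
    seen: set = field(default_factory=set)

    def accept(self, bot_id: str) -> bool:
        self.seen.add(bot_id)        # the sinkhole can still log who connected
        return not self.tarpit       # True = responded, False = left hanging


@dataclass
class Bot:
    """Model of an infected host walking its C2 domain list in order."""
    bot_id: str
    gives_up_on_hang: bool = False   # does the client time out and try the next domain?


def walk_domains(bot: Bot, domains: list[str], sinkholes: dict[str, Sinkhole]) -> list[str]:
    """Return the domains the bot actually reached. The walk stops at the first
    tarpitted domain unless the client enforces a timeout of its own."""
    reached = []
    for d in domains:
        reached.append(d)
        sh = sinkholes.get(d)
        if sh is None:
            continue                 # nobody answers at all: assume the client moves on
        if not sh.accept(bot.bot_id) and not bot.gives_up_on_hang:
            break                    # tarpitted: client waits indefinitely
    return reached


def census(bots: list[Bot], domains: list[str], sinkholes: dict[str, Sinkhole]) -> dict[str, int]:
    """Run every bot through its domain list and report each sinkhole's unique count."""
    for b in bots:
        walk_domains(b, domains, sinkholes)
    return {d: len(sh.seen) for d, sh in sinkholes.items()}


def demo() -> dict[str, int]:
    """Constructed scenario: 1,000 bots, tarpit on the first domain, counting
    sinkhole on the third, one client in five times out and keeps walking."""
    domains = ["c2-a.example", "c2-b.example", "c2-c.example"]
    sinkholes = {
        "c2-a.example": Sinkhole("c2-a.example", tarpit=True),
        "c2-c.example": Sinkhole("c2-c.example"),
    }
    bots = [Bot(f"bot-{i}", gives_up_on_hang=(i % 5 == 0)) for i in range(1000)]
    return census(bots, domains, sinkholes)


if __name__ == "__main__":
    print(demo())  # {'c2-a.example': 1000, 'c2-c.example': 200}
```

Running the script shows the tarpit's log at 1,000 unique bots while the counting sinkhole further down the list records only 200, which is why two sinkhole operators can publish very different tallies for the same botnet. Reconciling the numbers means comparing which domain each researcher holds and where it sits in the bot's ordering, not just the counts themselves.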

Dr. Web was the first to report on the malware earlier this month; the outbreak is considered the largest successful botnet attack ever on Mac OS X.

“After we understood what was happening, then we realized that Dr. Web's numbers are probably accurate,” O Murchu said.

In a statement Monday, Kaspersky Lab also acknowledged its mistake.

“Although there have been differences in the reported size of the botnet, the most important issue is still unresolved: a number of Mac OS X users are still infected with [Flashback] and haven't taken the proper steps to remove the malware,” it said.

A representative from Dr. Web could not be reached for comment.
