Flashback Slashed But Apple Faces Backlash

Apple is slow and misguided, but the number of Flashback bots is coming down, say security experts

The number of active Flashback botnet infections has been cut to below 300,000, as Apple and the security industry succeed in tackling the estimated 650,000 Mac machines riddled with the malware.

Symantec said today the number of bots had been cut to 270,000 as of 11 April, whilst yesterday Kaspersky said the number had been reduced to 237,103 as of 8 April. Almost all infected machines are Apple Macs.

Security firms have set up sinkholes to direct bots to their own servers rather than the hackers’ command and control (C&C) ones. The OSX.Flashback.K malware uses a domain name generator (DNG) algorithm to generate a new domain each day to contact the C&C servers, but security firms have managed to acquire the names of those domains in advance before sinkholing them.

Symantec also identified some IP addresses used in the OSX.Flashback.K variant, but found they are no longer serving malicious content related to the Trojan. “However, we are monitoring the situation closely should the Flashback gang decide to redistribute their operations,” the security giant added in a blog post.

Bad Apples

Although Apple has moved to cut infections by working on a Flashback removal tool – something some security firms and other developers have already done – the Mac maker has come under fire for not being quicker to react to Flashback.

Rik Ferguson, director of security research and communication at Trend Micro, said Apple’s security updates are issued too slowly and not an any regular schedule.

“In this particular example, the most recent security update contains fixes for many vulnerabilities. The specific fix in question comes about six weeks after Microsoft, Adobe and Oracle released their fixes,” Ferguson told TechWeekEurope.

“It is misguided to believe that the simple act of not talking about publicly disclosed, and worse actively exploited, vulnerabilities will protect your customer. Criminals follow vulnerability trends and abuse them as soon as code is available.

“Should Apple start patching more quickly? In general terms, yes and particularly where an exploit is in-the-wild. This is certainly one area where Apple could learn a few lessons from the much abused Microsoft, in terms of the release of security bulletins detailing vulnerabilities and applying a graded rating system.”

Apple has said it plans to kill the botnet completely, however, as it said it was working with ISPs across the world to end Flashback completely. The company’s first steps created something of a snafu, however, as it asked for one of security company Dr Web’s domains to be closed. The domain was being used by Dr Web as part of its sinkhole operation.

Think you know security? Test yourself with our quiz.