Flashback infections are increasing! Flashback infections are decreasing! Flashback infections are staying the same!
So which is it?
Here’s the backstory: As we reported previously, Mac users have been hit with a nasty bit of malware that requires absolutely nothing on their part save for visiting malicious websites in order for Flashback to enter their systems. It’s easily preventable, so long as one disables Java in one’s browser or updates Java to the most current version. In fact, keeping one’s Apple system current with all of its updates is one of the best ways to thwart any kind of malware, not just Flashback.
Finding out whether you’re infected with Flashback is similarly easy, as is removing it. But it remains to be seen whether users are doing so in large numbers, or whether a steady stream of new Macs is being infected despite the official updates designed to prevent it.
Symantec reported this past Wednesday that the number of total Flashback infections was down to approximately 140,000 from around half a million. However, the company has since revised its estimate to note that its method for detecting infected systems is reporting “limited infection counts,” as discovered by virus analysts at Dr. Web.
“The botnet statistics acquired by Doctor Web contradicts recently published reports indicating a decrease in the number of Macs infected by BackDoor.Flashback.39. The number is still around 650,000,” reads a blog post on Dr. Web’s site.
Why the big discrepancy? Flashback works by reporting the information it captures from an infected system, such as the user’s login credentials for websites, back to command-and-control servers. The malware generates the addresses of these servers itself, including domain names derived from the current date.
In other words, Flashback is just shouting this information out into the ether: it’s up to unscrupulous third-party attackers to register data-collecting sites at the addresses where Flashback will send its information in order to complete the malware handshake.
Security researchers who can predict these data-collection domains register them in advance, both to mitigate the effects of the malware and to calculate the overall size of the infection.
“However, after communicating with servers controlled by Doctor Web, Trojans send requests to the server at 126.96.36.199, controlled by an unidentified third party. This server communicates with bots but doesn’t close a TCP connection. As the result, bots switch to the standby mode and wait for the server’s reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists,” reads Dr. Web’s blog post.
“This is the cause of controversial statistics: on one hand, Symantec and Kaspersky Lab reported a significant decline in the number of BackDoor.Flashback.39 bots; on the other hand, Doctor Web repeatedly indicated a far greater number of bots which didn’t tend to decline considerably.”
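The measurement problem Dr. Web describes can be shown with a small simulation (an added example, not code from Dr. Web, Symantec or the malware): bots walk their generated C2 list in order, a hanging server that never answers or closes the connection stops them there, and any sinkhole later in the order sees its count collapse even though the number of infected machines is unchanged. Host names and bot counts are constructed for the illustration.

```python
# Simulation of sinkhole undercounting caused by a hanging C2 server.
# Constructed example; host names and counts are illustrative only.
from dataclasses import dataclass, field


@dataclass
class C2Host:
    name: str
    sinkhole: bool = False     # registered by researchers; records each bot that reaches it
    hangs: bool = False        # accepts the TCP connection but never replies or closes it
    seen: set = field(default_factory=set)


def bot_checkin(bot_id, contact_order):
    """Walk the C2 list in order and return where the bot ends up.

    A real bot blocks waiting for the hanging server's reply, so it is
    modelled as stopping there and never contacting the hosts after it.
    """
    for host in contact_order:
        host.seen.add(bot_id)
        if host.hangs:
            return host.name
    return "cycle complete"


def sinkhole_counts(bot_ids, contact_order):
    """Drive every bot through one check-in cycle; report per-sinkhole counts."""
    for bot_id in bot_ids:
        bot_checkin(bot_id, contact_order)
    return {h.name: len(h.seen) for h in contact_order if h.sinkhole}


def scenario(n_bots, third_party_hangs):
    """Two researcher sinkholes with an unknown third-party server between them
    in the bots' contact order; toggle whether that server leaves connections open."""
    order = [
        C2Host("sinkhole-A", sinkhole=True),
        C2Host("third-party-server", hangs=third_party_hangs),
        C2Host("sinkhole-B", sinkhole=True),
    ]
    return sinkhole_counts(range(n_bots), order)


if __name__ == "__main__":
    print("well-behaved C2:", scenario(1000, False))   # both sinkholes count 1000
    print("hanging C2:     ", scenario(1000, True))    # sinkhole-B drops to 0
```

The infected population is identical in both runs; only the sinkhole sitting after the hanging server reports a decline, which is why counts from differently placed sinkholes disagree.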
For more from David, subscribe to him on Facebook: David Murphy.