Mac botnet may not be shrinking much after all

Flashback discoverer may have found second pool of infected Macs

The number of Macs infected by the Trojan that created the Flashback botnet has not been dropping nearly as much as anti-virus vendor Symantec claimed last week, according to the Russian security company that first discovered the botnet.

On Aug. 11 Symantec announced that the number of Macs infected with the Flashback malware had dropped from more than 600,000 to about 270,000 following the release of a patch Apple issued to plug the Java hole exploited by the malware.

During the following week it announced a further slimming of the botnet to about 140,000 machines, compared with a high of 670,000 on April 8.

Other anti-virus and security companies counted the victims far differently, however.

Kaspersky Software's count dropped as far as 45,000 active infections, for example.

On the other hand, Russian security company Dr. Web – which published the first warnings of the malware April 4 – announced earlier today it counts 650,000 Macs with the Flashback virus still active, a drop of only 23,000 from the peak it counted earlier.

The difference in numbers comes from the methods Symantec and Dr. Web use to count infections.

Symantec counts using a sinkhole – servers set up to look like one of the 70 command & control servers the Flashback Trojan polls periodically for instructions.

Dr. Web does the same, but claims to have found an entirely separate pool of infected Macs by tracing secondary communications between bots and C&C servers.

According to a story quoting Dr. Web on the Dutch security news site Security.nl, once the malware connects to one of the original 70 C&C servers it sends a request to a separate set of servers that issues the actual orders, and it keeps open the TCP port through which it communicates, so that the client can no longer talk to the servers or sinkholes it first contacted.

Symantec, meanwhile, reported Friday that the same method used to distribute Flashback has also been used to distribute the OSX.Sabpab malware identified last week.

That could mean Dr. Web is double-counting machines infected with both variants, or that it is including Sabpab infections with its count of Flashback infections.
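The counting dispute above (a sinkhole impersonating a first-tier C&C host, a second pool of bots that only show up against the secondary servers, and the risk of double-counting across families) comes down to how check-in logs are deduplicated. As an added example that is not from the article, Symantec or Dr. Web, the script below parses constructed sinkhole check-in lines from two sinkholes, one posing as a first-tier C&C host and one posing as a secondary server, and shows why summing the two sinkholes' unique-bot counts overstates the population while either sinkhole alone understates it. The log format, the sinkhole labels, the IP addresses and the bot identifiers are all assumptions made for illustration.

```python
import re

# Constructed sample check-in lines from two sinkholes (not real data).
# "tier1" poses as one of the original C&C hosts a bot polls first; "tier2"
# poses as a secondary server that hands out the actual orders. The field
# names, sinkhole labels, addresses and bot identifiers are assumptions.
SAMPLE_LOG = """\
2012-04-20T10:00:01Z sinkhole=tier1 src=203.0.113.10 botid=aaaa-0001 family=Flashback
2012-04-20T10:00:07Z sinkhole=tier1 src=203.0.113.11 botid=aaaa-0002 family=Flashback
2012-04-20T10:00:09Z sinkhole=tier1 src=203.0.113.12 botid=bbbb-0003 family=Sabpab
2012-04-20T10:05:01Z sinkhole=tier1 src=203.0.113.10 botid=aaaa-0001 family=Flashback
2012-04-20T10:00:30Z sinkhole=tier2 src=203.0.113.11 botid=aaaa-0002 family=Flashback
2012-04-20T10:01:00Z sinkhole=tier2 src=198.51.100.5 botid=aaaa-0004 family=Flashback
2012-04-20T10:01:12Z sinkhole=tier2 src=198.51.100.6 botid=aaaa-0005 family=Flashback
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sinkhole=(?P<sinkhole>\S+) src=(?P<src>\S+) "
    r"botid=(?P<botid>\S+) family=(?P<family>\S+)$"
)


def parse_log(text):
    """Parse check-in lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def unique_bots(records, sinkhole=None, family=None):
    """Distinct bot identifiers, optionally restricted to one sinkhole and/or
    one malware family. Repeated polls from the same bot count once, which is
    why a sinkhole measures bots, not requests."""
    return {
        r["botid"]
        for r in records
        if (sinkhole is None or r["sinkhole"] == sinkhole)
        and (family is None or r["family"] == family)
    }


def estimate_population(records, family=None):
    """Compare per-sinkhole counts, their naive sum and the deduplicated union.
    'only_in' shows bots invisible to every other sinkhole, i.e. the pool a
    single-tier sinkhole never sees."""
    sinkholes = sorted({r["sinkhole"] for r in records})
    per_sinkhole = {s: unique_bots(records, s, family) for s in sinkholes}
    union = set().union(*per_sinkhole.values()) if per_sinkhole else set()
    seen_by_all = (
        set.intersection(*per_sinkhole.values()) if len(per_sinkhole) > 1 else set()
    )
    only_in = {
        s: len(bots - set().union(*(b for t, b in per_sinkhole.items() if t != s)))
        for s, bots in per_sinkhole.items()
    }
    return {
        "per_sinkhole": {s: len(b) for s, b in per_sinkhole.items()},
        "naive_sum": sum(len(b) for b in per_sinkhole.values()),
        "deduplicated": len(union),
        "seen_by_all": len(seen_by_all),
        "only_in": only_in,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("all families:", estimate_population(recs))
    # Restricting to one family avoids folding Sabpab check-ins into a
    # Flashback count when both families share the same distribution path.
    print("Flashback only:", estimate_population(recs, family="Flashback"))
```

With the constructed data, each sinkhole sees three distinct bots, the naive sum is six, but only five bots exist once the one bot that checked in with both tiers is deduplicated, and each sinkhole sees two bots the other never does. Filtering on the family field drops the Sabpab host from the Flashback total, which is the check a defender would want before comparing figures from two vendors.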

Symantec and Dr. Web both said they had been discussing the differences in their counts, but described the outcome differently.

Symantec announced that it and Dr. Web were using consistent methods to count infected machines, and that its researchers were stumped by the vast differences in estimates of the size of the infection.

In this morning's story, Dr. Web claimed Symantec researchers had admitted Dr. Web's methods were right and would change theirs to be more consistent.

No response so far from Symantec.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.
