Contrary to popular reports, the Flashback botnet is not shrinking, said the Russian antivirus firm that first reported the massive infection three weeks ago.
Dr. Web, which was the first to report the largest-ever successful malware attack against Apple’s OS X, said the pool of Flashback-infected Macs still hovers around the 650,000 mark, and that infections are continuing.
Also on Friday, Liam O Murchu, manager of operations at Symantec’s security response center, confirmed Dr. Web’s numbers were correct.
Both Dr. Web’s tally and its contention that infections are ongoing flew in the face of other antivirus companies’ assertions. Kaspersky Lab and Symantec, which have each “sinkholed” select domains — hijacked them before the hackers could use them to issue orders to compromised machines — used those domains to count the Macs that try to communicate with the malware’s command-and-control centers.
Earlier this week, Symantec said the Flashback botnet had shrunk by 60% and was down to 142,000 machines. Kaspersky claimed its count registered only 30,000 infected Macs.
Not even close, said Dr. Web. “The number is still around 650,000,” said Dr. Web.
On April 16, the company continued, it said 595,000 different Macs registered on the botnet, while the next day, April 17, the count was over 582,000.
Symantec’s O Murchu said Dr. Web is right.
“We’ve been talking with them about the discrepancies in our numbers and theirs,” O Murchu said. “We now believe that their analysis is accurate, and that it explains the discrepancies.”
When asked for comment, Kaspersky Lab said it was looking into the matter.
According to Dr. Web, counts by others were incorrect because of how the malware calculates the locations of command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.
Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month, and after an infected Mac asks those servers — controlled by Dr. Web — for instructions, they then reach out to another domain.
Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.
But Dr. Web did know what happens next in Flashback’s complex communication scheme.
“This server communicates with bots but doesn’t close a TCP connection,” wrote Dr. Web. “As [a] result, bots switch to the stand-by mode and wait for the server’s reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec].”