The number of Apple Macs infected with the Flashback malware seems to be shrinking as Internet security software vendors roll out tools to detect and remove the exploit and run sinkhole operations to reduce its effectiveness.
According to security vendor Symantec, the number of infected systems worldwide has shrunk to 270,000, less than half the more than 600,000 discovered by two other security firms earlier this month.
In an April 11 post on the companys official blog, Symantec officials said that a sinkhole operation theyve been monitoring had seen the number of infections drop from 380,000 to 270,000 in a 24-hour period. The sinkhole operation not only enables Symantec to monitor the Flashback malware, but also to prevent the exploit from contacting the command-and-control servers for more instructions, rendering the malware benign.
The bulk of the infected Macsabout 47.3 percentare in the United States, according to Symantec officials. Canada has the second-highest number of infections, at 13 percent.
Symantec also was able to identify many distinct IP addresses that are being used for the one of the Flashback variants.
The IP addresses are no longer serving malicious content related to OSX.Flashback.K; however, we are monitoring the situation closely should the Flashback gang decide to redistribute their operations, Symantec officials wrote.
The Flashback malware was first discovered last year, and operated as a classic Trojan, disguising itself as an update to Adobe Flash (thus the Flashback name). New versions were found in late March and earlier this month, with the variants acting more as drive-by malware, which infects the systems when the users go to a compromised or malicious Website.
A small Russian antivirus company, Dr. Web, announced April 4 that more than 600,000 Macsor between 1 and 2 percent of all Macs in use worldwidewere infected by the Flashback malware, a number that was later confirmed by security software maker Kaspersky Lab. Flashback became the largest malware issue to hit Apple systemswhich had seen several attacks by other malware over the past yearand has helped blow apart the theory that Macs are invulnerable to malicious software.
Apple has come under fire for its slow response to the Flashback malware, which takes advantage of flaws in Java. Oracle had fixed the flaws for Windows PCs and other systems weeks ago, but Apple didnt offer the patch to Mac users until last week. In addition, Dr. Web CEO Boris Sharov told Forbes.com that he never heard back from Apple after sending it all the information he had on the Flashback malware. In addition, the notoriously tight-lipped Apple at one point asked a Russian registrar to shut down a domain that Dr. Web was using as part of its sinkhole operation. Sharov said he believed it was an honest mistake on Apples part but that it indicates that Apple needs to learn how to work with the security community.
They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we werent the ones controlling it and not doing any harm to users, Sharov told Forbes. This seems to mean that Apple is not considering our work as a help. Its just annoying them.
At the same time, Apple officials announced in a brief note on their Website April 10 that they were working on a tool that will enable Mac users to detect and remove the malware from their systems. However, they did not give a timetable of when that will be released.
In an April 11 post on his companys blog, Mikko Hypponen, chief research officer for F-Secure, criticized Apples slow response.
Apple has announced that it's working on a fix for the malware, but has given no schedule for it, Hypponen wrote. Quite surprisingly, Apple hasn't added detection for Flashbackby far the most widespread OS X malware everto the built-in Xprotect OS X antivirus tool. Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier).