Mac Botnet Infects More Than 600,000 Apple Computers

New variants of the fast-growing Flashback Trojan have infected more than 600,000 Macs, according to security vendor Doctor Web.

More than 600,000 Apple Mac computers worldwide, more than half of them in the United States, have been hit by a new fast-moving variant of the Flashback Trojan that installs itself through a Java exploit loaded by JavaScript, without the user interaction earlier versions required, according to security researchers.

Officials with security software company Intego said in an April 3 blog post that they found samples of the new Flashback Trojan on March 23, and noted that the new malware, like the previous version discovered last year, uses two Java vulnerabilities, one of which was patched by Apple on April 3. The malware attacks Macs running the Mac OS X operating system.

Bloggers from Russian security company Doctor Web said in a post April 4 that the new Flashback variant had compromised up to 550,000 Mac computers, more than 300,000 of which were in the United States and more than 106,000 in Canada. Later in the day, Ivan Sorokin, an analyst with Doctor Web, said in a Twitter update that the number of Macs infected by the Trojan had jumped to more than 600,000.

In addition, Sorokin noted that 274 of the infected Macs were found in Cupertino, Calif., where Apple keeps its headquarters.

Doctor Web officials said in their blog that they were able to redirect some of the botnet traffic to their own servers, an operation known as "sinkholing," and count the number of infected hosts from the connections that arrived.

The number of variants seems to be growing. Intego officials said they have been finding new samples and variants of the malware almost daily since March 23, and those samples are not all the same as those that other security companies are reporting they have found. The latest variant that Intego has is called Flashback.R.

"In any case, the safest thing that users can do is turn off Java in their Web browser," Intego said in its blog post. "If you use Safari, choose Safari > Preferences, then click on Security. Uncheck Enable Java, to ensure that no Java applet can run. For other browsers, check in their security preferences as well."

Security software vendor F-Secure began talking about the new Flashback variants April 2, with a blogger saying that company officials have "been anticipating something like this for a while now."

"It appears that the Flashback gang is keeping up with the latest in exploit kit development," the blogger said, noting that a report by another security blogger the week before said the latest Flashback variant had been incorporated into the Blackhole exploit kit. "And that's not all. Though it is unconfirmed, there are rumors of yet another available exploit for an 'as-yet unpatched critical flaw in Java' on sale. So if you haven't already disabled your Java client, please do so before this thing really becomes an outbreak."

F-Secure couldn't say whether an outbreak has actually occurred. On Twitter April 4, Mikko Hypponen, the company's chief research officer, said he couldn't confirm Doctor Web's number of more than 600,000 infected Macs, saying, "We don't have good stats on Mac malware."

Doctor Web officials on their blog said, "Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web's virus analysts discovered a large number of Websites containing the code."

The Russian company said cyber-criminals began exploiting two Java vulnerabilities in February, then switched to a third after March 16. That last vulnerability was closed by Apple's patch of April 3.

"The exploit saves an executable file onto the hard drive of the infected Mac machine," Doctor Web said. "The file is used to download malicious payload from a remote server and to launch it. Doctor Web found two versions of the Trojan horse; attackers started using a modified version of Backdoor.Flashback.39 around April 1."

Like older versions, the latest variant first searches the hard drive of the infected Mac for particular components, then, if the files aren't found, "the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to intruders' statistics server and sends consecutive queries at control server addresses."
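The two mechanisms described above, a routine that generates the list of control servers and the sinkholing Doctor Web used to count hosts, fit together: if defenders can reproduce the generation routine, they can register some of the candidate names before the operators do, and every infected machine that works through its list will eventually beacon to a server the defenders control. The following is an added illustration, not code from Doctor Web or from the Flashback malware; the page does not describe Flashback's actual routine, so the date-seeded hashing here, the seed, the TLD list, the log format, the bot ids and the prefix-to-country table are all constructed assumptions.

```python
"""Stand-in date-seeded domain generation plus a sinkhole-side counter.

Added example. The generation routine is hypothetical and is NOT
Flashback's; it only shows why a reproducible routine lets a defender
sinkhole the botnet and count distinct infected hosts.
"""
import datetime as dt
import hashlib
from collections import Counter

SEED = b"illustrative-seed"          # assumption: shared secret baked into the bot
TLDS = ("com", "net", "org")         # assumption: TLDs the stand-in routine cycles through
SAMPLE_DAY = dt.date(2012, 4, 4)     # date used for the constructed sample below


def generate_domains(day, count=5):
    """Bot and defender side: derive `count` candidate C2 names for one calendar day."""
    out = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).hexdigest()
        out.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")   # hex chars are valid label chars
    return out


def pick_control_server(candidates, live_hosts):
    """Bot side: query candidates in order and settle on the first one that answers."""
    for host in candidates:
        if host in live_hosts:
            return host
    return None


def build_sample_log(day):
    """Constructed sinkhole log: timestamp, source IP, Host header, self-reported bot id."""
    doms = generate_domains(day)
    return "\n".join([
        f"2012-04-04T10:00:01Z 198.51.100.7 {doms[0]} id=A1",
        f"2012-04-04T10:00:02Z 198.51.100.7 {doms[0]} id=A1",        # same bot, repeat beacon
        f"2012-04-04T10:00:03Z 203.0.113.9 {doms[1]} id=B2",
        f"2012-04-04T10:00:04Z 192.0.2.44 {doms[2]} id=C3",
        f"2012-04-04T10:00:05Z 192.0.2.44 unrelated.example id=D4",  # not a sinkholed name
    ])


# Constructed prefix-to-country table standing in for a GeoIP database.
GEO = {"198.51.100.": "US", "203.0.113.": "CA", "192.0.2.": "US"}


def country_of(ip):
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def count_infections(log_text, sinkholed):
    """Sinkhole side: count requests, distinct bot ids, and distinct bots per country.

    Deduplicating on the bot id rather than the source IP keeps a host that
    beacons repeatedly (or changes address) from being counted more than once.
    """
    first_ip_for_bot = {}
    requests = 0
    for line in log_text.splitlines():
        _ts, ip, host, bot = line.split()
        if host not in sinkholed:
            continue                      # traffic to names we do not control
        requests += 1
        first_ip_for_bot.setdefault(bot.split("=", 1)[1], ip)
    by_country = Counter(country_of(ip) for ip in first_ip_for_bot.values())
    return {
        "requests": requests,
        "unique_bots": len(first_ip_for_bot),
        "by_country": dict(by_country),
    }


if __name__ == "__main__":
    candidates = generate_domains(SAMPLE_DAY)
    # Defender registered the first two of today's candidates ahead of the operator.
    sinkholed = set(candidates[:2])
    print("bot connects to:", pick_control_server(candidates, sinkholed))
    print(count_infections(build_sample_log(SAMPLE_DAY), sinkholed))
```

The count the defender obtains is a lower bound: only bots whose list reached a sinkholed name are seen, which is one reason a second vendor could not confirm the figure from its own vantage point.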

Security experts have seen a growing number of Mac malware incidents since last year, including the Tsunami Trojan and the Revir/Imuler Trojan. The Flashback malware, so named because its early versions masqueraded as an Adobe Flash Player installer or update, was first detected in September 2011.

Macs for a long time were thought to be particularly resistant to malware attacks. However, researchers late last year warned that future attacks were inevitable.

"If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying," Graham Cluley, a senior technology consultant at Sophos, said in a blog in October 2011, predicting more malware targeting "poorly defended Mac computers."

Mike Geide, senior security researcher at Zscaler ThreatLabZ, agreed.

"This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats," Geide said in an email. "And the need to follow best security practices, such as remaining current with patches, is ubiquitous -- it doesn't matter if you're using Windows, Mac, or even [a] mobile phone."