The number of Apple Mac systems infected with the Flashback malware has dropped to about 140,000 worldwide, but officials with security software vendor Symantec said the decline appears to have stalled at that level.
At its height earlier this month, the Flashback malware had infected more than 600,000 Macs, more than 1 percent of the systems in use globally and a record for a Mac malware attack. A host of security software makers, including Symantec, Kaspersky Lab, F-Secure and Intego, as well as Apple itself, have rolled out free tools that enable users to detect and remove the malware from their systems.
The fact that so many such tools are available has Symantec officials wondering why the drop in infected systems isn't greater.
"[W]e had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case," the officials said in a post April 17 on Symantec's blog. "Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark. As there have been tools released by Symantec and other vendors in the past few days concerning this threat, the infection numbers should have seen a dramatic decrease by now."
The officials urged users to install the latest patches and use the tools to remove the malware.
The Flashback malware shot holes through the theory that Apple systems were essentially immune from such infections, and exposed Apple's inexperience in addressing such security issues. Flashback exploited a vulnerability in Java, which Oracle owns. Oracle had patched the flaw for Microsoft Windows PCs and other platforms weeks earlier, but Apple, which at the time shipped and maintained its own Java build for Mac OS X, did not issue its patch until April 3, after the Mac infections were well under way.
Then Apple was days behind the security software vendors in offering a tool to detect and remove the malware.
While the Mac community is trying to put the Flashback attack behind it, another piece of malware has come into the picture. According to companies such as Kaspersky, Symantec, Sophos and Intego, the new malware, called Sabpab or SabPub depending on the vendor, works as a classic backdoor Trojan horse and leverages the same Java flaw as Flashback to get into systems and steal information. Once installed, the Sabpab Trojan creates files on the system and sends encrypted logs back to its command-and-control (C&C) server, enabling the attackers to monitor activity on the infected machine, according to researchers.
However, the threat may not be as widespread as Flashback, according to some researchers.
"These malware variants are being used in targeted attacks against Tibetan-focused NGOs [non-governmental organizations] and are therefore very unlikely to be encountered in-the-wild by day-to-day Mac users," researchers at F-Secure said in an April 17 post on the company blog. "If you're a Mac-using human rights lawyer, however … your odds of exposure are another matter entirely. If you don't have it already, now is the time to install antivirus on your Mac."
Michael Sutton, vice president of security research at Zscaler, said the malware is delivered via email targeted at Tibetan sympathizers. Though some industry observers have wondered whether Sabpab could become as large as Flashback, Sutton said the issue is being over-hyped in the media.
"This is a small targeted attack," he said in an email. "It is not widespread, nor is it meant to be. Patches are available for both vulnerabilities targeted by SabPub, so Mac users with fully patched systems are not vulnerable."
Like other security researchers, Sutton said users of Macs and other Apple devices need to understand that as those devices, not only Macs but also iPhones and iPads, become more popular with consumers and businesses, the number of attacks on them will also grow. So will attention from news organizations.
"As the Mac becomes an increasingly popular computing platform, we will naturally see an increase in attacks geared toward the OS X platform," Sutton wrote. "That said, today, Mac OS X targets remain a small sliver of total malware currently in the wild. SabPub, for example, is receiving far more media attention than would a similar PC-based attack, given the limited number of victims involved."