Investigations by Intego and others have turned up some interesting information which explains why different sinkholes are providing different numbers of infected Macs. (See our blog post earlier today, Flashback Mac Infection Rates Underestimated.) As mentioned above, the Flashback malware looks for specific domains with the .com, .net, .info, .in and .kz top-level domains. It seems that for some of these domains, Dr Web’s sinkhole is trapping infected Macs. Yet for the other domains – those with .net, .in and .kz – testing shows that the specific domains that the Flashback malware attempts to contact resolve to the IP address 127.0.0.1, or localhost (that is, the infected Mac itself).
It looks as though action has been taken with companies responsible for root nameservers to block the domains that the Flashback malware attempts to contact, and redirects these requests to the users’ Macs. The effect here is that the Macs are still infected, but they will not be able to contact the command and control servers, and, especially, cannot be counted by sinkholes. However, we cannot have any idea of the real scope of the Flashback malware infection.
Depending on each ISP’s DNS server, this information may or may not have propagated, so Macs in different countries may have different results when attempting to contact Flashback command and control servers.
You can test for yourself to see if these domains resolve to 127.0.0.1. Here is a list of some of these domains. (If you use OpenDNS as your DNS server, these domains will resolve to their address.)
Run the following command in Terminal:
For example, to test the first domain name in the list, run the command:
Note that if this were not a DNS-level redirection, you would get a “not found” message when running the host command.