Since the first reports that more than 600,000 Macs were infected by the Flashback malware, Intego has been monitoring this situation closely. Not only has Intego found new variants of Flashback that can install with no password request, but Intego has also been using a sinkhole to analyze how many Macs are infected.
Sinkhole: a server set up to intercept data sent to and from infected computers in a botnet.
The way this works is simple. Flashback uses a number of domain names for its command and control servers. Intego knows how these domain names are formed; there is a complex algorithm used to generate what looks like a random 12-character string, plus a top-level domain, such as .com, .net or .info. A specific domain name is used each day, and the creators of the malware have not reserved all of these domains, allowing Intego and other security companies to reserve them in advance.
Command and control servers: these are the computers that send instructions to infected Macs, and that may remotely install new malware, or copy documents and files from these Macs.
Intego reserved some of these domains, and has been analyzing traffic from infected Macs. The numbers we have seen over the past week are interesting:
- 04/30/2012 – 102,769 infected Macs
- 05/01/2012 – 96,948 infected Macs
- 05/02/2012 – 103,779 infected Macs
- 05/03/2012 – 121,826 infected Macs
- 05/04/2012 – 102,375 infected Macs
- 05/05/2012 – 118,593 infected Macs
- 05/06/2012 – 113,909 infected Macs
- 05/07/2012 – 152,114 infected Macs
This is not the total number of infected Macs, as Intego is only one company that is using a sinkhole. In addition, Intego is only trapping those Macs infected by the most recent versions of the Flashback malware.
Infected Macs contact the command and control servers every hour, as long as they are powered on and the infected user is logged in. With this many Macs, the servers receive a large number of connections: Intego’s sinkhole logged more than 300,000 connections on May 3, roughly 13,000 per hour. A command and control server managing the total number of infected Macs – more than 600,000 – would need to be very powerful to accept the number of connections it would receive.
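As an added illustration (this is not Intego's code, and not Flashback's actual domain-generation algorithm, which the post does not publish), the following Python sketches the two halves of the sinkhole operation described above: precomputing each day's domain from a known generator so the domains can be registered ahead of the malware's operators, and then counting distinct infected hosts per day and the hourly connection load from the sinkhole's logs. The SHA-256-based generator and its seed, the log format, and the `id=` per-client identifier are all assumptions constructed for the example.

```python
import hashlib
import datetime as dt
from collections import defaultdict

# Hypothetical generator parameters: NOT Flashback's real algorithm or seed.
TLDS = ("com", "net", "info")
SEED = b"example-seed"


def dga_domain(day_iso: str) -> str:
    """Derive the C&C domain for one day (YYYY-MM-DD) from a date-seeded hash.

    Illustrative only: a 12-character lowercase label plus one of three TLDs,
    mirroring the shape described in the post, not Flashback's actual scheme.
    """
    digest = hashlib.sha256(SEED + day_iso.encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"


def upcoming_domains(start_iso: str, days: int) -> list:
    """Domains a defender would register before the malware rolls over to them."""
    start = dt.date.fromisoformat(start_iso)
    return [dga_domain((start + dt.timedelta(days=i)).isoformat()) for i in range(days)]


# Constructed sinkhole log: "<UTC timestamp> <source IP> id=<per-client identifier>".
# The id= field is an assumption; the post does not say how Intego told Macs apart.
SAMPLE_LOG = """\
2012-05-03T01:00:04Z 203.0.113.7 id=BOT-0001
2012-05-03T02:00:09Z 203.0.113.7 id=BOT-0001
2012-05-03T02:00:11Z 203.0.113.7 id=BOT-0002
2012-05-03T09:30:00Z 198.51.100.22 id=BOT-0003
2012-05-04T01:00:05Z 203.0.113.7 id=BOT-0001
2012-05-04T10:15:42Z 192.0.2.9 id=BOT-0004
this line is malformed and must be skipped
"""


def parse_log(text: str) -> list:
    """Return (timestamp, ip, client_id) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("id="):
            continue
        try:
            ts = dt.datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2][3:]))
    return events


def daily_unique_hosts(events: list, by: str = "id") -> dict:
    """Distinct hosts per day, keyed by client id (default) or by source IP.

    Counting by IP undercounts Macs that share one NAT address and overcounts
    Macs whose address changes during the day; a per-client id avoids both.
    """
    seen = defaultdict(set)
    for ts, ip, client_id in events:
        seen[ts.date().isoformat()].add(client_id if by == "id" else ip)
    return {day: len(ids) for day, ids in sorted(seen.items())}


def connections_per_hour(events: list, day_iso: str) -> tuple:
    """Total beacons received on one day and the average hourly rate."""
    total = sum(1 for ts, _, _ in events if ts.date().isoformat() == day_iso)
    return total, total / 24


if __name__ == "__main__":
    for d in upcoming_domains("2012-05-01", 3):
        print("register ahead:", d)
    events = parse_log(SAMPLE_LOG)
    print("unique Macs per day (by id):", daily_unique_hosts(events))
    print("unique Macs per day (by IP):", daily_unique_hosts(events, by="ip"))
    print("May 3 connections, per hour:", connections_per_hour(events, "2012-05-03"))
```

In the constructed log, two different clients beacon from the same address on May 3, so counting by source IP reports two hosts where there are three. Whatever identifier a real sinkhole uses, the per-day unique count should be keyed on something tied to the infected machine rather than its address, and the connection total is a separate figure from the host count, as the post's 300,000 connections against roughly 122,000 Macs on May 3 shows.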
What stands out in the above numbers is the variation. The number of infected Macs contacting the server that Intego is sinkholing dropped a bit on May 1, but this is likely because May 1 is a holiday in many parts of the world, and many users did not turn on their Macs.
What is troubling though is that the number of infected Macs is not decreasing, but is actually increasing. Even though Apple has provided an update which patches the Java vulnerability that this malware is exploiting, it seems that many Mac users are simply not updating their Macs. The numbers on May 5 and 6, Saturday and Sunday, might be expected to be lower, as fewer people use their Macs, but that is not the case. The number for May 7 is even more surprising, as it is 50% higher than the numbers Intego was seeing at the end of April.
So, what can you do? Make sure you have applied all the security updates available for Mac OS X. Click on the Apple menu, then choose Software Update and, if any updates are available, install them. Also, given the silent nature of this malware, it is a good idea to use antivirus software on your Mac, such as Intego’s Mac antivirus, VirusBarrier X6. VirusBarrier X6 has been able to block new variants of this malware through its behavioral analysis features, protecting you even if new variants are distributed.
(Updated to add statistics for May 7.)