Mac malware is still enough of an oddity that the existence of a single botnet made up of Macs has prompted a huge amount of publicity and finger-pointing in the general direction of Apple. The furor over the Flashback malware seems to be receding a bit, and researchers say that the number of unique bots connecting to a sinkhole server dropped significantly over the weekend. But that doesn’t mean that the threat is over.
Statistics compiled by Kaspersky Lab, which is operating a sinkhole command-and-control server to which a portion of the Flashback-infected machines are connecting, show that the since Friday, the number of bots communicating with the server has dropped by more than 50 percent. On Friday, the count was more than 650,000 bots, but by Sunday it was down to about 237,000 bots.
“We continued to intercept domain names after setting up the sinkhole server and we are currently still monitoring how big the botnet is. We have now recorded a total of 670,000 unique bots. Over the weekend (7-8 April) we saw a significant fall in the number of connected bots,” Aleks Gostev, chief security expert at Kaspersky, said in a blog post. “This doesn’t mean, however, that the botnet is shrinking rapidly – these are merely the numbers for the weekend.”
Botnets often will go through periods of ups and downs in terms of numbers of infected bots, especially after the existence of the network is made public. When that happens, users begin looking for infections on their machines and the numbers begin to drop. But some of those same machines will then become infected again if the underlying vulnerability isn’t fixed and the users run across the same malware.
To help users determine whether their Macs are infected with the Flashback malware, Kaspersky has set up a site that includes information on the Flashback Trojan itself, how the infection occurs, and a mechanism to check their UUIDs against a list of infected machines. The site, Flashbackcheck.com, will help compile statistics on numbers of infected machines. Users also can download a free removal tool for Flashback that will disinfect machines.
Flashback has been infecting Mac users in various forms for several months and the malware is now using exploits for a Java vulnerability to infect users through a drive-by download attack.