The Flashback Trojan that has been infecting Mac OSX machines of late appears to have become the most successful piece of Mac-based malware in the short history of such things. Researchers say that there have been upwards of 500,000 Macs infected by the malware, and that number may still rise despite the fact that Apple has now released a patch for the Java flaw that the Trojan exploits.

Flashback has been infecting Mac users for several months now and a couple of different variants. One version from last fall had the ability to disable the XProtect built-in Mac antimalware application. A more recent version, discovered in February, is the one that’s been causing so much trouble for Mac users lately. That version is exploiting a Java vulnerability in order to compromise Macs.

The Trojan uses the same kind of drive-by download techniques that have plagued Windows users for a decade and injects code into running processes on the vulnerable Macs. They then will become unstable and sometimes will crash, researchers say. It was unknown how many machines had been compromised by Flashback, but now researchers from Russian company Dr. Web say that the number is in the neighborhood of 550,000.

“Now BackDoor.Flashback botnet encompasses more than 550 000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X,” the company said in an analysis of the attack.

“Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web’s virus analysts discovered a large number of web-sites containing the code.”

Estimating infection levels for malware is a difficult process that’s fraught with pitfalls and problems. This is especially true when it comes to botnets, but it’s made somewhat easier in the case of Flashback, thanks to a unique method that the malware uses to connect to its command-and-control servers. 

“Flashback trojan uses MAC address as the User-Agent when connecting to C&C servers. If Dr. Web is counting them, their numbers are accurate,” Mikko Hypponen of F-Secure said on Twitter on Thursday. 

Flashback has been exploiting three different Java vulnerabilities in the last few months, and although Apple issued a patch for the most recent one on Tuesday, there likely still are plenty of vulnerable machines online.

“Each bot includes a unique ID of the infected machine into the query string it sends to a control server. Doctor Web’s analysts employed the sinkhole technology to redirect the botnet traffic to their own servers and thus were able to count infected hosts.

Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback modification,” Dr. Web said in its analysis.

Categories: Malware