The botnet assembled by the Flashback Trojan that’s been infecting Macs in recent months is turning out to be a rather difficult one to pin down. Researchers have said that the network of compromised machines may be upwards of 600,000, while newer estimates say that it’s more likely in the 500,000-Mac range. And now some researchers are questioning whether the entire botnet is made up of Macs or whether there are some Windows machines in the mix as well.
Researchers at Russian security firm Dr. Web earlier this week said that they had sinkholed some of the command-and-control domains being used by the Flashback malware to communicate and found that there were more than 550,000 infected hosts connecting. The company came up with those numbers by looking at the unique identifiers that infected machines use to identify themselves to the C&C server. In many other botnets, this is simply an IP address, but in the case of Flashback, the bots are supplying the MAC address of the machine that’s infected.
This is thought to be giving researchers a more accurate count of infected machines than is normally possible because counting individual IP addresses doesn’t necessarily correlate to counting infected machines. On Thursday night, researchers at Kaspersky Lab sinkholed another of the Flashback C&C domains and came up with a count of around 515,000 unique hosts connecting to it. However, Aleks Gostev, Kaspersky’s chief security expert, said that he’s not convinced that all of the infected machines are running Mac OSX.
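As an added illustration (not code from the article or from either vendor's analysis), the following Python counts a constructed sinkhole log two ways, by unique client IP and by the bot-supplied identifier, and flags the two situations that make the IP count diverge from the host count: several bots behind one NAT address, and one bot seen from several addresses. The log format, field layout and identifier format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sinkhole log lines (sample data, not from Dr. Web or Kaspersky).
# Assumed format: "<timestamp> <client_ip> <request_path>", where the path
# carries the bot's self-reported identifier (the article says Flashback uses
# the infected machine's MAC address for this).
SINKHOLE_LOG = """\
2012-04-06T08:00:01 203.0.113.10 /check?id=00:1c:42:aa:bb:01
2012-04-06T08:00:02 203.0.113.10 /check?id=00:1c:42:aa:bb:02
2012-04-06T08:00:05 203.0.113.10 /check?id=00:1c:42:aa:bb:03
2012-04-06T08:01:10 198.51.100.7 /check?id=00:1c:42:aa:bb:04
2012-04-06T09:30:00 198.51.100.9 /check?id=00:1c:42:aa:bb:04
2012-04-06T10:00:00 192.0.2.55 /check?id=00:1c:42:aa:bb:05
2012-04-06T10:00:01 192.0.2.55 /check?id=00:1c:42:aa:bb:05
"""

# timestamp, client IP, then an id= parameter holding a MAC-style identifier
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S*[?&]id=([0-9a-f:]{17})", re.I)

def parse(log):
    """Yield (client_ip, bot_id) pairs; lines without a parsable id are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3).lower()

def estimate(log):
    """Return the IP-based and identifier-based population counts side by side."""
    ips, ids = set(), set()
    ids_per_ip = defaultdict(set)   # bots observed behind each address
    ips_per_id = defaultdict(set)   # addresses each bot was observed from
    for ip, bot_id in parse(log):
        ips.add(ip)
        ids.add(bot_id)
        ids_per_ip[ip].add(bot_id)
        ips_per_id[bot_id].add(ip)
    return {
        "unique_ips": len(ips),
        "unique_ids": len(ids),
        # addresses fronting more than one bot: counting IPs undercounts here
        "nat_gateways": sum(1 for s in ids_per_ip.values() if len(s) > 1),
        # bots seen from more than one address: counting IPs overcounts here
        "roaming_bots": sum(1 for s in ips_per_id.values() if len(s) > 1),
    }
```

On the sample log the identifier count (5) differs from the IP count (4) even though both distortions are present at once, which is why a bot-supplied identifier gives a tighter estimate than addresses alone.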
“We are not sure that all 500k Flashback bots are Mac users. I have some suspicions that probably bot for Windows also presented [in the wild],” Gostev said on Twitter Friday morning.
The difficulty in identifying what kind of machines are connecting to the C&C servers is that when the user agent from the infected computer communicates with the server, it doesn’t supply definitive data on the operating system that’s installed. Kaspersky researchers are continuing to investigate the question of whether all of the infected machines are Macs and are likely to have updated information on it later in the day.