Questions Abound On Size and Makeup of Flashback Botnet

Author: Dennis Fisher
minute read

The botnet assembled by the Flashback Trojan that’s been infecting Macs in recent months is turning out to be a rather difficult one to pin down. Researchers have said that the network of compromised machines may be upwards of 600,000, while newere estimates say that it’s more likely in the 500,000-Mac range. And now some researchers are questioning whether the entire botnet is made up of Macs or whether there are some Windows machines in the mix as well.

Mac trojanThe botnet assembled by the Flashback Trojan that’s been infecting Macs in recent months is turning out to be a rather difficult one to pin down. Researchers have said that the network of compromised machines may be upwards of 600,000, while newere estimates say that it’s more likely in the 500,000-Mac range. And now some researchers are questioning whether the entire botnet is made up of Macs or whether there are some Windows machines in the mix as well.

Researchers at Russian security firm Dr. Web earlier this week said that they had sinkholed some of the command-and-control domains being used by the Flashback malware to communicate and found that there were more than 550,000 infected hosts connecting. The company came up with those numbers by looking at the unique identifiers that infected machines use to identify themselves to the C&C server. In many other botnets, this is simply an IP address, but in the case of Flashback, the bots are supplying the MAC address of the machine that’s infected. 

This is thought to be giving researchers a more accurate count of infected machines than is normally possible because counting individual IP addresses doesn’t necessarily correlate to counting infected machines. On Thursday night, researchers at Kaspersky Lab sinkholed another of the Flashback C&C domains and came up with a count of around 515,000 unique hosts connecting to it. However, Aleks Gostev, Kaspersky’s chief security expert, said that he’s not convinced that all of the infected machines are running Mac OSX. 

“We are not sure that all 500k Flashback bots are Mac users. I have some suspicions that probably bot for Windows also presented [in the wild],” Gostev said on Twitter Friday morning.

The difficulty in identifying what kind of machines are connecting to the C&C servers is that when the user agent from the infected computer communicates with the server, it doesn’t supply definitive data on the operating system that’s installed. Kaspersky researchers are continuing to investigate the question of whether all of the infected machines are Macs and are likely to have updated information on it later in the day. 

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.