AppleInsider › Forums › Software › Mac OS X › Flashback discoverer bucks claims of malware's decline

Flashback discoverer bucks claims of malware's decline

post #1 of 35
Thread Starter 
In a status report released on Friday, the Russian security firm that first discovered the Flashback trojan disagrees with recent findings from Symantec and Kaspersky Labs, warning that the number of machines affected by the malware is not declining.

Citing data from its own analysis of the largest Mac botnet to date, Dr. Web notes that around 650,000 computers are still affected, which is in stark contradiction to the 30,000 number provided by well-known security companies Symantec and Kaspersky.

Analysts from the Russian firm researched the discrepancy and found that the raw data coming in from the larger companies' servers were likely inaccurate due to Flashback's use of complex domain name creation techniques and a unique TCP connection operation that effectively masks bots from command and control servers.

"BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain names is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its pre-defined priorities."

When the malware was first discovered in early April, Dr. Web registered the main domains used as Flashback command servers, while other security firms most likely use "hijacked servers" that are in this case less reliable. The report explains that Flashback's mode of operation allows its network of bots to go largely unnoticed by the hijacked servers, which could be the reason for the precipitous drop reported this week that saw the number of affected machines fall from 140,000 to 30,000.

Flashback Graph
Source: Dr. Web


"On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed us to more accurately calculate the number of bots on the malicious network, which is indicated on the graph."

Dr. Web notes that the trojan sends requests to a server run by an unidentified third party, which in turn communicates with the bots but fails to close the TCP connection. This action is critical to researchers as it puts the bots in standby mode, which means they do not communicate with other command servers monitored by information security specialists.

Flashback bot freeze
Code illustrating how an open TCP connection to the command server causes a bot to freeze. | Source: Dr. Web


There has been no response by Symantec or Kaspersky Labs, and their respective websites still reflect a "Very Low" threat level from the Flashback trojan.

The first iteration of the malware appeared in 2011 disguised as an Adobe Installer, and later morphed into the current self-installing version that was seen on 600,000 Macs worldwide. Following installation, Flashback harvests sensitive data like user IDs, passwords and web browsing history and sends the information to an off-site server.

Apple has responded to the malware by releasing a number of software updates, including a specially-designed Flashback removal tool, over the past two weeks.
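The article's measurement argument, as an added worked example that is not Dr. Web's code and not Flashback's real domain algorithm: a bot walks a priority-ordered list of candidate control names (variant-specific static names first, then date-derived names shared by every variant), a sinkhole on any of those names counts the bots that reach it, and a server higher in the list that accepts the TCP connection but never closes it stops the bot before it reaches any observer further down. The hashing, the seeds, the domain counts, the priority order and the 600/400 variant split are all assumptions made up for the example.

```python
"""Toy model of counting a DGA botnet with sinkholes.

Added illustration only: Flashback's real name-generation routine, seeds and
priorities are not known to this example and everything below is invented."""
import datetime as dt
import hashlib

SHARED_SEED = "shared-constant"   # assumed stand-in for parameters common to every variant


def _label(*parts) -> str:
    """Deterministic pseudo-random hostname from the given parts (assumed DGA)."""
    digest = hashlib.sha256(":".join(map(str, parts)).encode()).hexdigest()
    return digest[:12] + ".example"


def dga_domains(variant_seed: str, day: dt.date, n_static: int = 2, n_daily: int = 2) -> list:
    """Priority-ordered C2 candidates: variant-specific static names first,
    then names derived from the calendar date that all variants share."""
    static = [_label(variant_seed, i) for i in range(n_static)]
    daily = [_label(SHARED_SEED, day.isoformat(), i) for i in range(n_daily)]
    return static + daily


class Sinkhole:
    """Researcher-controlled server: logs the bot, returns nothing useful and
    closes the connection, so the bot moves on to its next candidate."""
    def __init__(self):
        self.seen = set()

    def handle(self, bot_id: str) -> str:
        self.seen.add(bot_id)
        return "continue"


class HangingServer:
    """Third-party server that accepts the TCP connection but never closes it:
    the bot blocks here and never reaches lower-priority names."""
    def __init__(self):
        self.held = set()

    def handle(self, bot_id: str) -> str:
        self.held.add(bot_id)
        return "block"


def checkin(bot_id: str, variant_seed: str, day: dt.date, registry: dict) -> str:
    """One bot's sweep. Unregistered names fail to resolve and are skipped;
    a registered server decides whether the sweep continues or blocks."""
    for domain in dga_domains(variant_seed, day):
        server = registry.get(domain)
        if server is None:
            continue
        if server.handle(bot_id) == "block":
            return "stuck"
    return "done"


def run(bots: list, day: dt.date, registry: dict) -> dict:
    """Run every bot once; return how many finished the sweep vs. got stuck."""
    outcome = {"done": 0, "stuck": 0}
    for bot_id, seed in bots:
        outcome[checkin(bot_id, seed, day, registry)] += 1
    return outcome


def make_bots(n_a: int = 600, n_b: int = 400) -> list:
    """Constructed population: two variants that share only the daily names."""
    return ([(f"a{i}", "variant-a") for i in range(n_a)]
            + [(f"b{i}", "variant-b") for i in range(n_b)])


def measure(scenario: str, day: dt.date = dt.date(2012, 4, 20)) -> dict:
    """Three ways of counting the same 1000-bot population."""
    bots = make_bots()
    static_a = dga_domains("variant-a", day)[0]   # variant A's top-priority name
    daily = dga_domains("variant-a", day)[-2]     # first date-derived name, shared by all
    sink = Sinkhole()
    if scenario == "static-only":
        registry = {static_a: sink}                           # only one variant's name held
    elif scenario == "daily":
        registry = {daily: sink}                              # every variant visits this name
    elif scenario == "masked":
        registry = {static_a: HangingServer(), daily: sink}   # hang sits above the sinkhole
    else:
        raise ValueError(scenario)
    outcome = run(bots, day, registry)
    return {"counted": len(sink.seen), **outcome}


if __name__ == "__main__":
    for name in ("static-only", "daily", "masked"):
        print(name, measure(name))
```

The "static-only" run counts just the variant whose name was registered, the "daily" run counts the whole population because the date-derived name is common to all variants, and the "masked" run shows how a hanging server at a higher priority makes 600 live bots disappear from a sinkhole that is otherwise perfectly placed. Real sinkhole counts also have to deduplicate by something more stable than a source IP (NAT, DHCP churn), which this model sidesteps by giving each bot a fixed identifier.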
post #2 of 35

Of course they do.

 

THEY'RE AN ANTI-VIRUS COMPANY!

 

Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel. 

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #3 of 35

sounds like the "security firm" might have a vested interest in the malware...

 

 

D'OH, beat me to it.

post #4 of 35

 

Quote:
Originally Posted by Tallest Skil View Post

Of course they do.

 

THEY'RE AN ANTI-VIRUS COMPANY!

 

Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel. 

 

All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?

post #5 of 35
Quote:
Originally Posted by yAak View Post

All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?

 

I'm saying they're spreading FUD. They're fearmongering. They're in the business of doing that. We don't have a clue if 600,000 Macs were actually infected. Nor will we ever, really.

post #6 of 35

It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities... ;)

iMac Intel 27" Core i7 3.4, 16GB RAM, 120GB SSD + 1TB HD + 4TB RAID 1+0, Nuforce Icon HDP, OS X 10.9.1; iPad Air 64GB; iPhone 5 32GB; iPod Classic; iPod Nano 4G; Apple TV 2.
post #7 of 35

Yeah, this whole thing remains a bit fishy to me. I don't doubt there is something out there, but still, fishy fishy fishy.

post #8 of 35

 

Quote:
Originally Posted by rkevwill View Post

Yeah, this whole thing remains a bit fishy to me. I don't doubt there is something out there, but still, fishy fishy fishy.

 

The methodology just doesn't make any sense. How in the world would they be able to accurately measure the number of infected systems?

"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #9 of 35

So basically all Apple's efforts amounted to nothing, the removal tool had no effect, the Java patches which worked on Windows and Linux had no effect, the awareness of this trojan and people of varying skill levels attempts to remove it had no effect, the people who installed and used AV software had no effect.

 

Something stinks about this.

Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #10 of 35
Are they even sure that all of them are Mac-based machines?
post #11 of 35

 

Quote:
Originally Posted by hill60 View Post

So basically all Apple's efforts amounted to nothing, the removal tool had no effect, the Java patches which worked on Windows and Linux had no effect, the awareness of this trojan and people of varying skill levels attempts to remove it had no effect, the people who installed and used AV software had no effect.

 

Something stinks about this.

 

Or maybe, new infections are as numerous as the number of computers being cleaned?  

post #12 of 35

 

Quote:
Originally Posted by iCarbon View Post

sounds like the "security firm" might have a vested interest in the malware...

 

 

D'OH, beat me to it.

 

I wouldn't put it past some of them to be behind the trojans.

 

 

Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #13 of 35

 

Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

 

 

Or maybe, new infections are as numerous as the number of computers being cleaned?  

 

Maybe Dr Web's methodology is flawed.

 

 

post #14 of 35

 

Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

 

 

Or maybe, new infections are as numerous as the number of computers being cleaned?  

 

Or maybe the entire thing is ridiculous.


1. The chart attached to this article shows that the number of infections went from 300,000 to 600,000 in one day - and then stayed roughly constant.

2. The number of infections was declining slowly until the day Apple released a fix - and it jumped at that time.

3. The other data says that the number of infections dropped by around 50% in one day - a week before Apple released a fix.

4. The entire premise of their 'sampling' is questionable. The trojan sends information to servers set up by the trojan author. Just how are these security firms trapping private communications between the 'infected' computer and the server? The only way they could do that is if they had direct access to the server and/or the Internet backbone.

 

Since the data is completely inconsistent with any rational explanation, the authors have a long way to go to establish the validity of the data.
post #15 of 35

 

Quote:
Originally Posted by brlawyer View Post

It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities... ;)

 

LOL

post #16 of 35

 

Quote:
Originally Posted by iCarbon View Post

sounds like the "security firm" might have a vested interest in the malware...

 

 

D'OH, beat me to it.

 

Maybe that's why Apple closed one of their servers down? 

 

Or maybe they are trying to get their own back because Apple closed their servers down?

 

 

post #17 of 35

 

Quote:
Originally Posted by Tallest Skil View Post

 

I'm saying they're spreading FUD. They're fearmongering. They're in the business of doing that. We don't have a clue if 600,000 Macs were actually infected. Nor will we ever, really.

 

I would agree about Dr Web. But the other folks are actually defusing the FUD to some degree by showing the threat is even less of a threat now than before. 

 

But you are correct that the truth is that we don't know if any of this is real or not. And even if they are infected with the trojan and calling out to some server (which for all we know is controlled by Dr Web because they are the creators) that might be all it ever does. 

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #18 of 35

Dr Web should know better than anyone else.

After all the Dr likely gave birth to that Trojan.

But the Dr can't even count accurately, I doubt that Trojan will be very effective !

post #19 of 35

Dr. Bott is the one spreading the Trojan, so of course their numbers are going to be higher. I myself never got it, and actually don't know of anyone personally that got it either. This is a company that wants to spread FUD to get customers to buy anti-virus, anti-malware software. Apple already addressed the issue and the trojan is dead already no matter what the Russians think.

post #20 of 35
Quote:
Originally Posted by jragosta View Post

 

Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

 

 

Or maybe, new infections are as numerous as the number of computers being cleaned?  

 

Or maybe the entire thing is ridiculous.


1. The chart attached to this article shows that the number of infections went from 300,000 to 600,000 in one day - and then stayed roughly constant.

2. The number of infections was declining slowly until the day Apple released a fix - and it jumped at that time.

3. The other data says that the number of infections dropped by around 50% in one day - a week before Apple released a fix.

4. The entire premise of their 'sampling' is questionable. The trojan sends information to servers set up by the trojan author. Just how are these security firms trapping private communications between the 'infected' computer and the server? The only way they could do that is if they had direct access to the server and/or the Internet backbone.

 

Since the data is completely inconsistent with any rational explanation, the authors have a long way to go to establish the validity of the data.


"sampling" could mean that they have websites that infect systems via the same method.
The number of Macs hit in this way is multiplied by some estimate of the hit rate of the 'security' firm web site compared to the hit rate of the 'real' phishing sites.
At best this will be a very inaccurate estimate, at worst it's absolutely bogus.

J.
post #21 of 35

 

Quote:
Originally Posted by jnjnjn View Post


"sampling" could mean that they have websites that infect systems via the same method.
The number of Macs hit in this way is multiplied by some estimate of the hit rate of the 'security' firm web site compared to the hit rate of the 'real' phishing sites.
At best this will be a very inaccurate estimate, at worst it's absolutely bogus.
J.

 

If you were correct, there are several problems:
 

1. Artificially infecting systems to determine what some other trojan might do is illegal. So why should we pay attention to a criminal enterprise?
2. The effectiveness of a trojan is dependent on how appealing the enticement is. If they put their trojan on web sites that are more (or less) appealing than the actual ones used, the results would be meaningless.

3. In the original article, they cited infection rates in some countries as low as 0.1% in some cases. Doing so and reporting data from many countries suggests that they would have had to infect many hundreds of thousands of systems to get the data they need.

 

The whole thing sounds bogus.
post #22 of 35
Quote:
Originally Posted by jragosta View Post

... The whole thing sounds bogus.


I agree.
post #23 of 35
Quote:
Originally Posted by brlawyer View Post

It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities... ;)


It is also known for having a high concentration of security researchers.

I would caution people to not take these things lightly. Apple's model creates a much more significant attack vector since so much of their ecosystem is in a default state, with common applications and therefore common attack vectors.

I just wish I had a better idea of how to protect things in a general case-- getting a Cisco ASA for home just seems stupid and ineffective overkill.
post #24 of 35
Shoot the messenger. I just hope that not many good guys turn bad. There does not seem much room at the inn.
post #25 of 35
Quote:
Originally Posted by aaarrrgggh View Post

I just wish I had a better idea of how to protect things in a general case-- getting a Cisco ASA for home just seems stupid and ineffective overkill.

Default ok, I would say.
You could activate the firewall, deinstall Java, stop using Flash, browse with as little permission for Safari as possible, only install from the App Store, update automatically and install Little Snitch, to be extremely safe.

J.
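A read-only audit of the steps listed in the post above, as an added example (not the poster's code). It runs only on macOS and relies on the stock tools and their output: `socketfilterfw --getglobalstate` prints a line containing `State = 1` when the application firewall is on, `/usr/libexec/java_home` exits non-zero when no JVM is installed, `spctl --status` reports `assessments enabled` when Gatekeeper is on, and `defaults read` returns the automatic-check flag. Treating Gatekeeper as the "install from the App Store only" control, and the Flash and Little Snitch install paths, are assumptions; the evaluation step is kept separate from the collection step so it can be exercised with constructed input on any platform.

```python
"""Added example: audit the Mac hardening checklist from the post above.
Assumptions are marked; the command paths and output strings are those of
the stock macOS tools, everything else is illustrative."""
import os
import platform
import subprocess

FLASH_PLUGIN = "/Library/Internet Plug-Ins/Flash Player.plugin"   # assumed install path
LITTLE_SNITCH_DIR = "/Library/Little Snitch"                       # assumed install path


def _run(cmd: list) -> tuple:
    """Run a command and return (exit code, stdout+stderr); never raise."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:            # binary missing: not macOS, or the tool is absent
        return 127, ""
    return proc.returncode, proc.stdout + proc.stderr


def collect() -> dict:
    """Gather raw state from the running system. Only meaningful on macOS."""
    if platform.system() != "Darwin":
        raise RuntimeError("these checks only apply to macOS")
    _, fw = _run(["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"])
    java_rc, _ = _run(["/usr/libexec/java_home"])        # non-zero exit: no JVM installed
    _, gk = _run(["spctl", "--status"])
    _, upd = _run(["defaults", "read",
                   "/Library/Preferences/com.apple.SoftwareUpdate", "AutomaticCheckEnabled"])
    return {
        "firewall_output": fw,
        "java_present": java_rc == 0,
        "gatekeeper_output": gk,
        "autoupdate_output": upd,
        "flash_present": os.path.exists(FLASH_PLUGIN),
        "little_snitch_present": os.path.isdir(LITTLE_SNITCH_DIR),
    }


def evaluate(state: dict) -> list:
    """Map raw state to (check, passed, advice) tuples. Pure function, so it
    can be tested with constructed input anywhere."""
    firewall_on = "State = 1" in state.get("firewall_output", "")
    gatekeeper_on = "assessments enabled" in state.get("gatekeeper_output", "")
    autoupdate_on = state.get("autoupdate_output", "").strip() == "1"
    return [
        ("application firewall", firewall_on,
         "enable it: socketfilterfw --setglobalstate on (or System Preferences > Security)"),
        ("no Java runtime", not state.get("java_present", False),
         "remove Java unless you need it; Flashback was delivered through it"),
        ("Gatekeeper / App Store only", gatekeeper_on,
         "enable it: spctl --master-enable"),
        ("automatic update checks", autoupdate_on,
         "turn on automatic checks in Software Update preferences"),
        ("no Flash Player plug-in", not state.get("flash_present", False),
         "uninstall Flash or leave it disabled in the browser"),
        ("outbound filter (Little Snitch)", state.get("little_snitch_present", False),
         "optional: install an outbound connection filter"),
    ]


def failures(state: dict) -> list:
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in evaluate(state) if not ok]


if __name__ == "__main__":
    for check, ok, advice in evaluate(collect()):
        print(("PASS " if ok else "FAIL ") + check + ("" if ok else ": " + advice))
```

Run it with plain user rights; the checks only read state, and the advice lines are where you would need `sudo`.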
post #26 of 35
One way to monitor traffic is to sniff the traffic on their own network. They sniff all the packets, put an infected Mac on the network, and see what it's trying to do, to whom it is communicating with.
post #27 of 35

 

Quote:
Originally Posted by colinng View Post

One way to monitor traffic is to sniff the traffic on their own network. They sniff all the packets, put an infected Mac on the network, and see what it's trying to do, to whom it is communicating with.

 


That's not how they're doing it. If you're such an expert, try your own sniffing - as in reading! You should be able to figure out their method.

 

 

post #28 of 35

 

Quote:
Originally Posted by aaarrrgggh View Post


It is also known for having a high concentration of security researchers.
I would caution people to not take these things lightly. Apple's model creates a much more significant attack vector since so much of their ecosystem is in a default state, with common applications and therefore common attack vectors.
I just wish I had a better idea of how to protect things in a general case-- getting a Cisco ASA for home just seems stupid and ineffective overkill.

 

I'm not saying that one should take reports seriously.


However, THIS report has a lot of red flags that make the conclusions very questionable. I listed some of them above.
post #29 of 35
An interesting and far reaching interpretation.
post #30 of 35

 

Quote:
Originally Posted by brlawyer View Post

It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities... ;)

 

Intego, who first identified the Flashback variant are French.

 

Symantec are American and now agree with DrWeb that the number sits at 600 000.

 

Are you really suggesting that this is a global conspiracy?

 

 

post #31 of 35

Yup, they all want to sell Mac anti virus software, which would NOT have stopped this from happening. Best possible thing they can do is have software that will remove these kinds of things after they become known.

post #32 of 35

 

Quote:
Originally Posted by jnjnjn View Post


Default ok, I would say.
You could activate the firewall, deinstall java, stop using flash, browse with as little permission for Safari as possible, only install from the app store, update automatically and install little snitch, to be extremely save.
J.

 


I have always used Firefox with the NoScript addon with a free antivirus program (Sophos and ClamXav currently). Oh, regarding the App Store: its version of ClamXav doesn't have ClamXav Sentry while the one from the site does.

 

As for that "server run by an unidentified third party" claim taking a sampling of the list of contacts at http://contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html produces a very interesting pattern if you throw them at http://www.ip-adress.com/whois/.

post #33 of 35

 

Quote:
Originally Posted by usr1 View Post
... I just hope OS X will not force everyone to "MacStore-only" security model when "security through minority" does not prove to be effective any more.

 

The "security through obscurity" motto has been definitely debunked in the other discussion by the researchers themselves who follow the malware evolution on the Mac platform:

 

"As we correctly predicted back in May, Mac malware has not scaled continuously due to market share, but rather, is more the result of opportunist "bubble economies" that have produced new threats in fits and starts," researchers said

 

What increased market share naturally does is increase the interest of the malware programmers, but this is not necessarily translated to more malware available in the wild. Besides, Mac OS X has much more market share than the classic Mac OS ever had, and this is the moment when malware can propagate like wildfire through the internet. Nevertheless, the classic Mac OS had about 50 known actual and functioning malware including viruses, in an era when the internet was barely present, while we have yet to see a single virus under Mac OS X. The system architecture is obviously what makes all the difference here. Therefore the "security through obscurity" motto, although it contains a truth in the sense I explained previously, is really overblown out of proportion.

post #34 of 35
Everyone of any worth has agreed for days that Dr Web is right. Some readers have a tendency to be dated.
post #35 of 35
Quote:
Originally Posted by aBeliefSystem View Post
Everyone of any worth has agreed for days that Dr Web is right. Some readers have a tendency to be dated.

 

Ah, so I'm of no worth. Got it.
