Flashback discoverer bucks claims of malware's decline

Posted:
in macOS edited January 2014
In a status report released on Friday, the Russian security firm that first discovered the Flashback trojan disagrees with recent findings from Symantec and Kaspersky Labs, warning that the number of machines affected by the malware is not declining.

Citing data from its own analysis of the largest Mac botnet to date, Dr. Web notes that around 650,000 computers are still affected, which is stark contradiction to the 30,000 number provided by well-known security companies Symantec and Kaspersky.

Analysts from the Russian firm researched the discrepancy and found that the raw data coming in from the larger companies' servers were likely inaccurate due to Flashback's use of complex domain name creation techniques and a unique TCP connection operation that effectively masks bots from command and control servers.

"BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain names is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its pre-defined priorities."

When the malware was first discovered in early April, Dr. Web registered for the main domains used as Flashback command servers while other security firms most likely use "hijacked servers" that are in this case less reliable. The report explains that Flashback's mode of operation allows its network of bots to go largely unnoticed by the hijacked servers which could be the reason for the precipitous drop reported this week that saw the number of affected machines fall from 140,000 to 30,000.

Flashback Graph
Source: Dr. Web


"On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network, which is indicated on the graph."

Dr. Web notes that the trojan send requests to a server run by an unidentified third party, which in turn communicates with the bots but fails to close the TCP connection. This action is critical to researchers as it puts the bots in standby mode which means they do not communicate with other command servers monitored by information security specialists.

Flashback bot freeze
Code illustrating how an open TCP connection to the command server causes a bot to freeze. | Source: Dr. Web


There has been no response by Symantec or Kaspersky Labs and their respective website still reflect a "Very Low" threat level from the Flashback trojan.

The first iteration of the malware appeared in 2011 disguised as an Adobe Installer, and later morphed into the current self-installing version that was seen on 600,000 Macs worldwide. Following installation, Flashback harvests sensitive data like user IDs, passwords and web browsing history and sends the information to an off-site server.

Apple has responded to the malware by releasing a number of software updates, including a specially-designed Flashback removal tool, over the past two weeks.
«1

Comments

  • Reply 1 of 36
    tallest skiltallest skil Posts: 43,399member


    Of course they do.


     


    THEY'RE AN ANTI-VIRUS COMPANY!


     


    Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel. 

  • Reply 2 of 36
    icarbonicarbon Posts: 196member


    sounds like the "security firm" might have a vested interest in the malware...


     


     


    D'OH, beat me to it.

  • Reply 3 of 36
    yaakyaak Posts: 2member


     


    Quote:

    Originally Posted by Tallest Skil View Post


    Of course they do.


     


    THEY'RE AN ANTI-VIRUS COMPANY!


     


    Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel. 



     


    All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?

  • Reply 4 of 36
    tallest skiltallest skil Posts: 43,399member

    Quote:

    Originally Posted by yAak View Post


    All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?



     


    I'm saying they're spreading FUD. They're fearmongering. They're in the business of doing that. We don't have a clue if 600,000 Macs were actually infected. Nor will we ever, really.

  • Reply 5 of 36


     


    Quote:

    Originally Posted by yAak View Post


     


    Quote:

    Originally Posted by Tallest Skil View Post


    Of course they do.


     


    THEY'RE AN ANTI-VIRUS COMPANY!


     


    Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel. 



     


    All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?



     


    I think it is something like "Because of the message, I'll throw out some FUD about the messenger".

  • Reply 6 of 36
    brlawyerbrlawyer Posts: 828member


    It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities... ;)

  • Reply 7 of 36
    rkevwillrkevwill Posts: 224member


    Yeah, this whole thing remains a bit fishy to me. I don't doubt there is something out there, but still, fishy fishy fishy.

  • Reply 8 of 36
    jragostajragosta Posts: 10,473member


     


    Quote:

    Originally Posted by rkevwill View Post


    Yeah, this whole thing remains a bit fishy to me. I don't doubt there is something out there, but still, fishy fishy fishy.



     


    The methodology just doesn't make any sense. How in the world would they be able to accurately measure the number of infected systems?

  • Reply 9 of 36
    hill60hill60 Posts: 6,992member


    So basically all Apple's efforts amounted to nothing, the removal tool had no effect, the Java patches which worked on Windows and Linux had no effect, the awareness of this trojan and people of varying skill levels attempts to remove it had no effect, the people who installed and used AV software had no effect.


     


    Something stinks about this.

  • Reply 10 of 36
    blasevblasev Posts: 5member
    Are they even sure that all of it are mac based machine?
  • Reply 11 of 36


     


    Quote:

    Originally Posted by hill60 View Post


    So basically all Apple's efforts amounted to nothing, the removal tool had no effect, the Java patches which worked on Windows and Linux had no effect, the awareness of this trojan and people of varying skill levels attempts to remove it had no effect, the people who installed and used AV software had no effect.


     


    Something stinks about this.



     


    Or maybe, new infections are as numerous as the number of computers being cleaned?  

  • Reply 12 of 36
    MacProMacPro Posts: 19,251member


     


    Quote:

    Originally Posted by iCarbon View Post


    sounds like the "security firm" might have a vested interest in the malware...


     


     


    D'OH, beat me to it.



     


    I wouldn't put it past some of them to be behind the trojans.


     


     

  • Reply 13 of 36
    hill60hill60 Posts: 6,992member


     


    Quote:

    Originally Posted by I am a Zither Zather Zuzz View Post


     


     


    Or maybe, new infections are as numerous as the number of computers being cleaned?  



     


    Maybe Dr Web's methodology is flawed.


     


     

  • Reply 14 of 36
    jragostajragosta Posts: 10,473member


     


    Quote:

    Originally Posted by I am a Zither Zather Zuzz View Post


     


     


    Or maybe, new infections are as numerous as the number of computers being cleaned?  



     


    Or maybe the entire thing is ridiculous.




    1. The chart attached to this article shows that the number of infections went from 300,000 to 600,000 in one day - and then stayed roughly constant.


    2. The number of infections was declining slowly until the day Apple released a fix - and it jumped at that time.


    3. The other data says that the number of infections dropped by around 50% in one day - a week before Apple released a fix.


    4. The entire premise of their 'sampling' is questionable. The trojan sends information to servers set up by the trojan author. Just how are these security firms trapping private communications between the 'infected' computer and the server? The only way they could do that is if they had direct access to the server and/or the Internet backbone.


     


    Since the data is completely inconsistent with any rational explanation, the authors have a long way to go to establish the validity of the data.

  • Reply 15 of 36


     


    Quote:

    Originally Posted by brlawyer View Post


    It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities... ;)



     


    LOL image

  • Reply 16 of 36


     


    Quote:

    Originally Posted by iCarbon View Post


    sounds like the "security firm" might have a vested interest in the malware...


     


     


    D'OH, beat me to it.



     


    Maybe that's why Apple closed one of their servers down? 


     


    Or maybe they are trying to get their own back because Apple closed their servers down?


     


     

  • Reply 17 of 36
    charlitunacharlituna Posts: 7,217member


     


    Quote:

    Originally Posted by Tallest Skil View Post


     


    I'm saying they're spreading FUD. They're fearmongering. They're in the business of doing that. We don't have a clue if 600,000 Macs were actually infected. Nor will we ever, really.



     


    I would agree about Dr Web. But the other folks are actually defusing the FUD to some degree by showing the threat is even less of a threat now than before. 


     


    But you are correct that the truth is that we don't know if any of this is real or not. And even if they are infected with the trojan and calling out to some server (which for all we know is controlled by Dr Web because they are the creators) that might be all it ever does. 

  • Reply 18 of 36
    joshajosha Posts: 901member


    Dr Web should know better than anyone else.


    After all the Dr likely gave birth to that Trojan.


    But the Dr can't even count accurately, I doubt that Trojan will be very effective !

  • Reply 19 of 36
    b9botb9bot Posts: 238member


    Dr. Bott is the one spreading the Trojan, so of course there numbers are going to be higher. I myself never got it, and actually don't know of anyone personally that 


    got it either. This is a company that wants to spread FUD to get customers to buy anti-virus, anti-malware software. Apple already addressed the issue and the trojan is dead already no matter what the Russians think.

  • Reply 20 of 36
    jnjnjnjnjnjn Posts: 588member
    jragosta wrote: »
    <p>  </p><div class="quote-container"> <span>Quote:</span> <div class="quote-block"> Originally Posted by <strong>I am a Zither Zather Zuzz</strong> <a href="/t/149467/flashback-discoverer-bucks-claims-of-malwares-decline#post_2098943"><img alt="View Post" class="inlineimg" src="/img/forum/go_quote.gif" /></a><br /> <br /> <p>  </p> <p>  </p> <p> Or maybe, new infections are as numerous as the number of computers being cleaned?  </p> </div></div><p>  </p><p> Or maybe the entire thing is ridiculous.</p><p> <br /> 1. The chart attached to this article shows that the number of infections went from 300,000 to 600,000 in one day - and then stayed roughly constant.</p><p> 2. The number of infections was declining slowly until the day Apple released a fix - and it jumped at that time.</p><p> 3. The other data says that the number of infections dropped by around 50% in one day - a week before Apple released a fix.</p><p> 4. The entire premise of their 'sampling' is questionable. The trojan sends information to servers set up by the trojan author. Just how are these security firms trapping private communications between the 'infected' computer and the server? The only way they could do that is if they had direct access to the server and/or the Internet backbone.</p><p>  </p><p> Since the data is completely inconsistent with any rational explanation, the authors have a long way to go to establish the validity of the data.</p>

    "sampling" could mean that they have websites that infect systems via the same method.
    The number of Macs hit in this way is multiplied by some estimate of the hit rate of the 'security' firm web site compared to the hit rate of the 'real' phishing sites.
    At best this will be a very inaccurate estimate, at worst it's absolutely bogus.

    J.
Sign In or Register to comment.