Flashback discoverer bucks claims of malware's decline
In a status report released on Friday, the Russian security firm that first discovered the Flashback trojan disagrees with recent findings from Symantec and Kaspersky Labs, warning that the number of machines affected by the malware is not declining.
Citing data from its own analysis of the largest Mac botnet to date, Dr. Web notes that around 650,000 computers are still affected, which is in stark contradiction to the 30,000 figure provided by the well-known security companies Symantec and Kaspersky.
Analysts from the Russian firm researched the discrepancy and found that the raw data coming in from the larger companies' servers were likely inaccurate because of Flashback's complex domain name generation and an unusual TCP connection behaviour that effectively hides bots from the command and control servers being monitored.
"BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain names is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its pre-defined priorities."
When the malware was first discovered in early April, Dr. Web registered the main domains used as Flashback command servers, while other security firms most likely rely on "hijacked servers" that are, in this case, less reliable. The report explains that Flashback's mode of operation allows its network of bots to go largely unnoticed by the hijacked servers, which could be the reason for the precipitous drop reported this week that saw the number of affected machines fall from 140,000 to 30,000.
Source: Dr. Web
"On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has made it possible to calculate the number of bots on the malicious network more accurately, which is indicated on the graph."
Dr. Web notes that the trojan sends requests to a server run by an unidentified third party, which in turn communicates with the bots but fails to close the TCP connection. This behaviour matters to researchers because it puts the bots into standby mode, meaning they do not go on to contact the other command servers monitored by information security specialists, and so are never counted there.
Code illustrating how an open TCP connection to the command server causes a bot to freeze. | Source: Dr. Web
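The counting artifact described above can be modelled in a few lines: bots work through their control servers in priority order, a server that never closes the TCP connection leaves a bot stuck there, and a sinkhole further down that bot's list never sees it. The following simulation is an added illustration, not Dr. Web's code; the domain names, variant priority lists and bot ids are constructed, and the position of the hanging server in each list is an assumption.

```python
HANG = "hang"   # server accepts the TCP connection and never closes it (bot goes into standby)
DOWN = "down"   # domain never registered; connect fails and the bot moves on at once

class Sinkhole:
    """Registered control-server domain; answers, closes, and records unique bot ids."""
    def __init__(self, name):
        self.name, self.seen = name, set()
    def handle(self, bot_id):
        self.seen.add(bot_id)
        return "no-task"

class Fixed:
    """Server that behaves the same for every bot: HANG or DOWN (constructed)."""
    def __init__(self, name, behaviour):
        self.name, self.behaviour = name, behaviour
    def handle(self, bot_id):
        return self.behaviour

def poll(bot_id, servers):
    """One round: contact servers in priority order; DOWN and answered servers are
    passed over, the first HANG leaves the bot stuck there. Returns names contacted."""
    contacted = []
    for srv in servers:
        contacted.append(srv.name)
        if srv.handle(bot_id) == HANG:
            break
    return contacted

def census(bots):
    """bots: (bot_id, priority-ordered servers). Every bot polls once; returns the
    unique-bot count each sinkhole operator would publish."""
    sinkholes = {}
    for bot_id, servers in bots:
        poll(bot_id, servers)
        sinkholes.update((s.name, s) for s in servers if isinstance(s, Sinkhole))
    return {name: len(s.seen) for name, s in sinkholes.items()}

def scenario():
    """Constructed population: 1000 bots of two variants sharing the date-based
    domain, differing in where a third-party server that never closes connections sits."""
    date_sink = Sinkhole("date-based.sinkhole.example")    # shared by all variants
    hijacked = Sinkhole("hijacked.otherfirm.example")       # another firm's server
    embedded_a = Sinkhole("variant-a.embedded.example")     # registered at discovery
    embedded_b = Fixed("variant-b.embedded.example", DOWN)  # registered by nobody
    stuck = Fixed("third-party.example", HANG)
    variant_a = [embedded_a, date_sink, hijacked, stuck]
    variant_b = [embedded_b, date_sink, stuck, hijacked]
    bots = [(f"bot-{i}", variant_a if i < 300 else variant_b) for i in range(1000)]
    return census(bots)
```

In this scenario the shared date-based sinkhole counts all 1,000 bots while the other firm's server, sitting behind the hanging server for 700 of them, reports only 300, which is the shape of the discrepancy the article describes.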
There has been no response from Symantec or Kaspersky Labs, and their respective websites still reflect a "Very Low" threat level for the Flashback trojan.
The first iteration of the malware appeared in 2011 disguised as an Adobe Installer, and later morphed into the current self-installing version that was seen on 600,000 Macs worldwide. Following installation, Flashback harvests sensitive data like user IDs, passwords and web browsing history and sends the information to an off-site server.
Apple has responded to the malware by releasing a number of software updates, including a specially-designed Flashback removal tool, over the past two weeks.
Comments
Of course they do.
THEY'RE AN ANTI-VIRUS COMPANY!
Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel.
sounds like the "security firm" might have a vested interest in the malware...
D'OH, beat me to it.
Quote:
Originally Posted by Tallest Skil
Of course they do.
THEY'RE AN ANTI-VIRUS COMPANY!
Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel.
All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?
Quote:
Originally Posted by yAak
All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?
I'm saying they're spreading FUD. They're fearmongering. They're in the business of doing that. We don't have a clue if 600,000 Macs were actually infected. Nor will we ever, really.
Quote:
Originally Posted by yAak
Quote:
Originally Posted by Tallest Skil
Of course they do.
THEY'RE AN ANTI-VIRUS COMPANY!
Why are we listening to this tripe? It's the same as if we were to take what Greenpeace reported about companies as gospel.
All three companies reporting numbers are anti-virus companies, so I'm not sure what you're trying to say...?
I think it is something like "Because of the message, I'll throw out some FUD about the messenger".
It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities...
Yeah, this whole thing remains a bit fishy to me. I don't doubt there is something out there, but still, fishy fishy fishy.
Quote:
Originally Posted by rkevwill
Yeah, this whole thing remains a bit fishy to me. I don't doubt there is something out there, but still, fishy fishy fishy.
The methodology just doesn't make any sense. How in the world would they be able to accurately measure the number of infected systems?
So basically all Apple's efforts amounted to nothing, the removal tool had no effect, the Java patches which worked on Windows and Linux had no effect, the awareness of this trojan and people of varying skill levels attempts to remove it had no effect, the people who installed and used AV software had no effect.
Something stinks about this.
Quote:
Originally Posted by hill60
So basically all Apple's efforts amounted to nothing, the removal tool had no effect, the Java patches which worked on Windows and Linux had no effect, the awareness of this trojan and people of varying skill levels attempts to remove it had no effect, the people who installed and used AV software had no effect.
Something stinks about this.
Or maybe, new infections are as numerous as the number of computers being cleaned?
Quote:
Originally Posted by iCarbon
sounds like the "security firm" might have a vested interest in the malware...
D'OH, beat me to it.
I wouldn't put it past some of them to be behind the trojans.
Quote:
Originally Posted by I am a Zither Zather Zuzz
Or maybe, new infections are as numerous as the number of computers being cleaned?
Maybe Dr Web's methodology is flawed.
Quote:
Originally Posted by I am a Zither Zather Zuzz
Or maybe, new infections are as numerous as the number of computers being cleaned?
Or maybe the entire thing is ridiculous.
1. The chart attached to this article shows that the number of infections went from 300,000 to 600,000 in one day - and then stayed roughly constant.
2. The number of infections was declining slowly until the day Apple released a fix - and it jumped at that time.
3. The other data says that the number of infections dropped by around 50% in one day - a week before Apple released a fix.
4. The entire premise of their 'sampling' is questionable. The trojan sends information to servers set up by the trojan author. Just how are these security firms trapping private communications between the 'infected' computer and the server? The only way they could do that is if they had direct access to the server and/or the Internet backbone.
Since the data is completely inconsistent with any rational explanation, the authors have a long way to go to establish the validity of the data.
Quote:
Originally Posted by brlawyer
It's funny how most of these "security" companies come from a country widely known for its (i) transparency and (ii) low corruption levels and (iii) extremely low incidence of hacking activities...
LOL
Quote:
Originally Posted by iCarbon
sounds like the "security firm" might have a vested interest in the malware...
D'OH, beat me to it.
Maybe that's why Apple closed one of their servers down?
Or maybe they are trying to get their own back because Apple closed their servers down?
Quote:
Originally Posted by Tallest Skil
I'm saying they're spreading FUD. They're fearmongering. They're in the business of doing that. We don't have a clue if 600,000 Macs were actually infected. Nor will we ever, really.
I would agree about Dr Web. But the other folks are actually defusing the FUD to some degree by showing the threat is even less of a threat now than before.
But you are correct that the truth is that we don't know if any of this is real or not. And even if they are infected with the trojan and calling out to some server (which for all we know is controlled by Dr Web because they are the creators) that might be all it ever does.
Dr Web should know better than anyone else.
After all the Dr likely gave birth to that Trojan.
But the Dr can't even count accurately, I doubt that Trojan will be very effective!
Dr. Bott is the one spreading the Trojan, so of course their numbers are going to be higher. I myself never got it, and actually don't know of anyone personally that got it either. This is a company that wants to spread FUD to get customers to buy anti-virus, anti-malware software. Apple already addressed the issue and the trojan is dead already no matter what the Russians think.
"sampling" could mean that they have websites that infect systems via the same method.
The number of Macs hit in this way is multiplied by some estimate of the hit rate of the 'security' firm web site compared to the hit rate of the 'real' phishing sites.
At best this will be a very inaccurate estimate, at worst it's absolutely bogus.
J.