Gregg Keizer reported yesterday that the Flashback Trojan horse -- which was supposed to be going the way of the dodo -- has hardly skipped a beat. Dr. Web, the Russian company that three weeks ago figured out how to count the number of infected Macs, says that the number of unique IP addresses with infected Macs has held steady around 700,000, and the number of unique infected Macs hovers around 580,000 to 595,000.
Meanwhile, other researchers and antimalware companies have been blogging about steep declines in the number of infections. It turns out they were fooled by Flashback.
There's an algorithm in Flashback that generates a new "phone home" URL every 24 hours. Dr. Web cracked the naming scheme, which let the company register those domains as sinkholes and count the infected machines that hit them. According to Dr. Web's site, apparently nobody noticed until late last week that after contacting the daily URL, Flashback then contacts "the server at 184.108.40.206, controlled by an unidentified third party. This server communicates with bots but doesn't close a TCP connection. As a result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers."
That third-party server puts the infected machine on hold, which keeps it from contacting the next daily URL -- and explains why sinkholes set up on the later daily URLs saw far fewer hits. Speculation is that Flashback will start phoning the daily URL again when the Mac is rebooted. Newly infected Macs would also phone the daily URL.
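The "hold" behaviour described above is easy to reproduce in miniature. The following is an added illustration, not Flashback's code or the Dr. Web sinkhole: a listener that accepts connections and never answers, beside a simulated bot check-in that either blocks forever (no socket timeout, the failure mode the paragraph describes) or times out and moves on to the next command server. The beacon string, the local listeners and the status labels are all invented for the example.

```python
import socket
import threading

HOST = "127.0.0.1"  # everything runs locally; no real C2 is contacted


def start_holding_server():
    """Listener that accepts each connection, then neither replies nor closes it.

    Returns the ephemeral port it is bound to. Mimics the third-party server
    that parks bots in standby by leaving the TCP connection open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)
    held = []  # keep references so the sockets stay open

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            held.append(conn)  # no send(), no close(): the peer just waits

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_replying_server(reply=b"HTTP/1.0 200 OK\r\n\r\nnoop\n"):
    """Listener standing in for a normal daily C2: reads the beacon, answers, closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            with conn:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def check_in(port, timeout):
    """One simulated bot check-in against a local listener.

    timeout=None reproduces a bot with no read timeout: against the holding
    server this call never returns. A finite timeout lets the bot give up.
    Returns "answered", "held" (timed out waiting), "closed" or "unreachable".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((HOST, port))
        s.sendall(b"GET /beacon HTTP/1.0\r\n\r\n")  # invented beacon, not Flashback's
        data = s.recv(1024)
        return "answered" if data else "closed"
    except socket.timeout:  # must precede OSError: timeout is a subclass of it
        return "held"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def walk_c2_list(ports, timeout):
    """Try each command server in order, recording how every contact ended.

    With a timeout the bot gets past a holding server and still reaches the
    later ones; without one it would stall at the first holding server.
    """
    return [check_in(p, timeout) for p in ports]


if __name__ == "__main__":
    hold = start_holding_server()
    real = start_replying_server()
    print(walk_c2_list([hold, real], timeout=0.5))
    # Uncomment to see the failure mode: this line never returns.
    # print(check_in(hold, timeout=None))
```

The point for defenders is the asymmetry: a sinkhole needs no protocol knowledge to neutralise a bot written this way, because simply accepting the connection and staying silent is enough. The point for anyone measuring an infection is the same one Dr. Web ran into: a bot parked on a silent server stops showing up at every later sinkhole, so a drop in daily hits can mean "held", not "cleaned".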
Symantec reported 142,000 hits on its daily URL on April 16. Presumably, that's the total of new infections, plus rebooted infected systems, in addition to an unknown number of Macs that might've spontaneously closed the TCP connection -- a sobering number. There's a detailed description of the infection method on Kaspersky's SecureList blog.
As I explained last week, Flashback started out as a simple Trojan last September. It tried to trick Mac users into installing the malware, disguising it as an update to the Flash player. But in February it took a menacing turn, adding drive-by infection techniques. Nobody seems to know exactly when the current triple-threat version of Flashback appeared, but it was definitely in the wild in late March. Dr. Web posted information about it on March 27 and started tracking infected systems with its sinkhole on April 3. Throughout this timeline, Apple has been dropping the ball.
There are three exploits used by the latest version of Flashback:
- Java vulnerability CVE-2012-0507 was fixed by Oracle on Feb. 15. On March 28, Blackhole added CVE-2012-0507 to its arsenal, and Metasploit followed on March 30. Apple's first patch for OS X CVE-2012-0507 appeared on April 3. Elapsed time: 48 days.
- Java vulnerability CVE-2011-3544 was fixed by Oracle on Nov. 18, 2011. It was added to both Metasploit and Blackhole on or about Nov. 30. Apple's first patch for OS X CVE-2011-3544 appeared on March 29. Elapsed time: 132 days.
- Apple patched the third vulnerability, CVE-2008-5353, way back in May of 2009. Elapsed time from the Sun patch: 163 days.
Apple has subsequently released two more pertinent patches: a Java update and Flashback removal tool for OS X Snow Leopard 10.6.8 and OS X Lion 10.7.3 on April 12; and a Flashback malware removal tool for OS X Lion 10.7 or later on April 13.
Where would you point the finger?
This story, "Flashback returns: Is Apple dropping the ball?," was originally published at InfoWorld.com.