Security Experts: 600,000+ Estimate of Mac Botnet Likely on Target
Security experts could not confirm claims by a little-known Russian antivirus company that more than 600,000 Macs have been infected with a zero-day-exploiting Trojan, but they said the number was within reason.
Fri, April 06, 2012
Computerworld — Security experts today could not confirm claims by a little-known Russian antivirus company that more than 600,000 Macs have been infected with a zero-day-exploiting Trojan, but they said the number was within reason.
"Even though the number is very, very large, it seems correct," said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. He added that Doctor Web's methodology looked spot on.
Wednesday, Doctor Web estimated that more than half a million Macs had been infected with Flashback, a Trojan horse installed through drive-by attacks when users surf to compromised websites, making the ensuing collection of computers -- a "botnet" in security vernacular -- the largest ever for Apple's machine.
Doctor Web's researchers were able to "sinkhole" part of the Flashback botnet -- hijack some of the domains used to issue commands to infected computers -- and calculated the size of the botnet by counting the UUIDs (universally unique identifiers) presented by OS X to the controlling servers.
Thursday, Doctor Web upped its estimate to just over 613,000.
While some botnets composed of Windows PCs have been much larger -- Conficker, for instance, hijacked millions of machines -- the size of the Flashback infection is unprecedented for Mac OS X.
Skepticism about the number of infected Macs is probably unwarranted, said several security professionals interviewed today by Computerworld, citing circumstantial evidence that Flashback could have been this successful.
Among the clues, they said, were the Flashback gang's use of a zero-day Java vulnerability that Apple patched only this week, the tactic the cybercriminals used to infect unwary Mac owners and the availability of operating system-independent, Web-based exploit kits.
"A lot of things happened at the same time," said Mike Geide, senior security researcher at Zscaler ThreatLabZ. "There have been mass compromises of WordPress sites, and the controllers [for those hijacked websites] match the domain structure Doctor Web described. That's been ongoing since at least early March."
WordPress is a popular open-source blogging and content management platform used by about one in seven websites.
Those usurped WordPress sites have been redirecting users to malicious URLs, where hackers have hosted the Blackhole exploit kit. Blackhole tries multiple exploits, including several aimed at Java bugs on Macs, to compromise machines.
The sheer size of the WordPress installed base and the scope of the WordPress injection campaign means that it would not have been impossible for hackers to poison more than 600,000 Macs.
"The number is entirely feasible," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks. Atlanta-based SecureWorks is well-known for its botnet research.