Apple Plotting Flashback Botnet Murder

Apple looks to dismantle the C&C infrastructure of Flashback with the help of ISPs

Apple is working with internet service providers to dismantle the command and control (C&C) infrastructure of the Flashback botnet, which has been infecting Mac machines across the world.

Security company Dr Web said over 600,000 machines had been hit by Flashback. Other vendors have pushed out software to help users determine whether they are infected with Flashback, and Apple released a patch for various Java vulnerabilities being exploited by the malware.

Apple strikes back

Now Apple is going one step further in attempting to take apart the Flashback botnet, whilst developing software to detect and remove the malware itself.

“In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network,” an Apple Knowledge Base article read.

Apple also advised Mac owners running Mac OS X v10.5 or earlier to disable Java in web browser preferences if they wanted to give themselves better protection. The patch released on 3 April did not cover those operating systems.

Apple has apparently already moved to shut down servers it believes are running C&C operations for Flashback. However, in at least one case the company appears to have mistakenly targeted a sinkhole operation being run by Dr Web.

Dr Web, which said yesterday over 650,000 computers running Mac OS X had been infected by Flashback, claimed a “corporation made unsuccessful attempts to block domains used by Doctor Web to study the BackDoor.Flashback.39 botnet.” Boris Sharov, chief executive of the security firm, suggested it was Apple that had requested one of its domains be taken down.

Kaspersky criticism

Meanwhile, Kaspersky has claimed 670,000 machines have Flashback on them, making it the largest Mac-based infection to date. There are 47,109 infected systems in the UK.

Kaspersky also took to criticising Apple for not moving faster in issuing a patch. “The three month delay in sending a security update was a bad decision on Apple’s part,” said Kaspersky Lab’s Chief Security Expert, Alexander Gostev.

“There are a few reasons for this. First, Apple doesn’t allow Oracle to patch Java for Mac. They do it themselves, usually several months later. This means the window of exposure for Mac users is much longer than PC users.

“This is especially bad news since Apple’s standard AV update is a rudimentary affair which only adds new signatures when a threat is deemed large enough. Apple knew about this Java vulnerability for three months, and yet neglected to push through an update in all that time. The problem is exacerbated because – up to now – Apple has enjoyed a mythical reputation for being ‘malware free’. Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security.”
