Security firm Kaspersky Lab today weighed in on the Flashback Trojan controversy, confirming that the flaw likely infected more than half a million Macs.
In a blog post, Kaspersky Lab expert Igor Soumenkov said the firm analyzed the latest variant of the botnet - dubbed Flashfake - to try and nail down where the infected computers resided and how many were affected.
"We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, 'krymbrjasnof.com,'" Soumenkov wrote. "After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots."
Kaspersky's analysis saw more than 600,000 unique bots connect to its servers in less than 24 hours, using a total of 620,000 external IP addresses. More than 50 percent came from the United States.
That's in line with Wednesday data from anti-virus firm Doctor Web, which said that about 550,000 Macs were likely infected by the Java flaw, known as the Flashback Trojan.
Approximately 300,917 of the active bots were located in the U.S., followed by 94,625 in Canada, 47,109 in the U.K., and 41,600 in Australia, Kaspersky said. A smaller number of devices in France, Italy, Mexico, Spain, Germany, and Japan were also affected.
Soumenkov said Kaspersky could not confirm or deny that all the bots were running Mac OS X, but the firm was able to get a "rough estimation" using passive OS fingerprinting techniques.
"More than 98 percent of incoming network packets were most likely sent from Mac OS X hosts," he wrote. "Although this technique is based on heuristics and can't be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs."
Yesterday, Apple issued a second update to address this issue, though it did not appear to be too in depth.
Security experts are suggesting that Mac users, particularly those on older versions of OS X, update their software as soon as possible. For the technically inclined, F-Secure also has instructions on how to locate a Flashback infection.
Post a Comment