600K strong Flashback botnet comprises mostly Macs
There has been a lot of talk and speculation about the size of the botnet formed by computers targeted with the Flashback malware and whether all these machines were, in fact, all Macs.
The botnet was first discovered by the researchers working for Dr. Web, a Russian security company, who managed to redirect the botnet traffic to their servers. Initially they counted 550,000 infected machines, but the number has reached 600,000 shortly after.
Their announcement has sparked a great debate, likely fueled in part by the Macs’ image as machines that can’t be easily infected by malware.
Kaspersky Lab researchers decided to check for themselves if the claim was true, and by reverse engineering the malware’s C&C domain generation algorithm and using the date, they managed to beat the botnet herders to the registration of a domain that the infected machines proceeded to send requests to.
“Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots,” said the researchers. “Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.”
In addition to that, they used passive OS fingerprinting techniques to estimate which percent of the machines were actually Macs, and as it turns out, 98 percent likely are.
It is believed that the number of active Mac machines around the world reaches 60 million, making the ones infected by this particular malware part of one percent of the total number.
Given that Flashback has the capability of downloading additional malware on the affected machines, it is a good idea for all those who suspect that they might have been hit to verify the speculation with this free tool.