In view of some of the big numbers that have been bandied around in relation to the Flashback botnet, it’s interesting to see that ESET, whose researchers are notorious for their refusal to engage in the “23.56% of internet users…” speculation that appeals to the media, has nevertheless issued some hard data from the sinkhole it implemented to monitor the botnet.
Pierre-Marc Bureau’s blog article notes that:
491,793 unique IDs coming from over 749,113 unique IP addresses connecting to our sinkhole.
Typically, however, he notes that:
Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs.
He suggests that duplicate UUIDs, perhaps as a result of infections on virtual machines and “Hackintoshes” (OS X running on unsupported systems, usually some form of x86 PC), probably result in underestimation of overall infection numbers, since several infected hosts sharing one UUID are counted as a single ID.
He also mentions the use by Flashback of Twitter hashtags to reconnect an orphaned zombie with the botnet when a C&C server is taken down, by passing instructions via tweets containing those hashtags. Intego previously reported this in more detail back in early March; however, Pierre-Marc notes that the latest version uses new strings, and Twitter has been notified accordingly.
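To make the counting problem concrete, here is an added example (not code from ESET or from the Flashback sinkhole) that walks a few constructed sinkhole log lines and reports unique IDs against unique IPs, lists IDs seen from several addresses and addresses behind which several IDs sit, and flags IDs that check in from different addresses too quickly for one physical machine to have moved networks. The log format, the UUID values and the `fast_move_window` heuristic are all assumptions made for the illustration.

```python
"""Sinkhole log analysis: unique bot IDs versus unique IP addresses.

Added illustration, not the ESET sinkhole's own code. The log lines,
UUIDs and IP addresses below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log lines: timestamp, bot hardware UUID, source IP.
SAMPLE_LOG = """\
2012-04-20T10:00:01Z uuid=A1B2C3D4-0001 ip=198.51.100.10
2012-04-20T10:00:05Z uuid=A1B2C3D4-0002 ip=198.51.100.11
2012-04-20T10:05:09Z uuid=A1B2C3D4-0001 ip=198.51.100.10
2012-04-20T11:00:00Z uuid=A1B2C3D4-0001 ip=203.0.113.7
2012-04-20T11:30:00Z uuid=A1B2C3D4-0003 ip=203.0.113.8
2012-04-20T11:31:00Z uuid=A1B2C3D4-0003 ip=203.0.113.9
2012-04-20T12:00:00Z uuid=A1B2C3D4-0003 ip=203.0.113.10
2012-04-20T12:00:00Z uuid=A1B2C3D4-0004 ip=203.0.113.10
"""

# Assumed line layout; a real sinkhole would have its own format.
LINE_RE = re.compile(r"^(?P<ts>\S+) uuid=(?P<uuid>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Return a list of (datetime, uuid, ip) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group("uuid"), m.group("ip")))
    return records


def summarize(records):
    """Count unique IDs and IPs and expose the many-to-many relationships.

    unique_ids is a lower bound on infected hosts: two cloned machines with
    the same hardware UUID collapse into one ID. unique_ips can run either
    way: NAT hides many hosts behind one address, while a roaming laptop
    shows one ID at several addresses.
    """
    ips_by_uuid = defaultdict(set)
    uuids_by_ip = defaultdict(set)
    for _, uuid, ip in records:
        ips_by_uuid[uuid].add(ip)
        uuids_by_ip[ip].add(uuid)
    return {
        "unique_ids": len(ips_by_uuid),
        "unique_ips": len(uuids_by_ip),
        # One ID at many addresses: roaming host, or several hosts sharing a UUID.
        "ids_with_many_ips": {u: sorted(s) for u, s in ips_by_uuid.items() if len(s) > 1},
        # Many IDs behind one address: most likely NAT in front of several hosts.
        "ips_with_many_ids": {ip: sorted(s) for ip, s in uuids_by_ip.items() if len(s) > 1},
    }


def suspected_shared_uuids(records, fast_move_window):
    """Flag UUIDs that check in from two different IPs within fast_move_window seconds.

    A single laptop cannot realistically change networks that quickly, so
    such IDs are candidates for duplicate UUIDs (VMs, Hackintoshes), which is
    exactly the case that makes the unique-ID count an underestimate.
    """
    by_uuid = defaultdict(list)
    for ts, uuid, ip in records:
        by_uuid[uuid].append((ts, ip))
    flagged = set()
    for uuid, hits in by_uuid.items():
        hits.sort()
        for (t1, ip1), (t2, ip2) in zip(hits, hits[1:]):
            if ip1 != ip2 and (t2 - t1).total_seconds() <= fast_move_window:
                flagged.add(uuid)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize(recs)
    print("unique IDs:", summary["unique_ids"], "unique IPs:", summary["unique_ips"])
    print("IDs seen from several IPs:", summary["ids_with_many_ips"])
    print("IPs with several IDs behind them:", summary["ips_with_many_ids"])
    print("suspected shared UUIDs:", suspected_shared_uuids(recs, fast_move_window=300))
```

On the constructed data the sinkhole sees four IDs from six addresses, which is the same direction as the ESET ratio above, yet the one ID flagged by the fast-move check (two addresses a minute apart) shows why the ID count is only a floor: the true host count is at least four, and probably higher.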
Very tasty data.
Meanwhile, Sean Michael Kerner poses the question at eSecurity Planet ‘Mac Security: A Myth?’ If you’re a regular visitor to this site, you probably know my feelings about that. But I particularly liked a quote from Roger Thompson on three conditions that need to be satisfied for a platform to be a serious target for malware authors.
- The operating system has to be well enough understood that people of hostile intent can write malware.
- The development system needs to be cheap enough that the people of hostile intent can afford it.
- The target base needs to be big enough to provide a return on the effort.
Personally I’d be inclined to widen the definition beyond operating systems – after all, part of the current problem is that Java is to some extent OS-agnostic – but that’s a semantic quibble. The summation tells us something very important about where OS X users are now. It just surprises me, given how prevalent the myth of OS X invulnerability has been, that it took so long to get there. Though, like Kurt Wismer and David Harley, I remain unsurprised that there are factions still preferring to hope that Apple will respond promptly and appropriately to malware rather than use security software, and in some instances continuing to shoot (or at least badmouth) the messenger. Happy though we all are to see Apple biting the bullet and actually admitting there is a malware problem to tackle, it’s a mistake to be too ready to dismiss the importance of AV professionalism.
And finally, here’s a nice, clear summary from Dave Marcus of what the user is likely to see during a Flashback installation. Though I’m not sure that other vendors would agree that McAfee’s detection name (OSX/Flashfake) is the ‘official’ name.
Old “bite that bullet, boys” Mac