It’s been 20 days since Apple released its Flashback trojan removal tool in April 13 which removed a trojan that exploited an un-patched Java flaw, but there remains confusion as to how successful the multi-vendor removal campaign has been.
Symantec on April12 was the first to claim a huge reduction in the drive-by-download Mac OS X malware that netted around 700,000 users worldwide who for the most part have never felt the need to install antivirus, leaving them at the hands of Apple’s internal procedures for dealing with the relatively infrequent automated attack against macs.
Symantec claimed last week that since the height of infection in early April, infections had fallen from 600,000 to about 270,000 on the 11th April, but has since revised these figures. (See graph 3.)
Kaspersky last Friday April 20 held a media conference proclaiming that Flashback infections had been reduced to just 30,000. It showcases the increasing trend for malware writers to target OS X (see graph 2.
The same day, however, Dr Web, the Russian security outfit that first reported the outbreak claimed Apple’s and the wider security vendor response was not working, Dr Web noted that on the day if Apple’s April 3 Java fix was release infections doubled from just under 300,000 to 600,000. (See graph 1.)
The case highlights how unstable the numbers game is in security. There was some dispute over how each security vendor deployed its ‘sinkholes’, essentially spoofed command centres that researchers use monitor when each infected Mac call backs to the command centre.
Symantec predicted infections would fall to 99,000 by April 17. That is, until April 20 when it conceded that its sinkhole data was wrong because Symantec was “receiving limited infection counts for OSX.Flashback.K.”
“Our current statistics for the last 24 hours indicate 185,000 universally unique identifiers (UUIDs) have been logged by our sinkhole,” it said in the update.
Dr Web meanwhile contends that there remains over 500,000 infections. (Graph 1.)
The question that no security company can answer is what capabilities Flashback’s authors may equip the trojan with next.
Although at the moment it is known to manipulate primarily Google search results with links to fraudulent sites, Windows malware history tells that there is every chance the operators could well equip the trojan with nastier capabilities aimed at stealing login banking credentials or more sinister features.
Dr Web, Graph 1
Kaspersky, Graph 2
Symantec, Graph 3
Follow @CSO_Australia and sign up to the CSO Australia newsletter.