Security experts today could not confirm claims by a little-known Russian antivirus company that more than 600,000 Macs have been infected with a zero-day-exploiting Trojan, but they said the number was within reason.
“Even though the number is very, very large, it seems correct,” said Roel Schouwenberg, a senior researcher with Moscow-based antivirus company Kaspersky Lab. He added that Doctor Web’s methodology looked spot on.
Wednesday, Doctor Web estimated that more than half a million Macs had been infected with Flashback, a Trojan horse installed through drive-by attacks when users surf to compromised websites, making the ensuing collection of computers—a “botnet” in security vernacular—the largest ever for Apple’s machine.
Find out what you need to know about the Flashback trojan in Macworld’s FAQ
Doctor Web’s researchers were able to “sinkhole” part of the Flashback botnet—hijack some of the domains used to issue commands to infected computers—and calculated the size of the botnet by counting the UUIDs (universally unique identifiers) presented by OS X to the controlling servers.
Thursday, Doctor Web upped its estimate to just over 613,000.
While some botnets composed of Windows PCs have been much larger—Conficker, for instance, hijacked millions of machines—the size of the Flashback infection is unprecedented for Mac OS X.
Skepticism about the number of infected Macs is probably unwarranted, said several security professionals interviewed today by Computerworld, citing circumstantial evidence that Flashback could have been this successful.
Among the clues, they said, were the Flashback gang’s use of a zero-day Java vulnerability that Apple patched only this week, the tactic the cybercriminals used to infect unwary Mac owners and the availability of operating system-independent, Web-based exploit kits.
“A lot of things happened at the same time,” said Mike Geide, senior security researcher at Zscaler ThreatLabZ. “There have been mass compromises of WordPress sites, and the controllers [for those hijacked websites] match the domain structure Doctor Web described. That’s been ongoing since at least early March.”
WordPress is a popular open-source blogging and content management platform used by about one in seven websites.
Those usurped WordPress sites have been redirecting users to malicious URLs, where hackers have hosted the Blackhole exploit kit. Blackhole tries multiple exploits, including several aimed at Java bugs on Macs, to compromise machines.
The sheer size of the WordPress installed base and the scope of the WordPress injection campaign means that it would not have been impossible for hackers to poison more than 600,000 Macs.
“The number is entirely feasible,” said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks. Atlanta-based SecureWorks is well-known for its botnet research.
“In fact, I’m actually kind of surprised that Macs aren’t targeted more frequently,” added Stone-Gross. “[Exploit] toolkits include exploits that could be easily modified to run on any OS, especially those for vulnerabilities in Java, Flash Player and other software that runs on any operating system. They’re all vulnerable to the same exploits.”
None of the researchers or companies contacted by Computerworld were able to definitively confirm Doctor Web’s numbers, however. That would require the same kind of access to the Flashback command-and-control infrastructure that the Russian firm claimed to have obtained.
But several companies said they were working on the problem, including Kaspersky, SecureWorks and Symantec.
“If you had a sinkhole, you could get a more granular idea of the size [of the botnet],” said Liam O Murchu, manager of operations at Symantec’s security response team, talking about duplicating Doctor Web’s work. “But there are other ways we can use to see similarly large botnets.”
Not every researcher bought into Doctor Web’s numbers.
“We are not sure that all 500K [of the Flashback bots] are Mac users,” said Aleks Gostov, a chief security expert with Kaspersky, in a message on Twitter on Thursday. “I have some suspicions that probably bots for Windows [are] also present.”
Gostov seemed to base his opinion on the fact that Windows machines provide a GUID (globally unique identifier), Microsoft’s implementation of the UUID standard. If Doctor Web wasn’t able to correctly parse the hexadecimal string that represents the GUID/UUID, the Russian firm may have counted Windows PCs among the 600,000-plus it thinks are Mac machines.