Over the past couple of days, established security experts and firms have been slowly wrapping their heads around the zero-day Mac Flashback trojan exploit, which a small Russian-based antivirus company brought to light mid-week, claiming well over 600,000 Mac OS X installs were already infected and forming a fresh new Mac OS X botnet.
While more established external security companies cannot confirm exact numbers as of yet, the general consensus is that there is indeed a serious botnet of infected Macs out there, and potentially many more in the making. Russian-based antivirus heavy hitter Kaspersky Labs stated that “even though the number is very, very large, it seems correct”, also acknowledging that the methodology used by their lesser-known Russian antivirus colleagues from Doctor Web seemed perfectly apt and accurate in its analysis.
The Mac OS X installs are supposedly being infected en masse with the Flashback Trojan horse, which is being installed via drive-by attacks simply by having vulnerable installs surf to compromised web sites. If the numbers are correct (and some experts believe they are still likely to rise further if there are determined mutations or many remaining unpatched machines), it would likely be the largest known botnet ever involving Apple’s operating system.
Doctor Web security researchers were able to estimate the number of infections by “sinkholing” part of the Flashback botnet: they hijacked some of the command-issuing domains and proceeded to issue commands relayed through the command and control mechanism to count all the listed UUIDs (universally unique identifiers) of the infected Mac OS X machines presenting themselves as available to the controlling botnet servers.
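The sinkhole count described above, as an added example that is not Doctor Web's code: a Python script that parses constructed check-in log lines from a sinkholed domain and counts distinct bot UUIDs rather than source IP addresses, which over-count hosts whose address changes and under-count hosts behind one NAT. The log format and the `id` query parameter are assumptions, not Flashback's real protocol.

```python
"""Count unique bot IDs seen by a sinkholed C2 domain (constructed example).
Distinct IDs, not source IPs, are counted: an IP can change per host and one NAT
can hide many hosts. Log format and the ``id`` parameter are assumptions."""
import re
import uuid
from collections import defaultdict

# Apache-style access log; the bot ID is assumed to travel in the query string.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"GET /check\?id=(?P<bot_id>[^ &"]*)[^"]*" (?P<status>\d{3})'
)

def parse_checkin(line):
    """Return (ip, day, bot_id) for a well-formed check-in, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    try:
        bot_id = str(uuid.UUID(m.group("bot_id")))  # normalises case/format
    except ValueError:
        return None  # scanner probes and malformed IDs are not bots
    return m.group("ip"), m.group("day"), bot_id

def estimate_botnet(lines):
    """Summarise sinkhole traffic: distinct bots, distinct IPs, bots per day."""
    bots, ips, per_day, rejected = set(), set(), defaultdict(set), 0
    for line in lines:
        parsed = parse_checkin(line)
        if parsed is None:
            rejected += 1
            continue
        ip, day, bot_id = parsed
        bots.add(bot_id)
        ips.add(ip)
        per_day[day].add(bot_id)
    return {"unique_bots": len(bots), "unique_ips": len(ips),
            "per_day": {d: len(s) for d, s in per_day.items()}, "rejected": rejected}

# Constructed sample: one bot on two IPs, two bots behind one NAT, one scanner probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Apr/2012:10:00:01 +0000] "GET /check?id=0f8fad5b-d9cb-469f-a165-70867728950e HTTP/1.1" 200 12',
    '198.51.100.8 - - [05/Apr/2012:11:00:01 +0000] "GET /check?id=0F8FAD5B-D9CB-469F-A165-70867728950E HTTP/1.1" 200 12',
    '203.0.113.4 - - [05/Apr/2012:12:00:01 +0000] "GET /check?id=7c9e6679-7425-40de-944b-e07fc1f90ae7 HTTP/1.1" 200 12',
    '203.0.113.4 - - [06/Apr/2012:09:00:01 +0000] "GET /check?id=16fd2706-8baf-433b-82eb-8c7fada847da HTTP/1.1" 200 12',
    '192.0.2.9 - - [06/Apr/2012:09:05:01 +0000] "GET /check?id=notauuid HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(estimate_botnet(SAMPLE_LOG))
```

On the sample, the script reports 3 bots even though 4 check-ins come from 3 addresses, because the first bot re-polls from a second IP (same UUID in different case) and two bots share one NAT address.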
While many may wonder what the big deal is, citing known Windows-based botnets with substantially higher numbers well into the millions, the fact of the matter is that it is something of a first and an unprecedented find for Unix-based OSs like Mac OS X to be targeted and integrated so efficiently into a botnet. It may also shock some in the mainstream who have gotten into the habit of believing that Macs, and more generally *nix-based PCs, are somehow immune and that viruses and botnets are a Windows-only concern.
One of the possible exploit routes used by Flashback was a zero-day Java vulnerability which Apple only got around to patching and pushing out around mid-week. Whether or not this was the only exploited escalation point is not known for sure yet, but it was definitely the main culprit. It is also suspected that the Macs were compromised with an OS-independent web exploit, which means Windows PCs could also make up a sizable share of the growing botnet, which would seem rather likely.
Security researchers hinted at a sort of perfect storm situation which could be the main factor in the apparent massive rapidity of the Flashback Trojan’s propagation success. First in line for the drive-by download attacks could be a steadily growing mass compromise of WordPress-based sites spreading from as early as March 2012, with evidence that many of the Flashback botnet controllers’ domain structures as described by Dr Web matched those of the compromised WP site structures.
WordPress-based sites are of course fabulously popular and currently run on almost one in every seven websites online according to some estimates, which is a truly massive pool of potential propagation points if left vulnerable and would easily explain how the Mac OS X Flashback botnet soared to such numbers so rapidly.
So while it does indeed seem like a big escalation in the targeting of Mac OS X by cyber-criminals, which we’re likely to see more and more of in the future as OS X usage grows, it is still important to note that despite the claims from Doctor Web, it is likely the Flashback botnet is not only comprised of Mac OS X machines as many claim, but that there are surely many Windows machines among the infected which may have even been hit by the same original OS-independent Java exploit. One hopes Oracle and Microsoft are on top of this.
More information on the Mac OS X Flashback Trojan Backdoor can be found at F-Secure.