Mac Flashback Infections Down to 140,000, Symantec Says
The number of Apple Mac systems infected with the Flashback malware has dropped to about 140,000 worldwide, though officials with security software vendor Symantec said that number seems to be tapering off.
At its height earlier this month, the Flashback exploit had infected more than 600,000 Macs--more than 1 percent of the systems in use globally--a record for a Mac malware attack. A host of security software makers including Symantec, Kaspersky Lab, F-Secure and Intego and Apple itself have rolled out free tools that enable users to detect and remove the malware from their systems.
The fact that so many such tools are out there has Symantec officials wondering why the drop in infected systems isn't greater.
W e had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case, the officials said in a post April 17 on Symantec's blog. "Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark. As there have been tools released by Symantec and other vendors in the past few days concerning this threat, the infection numbers should have seen a dramatic decrease by now."
The officials urged users to install the latest patches and use the tools to remove the malware.
The Flashback malware shot holes through the theory that Apple systems were essentially immune from such infections, and exposed Apple s inexperience in addressing such security issues. The Flashback malware exploited a vulnerability in Java, which is owned by Oracle. But while Oracle was able to patch Microsoft Windows PCs and other systems weeks earlier, it wasn t until April 3--after the Mac infections were well underway--that Apple issued the patch for the Java flaw.
Then Apple was days behind the security software vendors in offering a tool to detect and remove the malware.
While the Mac community is trying to put the Flashback attack behind it, another piece of malware has come into the picture. According to companies such as Kaspersky, Symantec, Sophos and Intego, the new malware--called Sabpab or SabPub, depending on the company--that works as a classic backdoor Trojan horse, which is leveraging the same Java flaw as Flashback to get into systems and steal information. The Sabpab Trojan creates files and then sends encrypted logs back to the command-and-control (C&C) server, enabling the hackers to monitor the activity on the system, according to researchers.
However, the threat may not be as widespread as Flashback, according to some researchers.
"These malware variants are being used in targeted attacks against Tibetan-focused NGOs non-governmental organizations and are therefore very unlikely to be encountered in-the-wild by day-to-day Mac users," researchers at F-Secure said in an April 17 post on the company blog. "If you're a Mac-using human rights lawyer, however your odds of exposure are another matter entirely. If you don't have it already, now is the time to install antivirus on your Mac."
Michael Sutton, vice president of security research at Zscaler, said the malware is delivered via email targeted at Tibetan sympathizers. Though some industry observers have wondered whether Sabpub could become as large as Flashback, Sutton said the issue is being over-hyped in the media.
"This is a small targeted attack," he said in an email." It is not widespread, nor is it meant to be. Patches are available for both vulnerabilities targeted by SabPub, so Mac users with fully patched systems are not vulnerable."