Apr 06, 2012

Half of 600,000 infected Macs are in the U.S.

By Byron Acohido, USA TODAY

Some 300,000 of the 600,000 Macs infected by the Flashback Trojan are located in the U.S., including 274 in Cupertino, Apple's hometown in Silicon Valley, according to tweets from Ivan Sorokin, a malware analyst at Russian anti-virus company Dr. Web.

Sorokin's disclosure earlier this week of a massive botnet made up entirely of Macs is serving as a lightning rod for the community of a few hundred top virus hunters worldwide, some of whom would like to see Apple become more collaborative about defending the Internet against cybercriminals.

"Maybe Apple will feel a little of the pain their users are now feeling and get serious about being more candid and perhaps more revealing in their patch release notifications," says Paul Henry, security and forensic analyst at network security company Lumension.

Henry notes that calculating the number of infected Macs has been relatively easy, since the Trojan "actually sends a copy of each infected Mac's UUID to the command and control server."

Sorokin used a sinkhole to count the infected Macs: Dr. Web pointed the domains the Trojan contacts for instructions at its own servers, so every bot checking in reported its UUID to Dr. Web instead of to the criminals.
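Why the UUID matters for the count: raw sinkhole hits overcount (a bot checks in repeatedly) and source IPs both over- and undercount (one bot roams across addresses, several bots hide behind one NAT). The following is an added example, not Dr. Web's code, showing how a sinkhole operator would deduplicate check-ins by the reported UUID and attribute each bot to the country it was first seen in. The log format, the `uuid` query parameter, and the sample lines are all constructed assumptions; a real sinkhole's request format will differ.

```python
"""Count bots in a sinkhole log by the UUID each bot reports.

Added example (not Dr. Web's code).  Log layout, field order and the
`uuid=` query parameter are assumptions; the sample lines are constructed.
"""
import re
from collections import Counter

# Assumed line layout: <timestamp> <source ip> <country code> GET <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<cc>[A-Z]{2})\s+GET\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
# A well-formed 8-4-4-4-12 hex UUID passed as the `uuid` query parameter.
UUID_RE = re.compile(
    r"[?&]uuid=([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})(?:&|$)", re.I
)

# Constructed sample log.  It deliberately includes repeat check-ins, two
# bots behind one NAT address, one bot that changes address and country,
# and two requests that are not bot check-ins at all.
SAMPLE_LOG = "\n".join([
    "2012-04-05T10:00:01Z 203.0.113.10 US GET /?uuid=A1B2C3D4-0000-1000-8000-000000000001 200",
    # second bot behind the same NAT address
    "2012-04-05T10:00:02Z 203.0.113.10 US GET /?uuid=A1B2C3D4-0000-1000-8000-000000000002 200",
    # bot 1 checks in again (same machine, must not be counted twice)
    "2012-04-05T10:05:00Z 203.0.113.10 US GET /?uuid=A1B2C3D4-0000-1000-8000-000000000001 200",
    # bot 1 again from a new address (laptop moved networks)
    "2012-04-05T10:05:30Z 203.0.113.11 US GET /?uuid=A1B2C3D4-0000-1000-8000-000000000001 200",
    # bot 3 first seen in GB ...
    "2012-04-05T10:06:00Z 198.51.100.7 GB GET /?uuid=A1B2C3D4-0000-1000-8000-000000000003 200",
    # ... then from CA; it stays attributed to GB (first-seen country)
    "2012-04-05T10:07:00Z 192.0.2.44 CA GET /?uuid=A1B2C3D4-0000-1000-8000-000000000003 200",
    # noise: a browser fetching the sinkhole's favicon, not a bot
    "2012-04-05T10:08:00Z 192.0.2.45 CA GET /favicon.ico 404",
    # noise: a malformed uuid parameter, skipped
    "2012-04-05T10:09:00Z 192.0.2.46 CA GET /?uuid=notauuid 200",
])


def parse_checkins(log_text):
    """Return one dict per valid bot check-in; skip lines that do not parse."""
    checkins = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        u = UUID_RE.search(m.group("path"))
        if not u:
            continue
        checkins.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            "cc": m.group("cc"),
            "uuid": u.group(1).upper(),
        })
    return checkins


def count_bots(checkins):
    """Compare the three possible counts and break bots down by country.

    Each UUID is attributed to the country of its first check-in, so a
    bot that later roams is not counted in two countries.
    """
    first_country = {}
    ips = set()
    for c in checkins:  # checkins are in log order, so first seen wins
        ips.add(c["ip"])
        first_country.setdefault(c["uuid"], c["cc"])
    return {
        "checkins": len(checkins),
        "distinct_ips": len(ips),
        "bots": len(first_country),
        "by_country": dict(Counter(first_country.values())),
    }


if __name__ == "__main__":
    stats = count_bots(parse_checkins(SAMPLE_LOG))
    print(f"raw check-ins: {stats['checkins']}, distinct IPs: {stats['distinct_ips']}, "
          f"bots by UUID: {stats['bots']}")
    for cc, n in sorted(stats["by_country"].items(), key=lambda kv: -kv[1]):
        print(f"  {cc}: {n} ({100 * n / stats['bots']:.0f}%)")
```

On the constructed sample the three numbers diverge (six check-ins, four addresses, three bots), which is the whole reason a per-machine identifier in the beacon makes the census trustworthy. Attributing by first-seen country is a choice; a sinkhole that runs for days would also want to age out UUIDs that stop checking in after the patch lands.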

Botnets are the Swiss Army Knife of cybercrime. Cybergangs use them to spread spam, infect websites, carry out denial-of-service attacks and hijack online bank accounts.

An unpatched Java vulnerability left Mac users exposed to the Flashback Trojan, which makes the infected machine quietly report to a command-and-control server for further instructions. A Mac could be infected simply by visiting a web page rigged to deliver a drive-by download that exploits this Java flaw; the user does not have to open or install anything, since the exploit runs when the page loads.

And as many Windows PC users can attest, when a Mac is performing bot duties its performance suffers, since the malware consumes CPU, disk and network resources alongside the user's own work. One commenter on Ars Technica's coverage noted:

My wife's first-gen Core Duo MacBook Pro hard drive is always busy, which I thought was due to limited hard drive space. Even after cleaning out ~15 GB of space, the OS is slow and often unresponsive, and the HD is clickety-clacking all the time. I sure hope I don't have it. I'm going to check first thing when I get home. Has anyone's machine here tested positive? If so, does this sound familiar?

Apple has since patched the Java flaw. F-Secure has supplied details on how to diagnose and fix the problem, but warns that the steps are tricky.

"This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats," says Mike Geide, senior security researcher at Zscaler ThreatLabZ. "And the need to follow best security practices, such as remaining current with patches, is ubiquitous — it doesn't matter if you're using Windows, Mac or even mobile phone."

Lumension's Henry opines that "Apple still lacks any urgency in their patch release and in fact, users had to be lucky enough to have checked.

"Simply put, if Apple wants to be taken seriously as an enterprise provider, they need to be more timely and candid about their patches," Henry continues. "How else will administrators understand the necessary sense of urgency to prioritize and deal with security issues?"

Apple has been issuing patches roughly once a month, much like Microsoft issues security fixes on the second Tuesday of each month, known as Patch Tuesday. "Apple should take a lesson from Microsoft and formally adopt a monthly process and provide, at minimum, the same level of disclosure users have come to expect from Microsoft," says Henry.
