If you still think your Mac is bulletproof, impervious and zip-locked when it comes to viral incursions, let this latest infection fiasco lift the scales from your eyes: over 600,000 Macs may have succumbed to the Flashback Trojan. That number comes from a Russia-based antivirus vendor that used a technique called “sinkholing” (taking control of the command-and-control domains the bots contact, so that infected machines report in to the researchers instead of the attackers) to measure how widely the malware had spread and where.
The vendor, Dr.Web, first wrote yesterday about the Trojan, which it calls BackDoor.Flashback, and claimed it had infected “more than 550,000” systems running Mac OS X, most of them in the U.S. and Canada. “This once again refutes claims by some experts that there are no cyber-threats to Mac OS X,” Dr.Web added. By Dr.Web’s estimate, 56.6% of the affected Macs are in the U.S. (303,449), 19.8% in Canada (106,379), 12.8% in the U.K. (68,577) and 6.1% in Australia (32,527); every other country accounts for less than 1%.
After F-Secure’s Chief Research Officer, Mikko Hypponen, tweeted “we can’t confirm or deny [Dr.Web's] figure,” Dr.Web analyst Sorokin Ivan replied that “at this moment botnet Flashback over 600k, include 274 bots from Cupertino and special for you Mikko – 285 from Finland.”
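The figures above come out of sinkhole data, and the disagreement between the vendors turns on how you count. A sinkhole sees a stream of check-ins, not a list of machines: one infected Mac checks in repeatedly and may change IP address, while several Macs behind one NAT gateway share an address. The short script below, an added illustration and not Dr.Web’s or F-Secure’s code, parses a constructed check-in log and shows how counting by a per-bot identifier and counting by source IP give different totals and different country shares. The log format, the `bot_id` field and the country column are assumptions for the example; the page does not describe Flashback’s actual check-in protocol or identifier.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class CheckIn(NamedTuple):
    """One bot check-in as recorded by a sinkhole (field layout is assumed)."""
    ts: str
    ip: str
    bot_id: str
    country: str


# Constructed sample log, not real sinkhole data. Documentation-range IPs only.
# Columns: timestamp, source IP, per-bot identifier, country (assumed to come
# from a GeoIP lookup done at logging time).
SAMPLE_LOG = """\
2012-04-05T10:00:01Z 198.51.100.7   bot-a1 US
2012-04-05T10:00:05Z 198.51.100.7   bot-a2 US   # second Mac behind the same NAT
2012-04-05T10:01:00Z 203.0.113.9    bot-b1 CA
2012-04-05T11:00:00Z 198.51.100.42  bot-a1 US   # bot-a1 reappears on a new address
2012-04-05T11:05:00Z 192.0.2.5      bot-c1 GB
2012-04-05T12:00:00Z 192.0.2.6      bot-c1 GB   # bot-c1 after a DHCP lease change
2012-04-05T12:30:00Z 203.0.113.9    bot-b1 CA   # repeat check-in from the same host
2012-04-05T13:00:00Z 198.51.100.77  bot-d1 AU
"""


def parse_log(text: str) -> List[CheckIn]:
    """Parse whitespace-separated check-in lines; '#' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ip, bot_id, country = line.split()
        records.append(CheckIn(ts, ip, bot_id, country))
    return records


def unique_hosts(records: List[CheckIn], key: str = "bot_id") -> Dict[str, str]:
    """Collapse check-ins to distinct hosts keyed by `bot_id` or `ip`.

    Records are assumed to be in time order, so the country of the most
    recent check-in wins for each host.
    """
    hosts: Dict[str, str] = {}
    for rec in records:
        hosts[getattr(rec, key)] = rec.country
    return hosts


def country_distribution(records: List[CheckIn], key: str = "bot_id") -> Dict[str, Tuple[int, float]]:
    """Per-country host count and percentage share, for the chosen counting key."""
    counts = Counter(unique_hosts(records, key).values())
    total = sum(counts.values())
    return {c: (n, round(100.0 * n / total, 1)) for c, n in counts.most_common()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"check-ins: {len(recs)}")
    for key in ("bot_id", "ip"):
        hosts = unique_hosts(recs, key)
        print(f"by {key}: {len(hosts)} hosts -> {country_distribution(recs, key)}")
```

Eight check-ins collapse to five bots by identifier but six by IP: the NAT pair is undercounted and the roaming bots are overcounted, and the per-country shares shift accordingly. That is why two vendors looking at related data can reasonably land on different totals.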
Flashback first appeared in September 2011, but that version relied on social engineering: it posed as an Adobe Flash Player installer and needed the user to run it before it could do anything. The newer variant, by contrast, exploits a Java vulnerability and installs itself silently, with no user interaction, so an unpatched Java plug-in rather than careless clicking is the risk factor this time.
Apple issued a “Java for OS X” update on April 3 (it appears if you run “Software Update” manually), but Dr.Web says attackers began spreading this malware in February 2012 and switched to a different exploit last month. So while the timing may make Apple look on the ball, with reports of the exploit coinciding with the release of a fix, the release itself appears to be what alerted both the security companies and the media, after roughly two months of infections. Bear in mind that installing the update closes the hole but does not clean up a Mac that is already compromised; if you think you have been infected, F-Secure has published removal instructions.