For several days now we have been keeping a close eye on all the news about Flashback, the malware package designed to steal personal information from Mac users.
Early reports have indicated that more than 600,000 machines are infected with the malicious piece of software, which has continually evolved to take advantage of Mac vulnerabilities. Usually it is very hard to estimate the number of infected machines in widespread attacks because of Network Address Translation, DNS servers, proxy servers, and other machines that could have hundreds or thousands of hosts behind them. For Flashback, however, the attackers are using a unique identifier within their user-agent string. This is most likely a way for them to track infections or perform more advanced Command and Control (C&C).
Our large distributed network of DNS servers allows us to immediately stop the C&C by prohibiting the infected host from phoning home. When we detect that someone is looking up one of the domains that are connected to Flashback, we redirect them to our distributed set of servers, giving us direct insight into Flashback’s growth and strategy. Additionally, we can combine information from our geographic distribution and 30+ million users with analysis of the unique identifier in the malware’s request to give us insightful and accurate data on the number of infected hosts.
We are also seeing evidence that the most recent variant of Flashback, which is alleged to have been released only a few weeks ago, may have been in the wild longer than is being reported. We are seeing large numbers of infected hosts connecting to the domains that were generated as early as Feb 2, 2012. In particular, Feb 9, 2012 has a large share of the requests.
Here are some interesting numbers and data on what we have seen to date:
- Number of infected machines last 24 hours: 63,744
- Largest number of infected hosts in one class C Network: 170
- Largest number of infected hosts in one class B Network: 710
- Number of OpenDNS users protected: 30+ Million
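As an added example (not OpenDNS's own tooling), the following Python sketches the counting approach described above: sinkhole request logs are deduplicated on the per-infection identifier carried in the User-Agent rather than on source IP, so hosts sharing one NAT address are counted separately, and the largest concentrations per class C (/24) and class B (/16) network are reported. The log layout and the `id=<hex>` token in the User-Agent are constructed for this example; the post does not describe Flashback's actual identifier format.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sinkhole log lines (not real Flashback traffic):
# <client_ip> <sinkholed_domain> "<User-Agent>"
SINKHOLE_LOG = """\
203.0.113.10 example-c2-a.test "Mozilla/5.0 (Macintosh) id=0a1b2c3d4e5f6071"
203.0.113.10 example-c2-a.test "Mozilla/5.0 (Macintosh) id=7f8e9d0c1b2a3948"
203.0.113.10 example-c2-b.test "Mozilla/5.0 (Macintosh) id=0a1b2c3d4e5f6071"
203.0.113.77 example-c2-b.test "Mozilla/5.0 (Macintosh) id=ffee00112233aabb"
203.0.114.9 example-c2-a.test "Mozilla/5.0 (Macintosh) id=deadbeefcafef00d"
198.51.100.5 example-c2-a.test "Mozilla/5.0 (Macintosh) id=1234567890abcdef"
198.51.100.5 example-c2-a.test "Mozilla/5.0 (Macintosh) id=1234567890abcdef"
192.0.2.200 example-c2-b.test "curl/7.21.4"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
# Constructed identifier token; the real format is not given in the post.
UA_ID_RE = re.compile(r"\bid=([0-9a-f]{16})\b")

def parse_log(text):
    """Yield (client_ip, infection_id) for lines whose UA carries an identifier."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _domain, ua = m.groups()
        uid = UA_ID_RE.search(ua)
        if uid:  # lines without the token (scanners, researchers) are not infections
            yield ip, uid.group(1)

def count_infections(text):
    """Distinct infection ids vs. distinct IPs, plus the busiest /24 and /16."""
    ids, ips = set(), set()
    per_net = {24: defaultdict(set), 16: defaultdict(set)}
    for ip, uid in parse_log(text):
        ids.add(uid)
        ips.add(ip)
        for prefix in (24, 16):
            net = ip_network(f"{ip}/{prefix}", strict=False)
            per_net[prefix][net].add(uid)
    largest = {p: max((len(s) for s in n.values()), default=0) for p, n in per_net.items()}
    return {
        "infected_hosts": len(ids),      # identifier-based count survives NAT
        "source_ips": len(ips),          # IP-based count undercounts NATed hosts
        "largest_class_c": largest[24],
        "largest_class_b": largest[16],
    }

if __name__ == "__main__":
    print(count_infections(SINKHOLE_LOG))
```

In the constructed sample the identifier count (5) exceeds the source-IP count (4) because two infected hosts share 203.0.113.10, which is exactly the undercount that NAT causes when only IPs are tallied.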
[Chart: Infected Hosts, breakdown by domain generation date (or built-in)]
[Chart: Infected Hosts, breakdown by data center location]
What can users do?
- OpenDNS users can rest assured knowing that they’re protected. Earlier this week we announced that protection for Flashback would be immediately and automatically integrated into our service for all users.
- Patch patch patch: Variants of Flashback have been exploiting a Java security hole that has already been fixed. Make sure your machine is updated through Apple’s update process.
- Use caution: Be very careful when connecting to websites that ask you to install software or log on as the administrator.
- Stay alert: Surely there will be another variant of this malware and probably more following. OpenDNS is committed to protecting all customers against these variants moving forward.
If you’d like to learn more about Flashback, read Macworld’s article here.