[Macworld]

Post your comments for Security experts: 600,000-plus estimate of Mac botnet likely on target here

[LelandHendrix]

I agree--I suspect that the 600,00 number may have machines running other OSes counted as well.

It's a JAVA exploit, the same JAVA that runs on every supported platform.

[lkrupp]

Because of the constant drone of these anti-virus companies predicting doom for Mac users unless we buy their product I will NEVER purchase anything from any of them. I will just live with ClamXav for better or worse.

[cashxx]

I still say Dr Web is behind the malware. Usually the malware is from Russia or other places overseas and he is making headlines now and the only one with the data.

[bsmith8900]

No, this can't possibly be true. Macs don't get malware. Apple said so.

[Dotkhan]

The headline should be
Security "expert": 600,000 estimate of Mac botnet disputed
There is not agreement that the 600,000 reported by 1 source are all Macs and not another OS.
In a con game, an expert is a stranger that someone we trust has told us is knowledgeable on a subject.

[doh123]

how do we verify the UUID info? We can't see the code? What if part of the botnet strategy was making random UUID info and not sending the actual one.. then 1 computer could have seemed like thousands.

[RLSp7ed]

lkrupp, on 06 April 2012 - 05:25 PM, said:

Because of the constant drone of these anti-virus companies predicting doom for Mac users unless we buy their product I will NEVER purchase anything from any of them. I will just live with ClamXav for better or worse.

do you think ClamX is up to this particular job?

[klahanas]

LelandHendrix, on 06 April 2012 - 04:33 PM, said:

I agree--I suspect that the 600,00 number may have machines running other OSes counted as well.

It's a JAVA exploit, the same JAVA that runs on every supported platform.

It's a Java exploit that targets folders and files that are only present on a Mac. Thus it's Mac specific.

[k88dad]

Beyond conflict of interest, the reason that I find the number suspicious is because of the large number of things that this trojan checks for before activating. In addition to most well-known antivirus, it checks for both 2008 and 2011 versions of Microsoft Office. It also checks for Xcode and Little Snitch. I suppose that there are a lot of Macs not running one of the last two versions of Office. I wonder of trial versions count?

[k88dad]

klahanas, on 07 April 2012 - 07:09 AM, said:

LelandHendrix, on 06 April 2012 - 04:33 PM, said:

I agree--I suspect that the 600,00 number may have machines running other OSes counted as well.

It's a JAVA exploit, the same JAVA that runs on every supported platform.

It's a Java exploit that targets folders and files that are only present on a Mac. Thus it's Mac specific.

In all fairness, there are multiple versions of Flashback. It is not clear that the 600K number is referring only to the latest Mac flavor.

[klahanas]

k88dad, on 07 April 2012 - 08:42 AM, said:

klahanas, on 07 April 2012 - 07:09 AM, said:

LelandHendrix, on 06 April 2012 - 04:33 PM, said:

I agree--I suspect that the 600,00 number may have machines running other OSes counted as well.

It's a JAVA exploit, the same JAVA that runs on every supported platform.

It's a Java exploit that targets folders and files that are only present on a Mac. Thus it's Mac specific.

In all fairness, there are multiple versions of Flashback. It is not clear that the 600K number is referring only to the latest Mac flavor.

The 600K number is the latest Mac flavor, and was measured as such. Older variants of this malware are obsolete. To your point, which I will take as a "best case" scenario, see the link below.

http://www.securelis...otnet_confirmed


Exerpted from above link:

"We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs."

[k88dad]

klahanas, on 07 April 2012 - 09:06 AM, said:

The 600K number is the latest Mac flavor, and was measured as such. Older variants of this malware are obsolete. To your point, which I will take as a "best case" scenario, see the link below.

http://www.securelis...otnet_confirmed


Exerpted from above link:

"We have used passive OS fingerprinting techniques to get a rough estimation. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs."

Thanks for the research. My main point is that Macworld is not including enough info in these articles. Let me rephrase my previous statement to: It is not clear from this article... Most of my knowledge on this is coming from a large number of websites that are not necessarily Mac-oriented.

[FlopTech]

lkrupp, on 06 April 2012 - 05:25 PM, said:

Because of the constant drone of these anti-virus companies predicting doom for Mac users unless we buy their product I will NEVER purchase anything from any of them. I will just live with ClamXav for better or worse.

Same here. Apparently the Flashback malware doesn't install itself if ClamXav or other anti-virus apps are already installed. To "avoid detection."

We use ClamXav, and we've donated to the developer.