“The Flashback trojan that hijacked well over 500,000 Macs at its peak is still clinging to life, with about 22,000 infected machines in recent days, a security researcher said,” Dan Goodin reports for Ars Technica.
“The compromised Macs were observed connecting to command and control servers that had been ‘sinkholed’ — meaning taken over for research or security purposes — by analysts from security firm Intego,” Goodin reports. “During a five-day period ending January 7, 22,000 Flashback-infected computers reported to server domains recently acquired by Intego, Arnaud Abbati, a researcher with the company, wrote in a blog post. Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into a Flashback algorithm, assuming they know how the internals of the malware work.”
“Abbati went on to say that Apple countered the threat by reverse engineering the domain-generation algorithm and buying all of the names through the end of 2013. That prevented him or anyone else outside of Apple from monitoring the Flashback botnet. Then, at the beginning of the year, Apple briefly failed to purchase some domain names, making it possible once again for Intego to peer into the inner workings of Flashback. Over the past few days, Apple has bought all of the 2014 domains,” Goodin reports. “Abbati said that’s a good thing for the safety of those who remain infected.”
Read more in the full article here.
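As an added illustration of the sinkhole counting and domain pre-registration described above (example code written for this post, not Intego's or Apple's tooling; the log format, bot ids, domains and the pre-registered set are constructed stand-ins, not Flashback's real beacon format or DGA output):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole beacon log (not real Flashback telemetry):
# ISO timestamp, per-machine bot identifier, DGA domain the bot resolved.
SINKHOLE_LOG = """\
2014-01-03T10:02:11 bot-a1 xk3f9q.example.net
2014-01-03T10:05:40 bot-b2 xk3f9q.example.net
2014-01-04T08:11:02 bot-a1 p7zq2w.example.net
2014-01-05T23:59:59 bot-c3 p7zq2w.example.net
2014-01-07T12:00:00 bot-d4 m2rr8k.example.net
2013-12-30T09:00:00 bot-e5 old1ab.example.net
"""

# Domains the defender pre-registered for the period (constructed set).
PREREGISTERED = {"xk3f9q.example.net", "m2rr8k.example.net"}

def parse_log(text):
    """Yield (timestamp, bot_id, domain) per well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def unique_bots_in_window(text, window_end, days=5):
    """Distinct bot ids seen in the `days`-day window ending at window_end.
    Deduplicating on bot id matters: one machine beacons many times a day,
    so raw hit counts overstate the infected population."""
    start = window_end - timedelta(days=days)
    seen = set()
    for ts, bot_id, _ in parse_log(text):
        if start <= ts <= window_end:
            seen.add(bot_id)
    return len(seen)

def coverage_gaps(text, preregistered):
    """Beaconed domains the defender did NOT register -> number of bots hitting
    them. Each is a domain a third party could register to reach those bots."""
    gaps = defaultdict(set)
    for _, bot_id, domain in parse_log(text):
        if domain not in preregistered:
            gaps[domain].add(bot_id)
    return {d: len(b) for d, b in gaps.items()}
```

With the constructed log, the five-day window ending January 7 contains four distinct bots, and two beaconed domains fall outside the pre-registered set, which is the kind of gap the article says briefly reopened at the start of the year.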
Mac Flashback trojan hacker may have been identified, researcher says FBI will likely investigate – April 4, 2013
Apple releases Flashback Removal Security Update for Leopard, Leopard Security Update 2012-003 – May 14, 2012
Symantec: Mac Flashback trojan infections declining rapidly, have dropped six-fold in a week – April 18, 2012
Apple releases Flashback trojan removal tool – April 14, 2012
Apple releases Java Update to remove Flashback trojan – April 12, 2012
600,000 Macs infected with Flashback trojan, 274 in Cupertino; how to check your Mac – April 5, 2012