Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections

Forbes ^ | April 9, 2011 | Andy Greenberg

[dickmc]

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork.

[dickmc]

Boris Sharov, chief executive of the Moscow-based security Dr. Web says he learned Monday from the Russian Web registrar Reggi.ru that Apple had requested the registrar shut down one of its domains, which Apple said was being used as a “command and control” server for the hundreds of thousands of PCs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server–what researchers call a “sinkhole”–to monitor the collection of hijacked machines and try to understand their behavior, the technique which allowed the firm to first report the size of Apple’s botnet last week.

[dickmc]

From the article...."In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.”"

[Mount Athos]

I think paranoia is warranted here.

Russians and Chinese develop all the most sophisticated viruses. Yes, a lot of it is stupidity by pranksters with egos, but at the top end with rootkits and botnets, I’m not so sure...

I think it’s a serious game with national security implications and if you think about it, they might be doing dry runs and live tests for more sophisticated versions they are keeping for a special occasion.

If there are government agencies behind some of the top virus, wouldn’t it make sense they would also want to measure its success and progress? No I wouldn’t trust this agency

[driftdiver]

gotta destroy the evidence

[driftdiver]

They are doing it for many reasons. To steal money and information. The industrial espionage is just as valuable as the national security information. They are able to rapidly increase their own technology by stealing it from others, without any significant investment.

[TheBattman]

more than half a million Macs were infected with Flashback malware

This was never the case. These so-called "experts" took an uninformed guess... and WAY over-stated the case (by upwards of 90%).

[donozark]

I downloaded "Flashback Checker" from Github.com Easy/quick/free download.

Result? "No Infection Found."

I cannot find anyone I know who picked up this nasty on their Mac...

[dangerdoc]

My wife has been complaining that our Mac has been acting flakey for the last few months. I’ll use your link to check it, thanks.

[Bob]

This was never the case. These so-called "experts" took an uninformed guess... and WAY over-stated the case (by upwards of 90%).

Have you got a cite for that information? According to whom? Some friends who use Apple are freaking out over this whole thing.

[Jonty30]

PC’s are very hard to infect with viruses now.

Just so you know.:)

[Jonty30]

It is possible, if Tim Cook asks nicely and buys the dinner, Microsoft might lend its expertise to Apple.

[ace2u_in_MD]

Well, my 5 Macs are fine. Would like to get some authoritative, non biased estimates of the supposed infection. From what I understand, it requires you to enter your Admin password. Since I run “Click-to-Flash”, i very rarely run Flash anymore. And I know my 9 iOS devises are immune...

[dangerdoc]

I just checked our Mac, no virus.

It was suffering from random reboots for a while, seems to be better now.

[Swordmaker]

Apple has taken legal action to take down Doctor Web's sinkhole server... which so far is the only identified FLASHBACK server on the web—PING!

Mac users are notorious for complaining when something goes wrong. If there WERE a 600,000 member Macbot out there, the number of infected users would be all over the forums announcing their machines infected and asking for help in removing it. I have been diligently searching to tech and non-tech forums seeking users who are reporting that THEY have Macs that have been infected by this Flashback Trojan... and I am simply NOT seeing them saying they are using the tools provided and found their computers infected. Even on the Apple help forums, at the peak of the news, there were only 217 comments, most asking how do "I detect this?" and reports back about "My computer is clean!" The few that I have found are obvious non-Mac using trolls...

So, WHERE ARE THE INFECTED MACS? I am simply NOT FINDING THEM!

Do any of you Freeper Mac user's have it?

Apple Security Ping!

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

[PA Engineer]

Do any of you Freeper Mac user's have it?

Nope. Clean. Some could argue that Flash itself is a destructive virus because of the resource hogging. The only place I have heard of the "virus" is here of FR by non-mac users. SSDD.

[Sir_Ed]

None of my Macs have it.

Ed, hoping for a Mac Pro refresh!!!

[dayglored]

So far out of about 20 Macs owned by friends and family, ZERO infections. And not one of those people knows anyone who has found it. No one has even heard about anybody who has it who is identifiable.

NOT EVEN ONE CONFIRMED INFECTION YET OUT HERE. Still looking around, of course...

[Swordmaker]

NOT EVEN ONE CONFIRMED INFECTION YET OUT HERE. Still looking around, of course...

Frankly, I think it really doesn't exist in the wild. I think we are seeing a concentrated spoof attack on these servers... perhaps orchestrated FUD??? I have yet to find ANYONE with a confirmed infection! I have over 200 clients with Macs... all running bare... and not one has had an infection. There should be at least two.

I have not seen one on the major news media comment sections, except the obvious trolls who don't even know how to spell Mac. . . claiming their MACs were infected, or others feigning bitterness that their $3000 and $4000 iMacs they bought to avoid virus infections were a waste of money because they are now infected and how they were going to buy a much more economical and powerful Windows 8 computer for their next computer for under $500!

What I have seen are numerous people using the Terminal commands or the now ubiquitous downloadable Flashback check programs, reporting their machines are "CLEAN!" Not even once have I seen someone post, "I ran the check and found my computer was infected!"

[dayglored]

I gotta admit, Swordmaker, this is looking more and more like a fraud, for the purpose of... what? Hoping to drive Apple's stock price down? Preparation for Windows 8 launch? or just some stupid A/V researcher getting bored and deciding to kick up some dust?

Here's my current take on it:

1. The Java vulnerability is very REAL.

2. The vulnerability is exploitable and malware exists that uses it.

3. Apple took an inordinately long time to produce an appropriate security update.

4. Somebody decided it was an opportunity to attack Apple and announced a huge botnet.

I actually hope that it's either REAL (i.e. that there are real infected Macs out there), or that it's an HONEST mistake.

Because the only other possibility -- that the A/V community has stooped to fabricating huge, worldwide lies -- is extremely troubling. These are the people we trust our computers to, to keep them safe. WTF???!?!!!!

[Swordmaker]

NEWS FLASH!

"Symantec said today the number of bots had been cut to 270,000 as of 11 April, whilst yesterday Kaspersky said the number had been reduced to 237,103 as of 8 April. Almost all infected machines are Apple Macs."

WOW! Kaspersky was widely quoted on the 10th as confirming the 600,000 number... but they KNEW on the 8th that it was only 237,103??? I smell FISH! Rotten fish!

I am still not finding ANY infected Macs... not one. If true, the infection rate is less than 0.4%...