We are STILL not seeing large numbers of people reporting finding the malware existing on their computers. This simply does not compute with the reports of what Kaspersky and Dr. Web are reporting... I would be more suspicious of a false bombing attack with a few computers forging signatures than that many Macs being infected from the few non-popular website so far identified carrying the Trojan such as:
godofwar3.rr.nu
ironmanvideo.rr.nu
killaoftime.rr.nu
gangstasparadise.rr.nu
mystreamvideo.rr.nu
bestustreamtv.rr.nu
ustreambesttv.rr.nu
ustreamtvonline.rr.nu
ustream-tv.rr.nu
ustream.rr.nu
Can you conceive of hundreds of thousands of Mac users—no make that millions of Mac users (counting the immune ones without JAVA installed), visiting THOSE websites—in just a couple of months, and either being tricked into, or drive by installing, the Trojan? Frankly. I can't.
And what's with 98% of the signatures being OSX???? This is a JAVA script vulnerability! When have you known Windows users to have such a complete install of a patch to any vulnerability that almost ALL hits from a cross platform bot are from a non-Windows source??? Doctor Web on first report said 56% were Macs... now, suddenly Kaspersky says 98% are Macs? What gives? I simply don't believe it.
I think the OS signatures are being spoofed by the Trojan, an easy thing to do—since Mac users are NOT reporting finding the Trojan in large numbers on the forums! Mac users are notorious for reporting problems when they find them—and they simply are not reporting this.
But their (ahem) enthusiasm doesn't invalidate the actual facts (whatever they are) behind the stories.
For example, I don't think that list of infected websites is complete, or that that is the only mechanism for infection. We still have more to learn about this malware. And it's POSSIBLE that the low number of user reports of infections could just be that (like myself) most Mac users tend to not bother much with anti-virus software and testing.
Now, as you know, I'm skeptical by nature, suspicious of marketers' motives, and cynical as hell about virus writers and the companies that make money "fighting" them.
We'll all know in a few months whether this was real or not. In the meantime, it appears to me that it COULD be real. We won't know for a while how it progresses. Perhaps like the Y2K event, if it is handled sufficiently well, the aftermath will be minimal and most people will say, "What was that all about? Nothing went wrong!". That would be a nice outcome for this malware.
But that requires action. I'm of the opinion that this COULD be the first successful widespread attack, and that it's worth a reasonable effort to pound it back down into oblivion, on the off chance that if we don't take it seriously enough, we'll learn in a few months that it was worse than we thought.
I'd rather be wrong in the safe direction. :)