600,000 Infected Macs Found In Botnet

A Mac trojan horse spotted by security analysts since last year has infected more than 600,000 Apple computers, says Dr. Web, a Russian antivirus vendor. Apple only patched the vulnerability this week, around a month after hackers began spreading the BackDoor.Flashback.39 trojan, with most infected Macs located in the United States and Canada.

More than 56 percent of the infected computers are in the U.S., almost 20 percent in Canada, and almost 13 percent in the U.K. Other European countries, as well as Japan and Australia, reportedly have infection rates of below 1 percent.

“Systems get infected after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system,” the Russian antivirus vendor said. “JavaScript code is used to load a Java-applet containing an exploit. Dr. Web’s virus analysts discovered a large number of websites containing the code.”

The infected websites listed by the company are mainly in the .nu domain (assigned to the island state of Niue), ranging from URLs related to movies and TV streaming services to a domain called Gangstasparadise.

How the Vulnerability Works

It appears the attackers began to exploit vulnerabilities to spread malware in February, and after March 16 they switched to another exploit. Apple closed the vulnerability April 3, and users are advised to update their OS in case they haven’t already (get the update here).

Dr. Web says the exploit saves an executable file onto the hard drive of the infected Mac, which is used to download malicious payload from a remote server and to launch it. The firm used sinkhole technology to redirect the botnet traffic to their own servers to count infected hosts, and more than 300,000 appear to be from the U.S. – 274 of which are in Cupertino, Calif., Ivan Sorokin, a malware analyst at Dr. Web, said on Twitter.

How to Find Out if You’re Infected

If you suspect your Mac could be infected, F-Secure has a set of instructions to find out via the Terminal. The firm also explained how the trojan works, so keep an eye out for when you are asked for the admin password: “On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.”

Mac Infection Rate Debated

Information security consultant Adrian Sanabria wrote on his blog that he is unconvinced about Dr. Web’s findings: “So far, I haven’t seen any other reports numbering the victims of Flashback, but if accurate, such a large infection rate on Macs may change common perception of OS X as ‘virus-proof’ and could result in a spike in Mac antivirus software sales.

“However, given that the company reporting these numbers is in the business of selling antivirus software, I think we need to see their claims corroborated before we get too excited,” he added. Mikko Hypponen from F-Secure commented on Twitter on Dr. Web’s findings, saying: “We can’t confirm or deny the figure.”

Follow Daniel Ionescu and Today @ PCWorld on Twitter