More than 30,000 Australian Macs and over 600,000 Macs worldwide are believed to be infected with Trojan horse.
The infected websites listed by the company are mainly in the .nu domain (assigned to the island state of Niue), ranging from URLs related to movies and TV streaming services to a domain called Gangstasparadise.
How the vulnerability works
It appears the attackers began to exploit vulnerabilities to spread malware in February, and after 16 March they switched to another exploit. Apple closed the vulnerability 3 April, and users are advised to update their OS in case they haven’t already (get the update here).
Dr. Web says the exploit saves an executable file onto the hard drive of the infected Mac, which is used to download malicious payload from a remote server and to launch it. The firm used sinkhole technology to redirect the botnet traffic to their own servers to count infected hosts, and more than 300,000 appear to be from the U.S. – 274 of which are in Cupertino, Calif., Ivan Sorokin, a malware analyst at Dr. Web, said on Twitter.
How to find out if you’re infected
If you suspect your Mac could be infected, F-Secure has a set of instructions to find out via the Terminal. The firm also explained how the Trojan horse works, so keep an eye out for when you are asked for the admin password: “On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.”
Mac infection rate debated
Information security consultant Adrian Sanabria wrote on his blog that he is unconvinced about Dr. Web’s findings: “So far, I haven’t seen any other reports numbering the victims of Flashback, but if accurate, such a large infection rate on Macs may change common perception of OS X as ‘virus-proof’ and could result in a spike in Mac antivirus software sales.
“However, given that the company reporting these numbers is in the business of selling antivirus software, I think we need to see their claims corroborated before we get too excited,” he added. Mikko Hypponen from F-Secure commented on Twitter on Dr. Web’s findings, saying: “We can’t confirm or deny the figure.”
Read everything you need to know about the Flashback trojan here.