Technology Stocks : Apple Tankwatch


To: iggyl who wrote (18376) 4/6/2012 6:11:09 PM
From: zax
 
zax, before you do too much gloating, you might wait for a little more confirmation than one Russian researcher.

Kaspersky Confirms Widespread Mac Infections Via Flashback Trojan
Chloe Albanesius
April 6, 2012 04:53 pm EST

pcmag.com


Security firm Kaspersky Lab today weighed in on the Flashback Trojan controversy, confirming that the flaw likely infected more than half a million Macs.

In a blog post, Kaspersky Lab expert Igor Soumenkov said the firm analyzed the latest variant of the botnet - dubbed Flashfake - to try and nail down where the infected computers resided and how many were affected.

"We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, 'krymbrjasnof.com,'" Soumenkov wrote. "After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots."

Kaspersky's analysis saw more than 600,000 unique bots connect to its servers in less than 24 hours, using a total of 620,000 external IP addresses. More than 50 percent came from the United States.

That's in line with Wednesday data from anti-virus firm Doctor Web, which said that about 550,000 Macs were likely infected by the Java flaw, known as the Flashback Trojan.

Approximately 300,917 of the active bots were located in the U.S., followed by 94,625 in Canada, 47,109 in the U.K., and 41,600 in Australia, Kaspersky said. A smaller number of devices in France, Italy, Mexico, Spain, Germany, and Japan were also affected.

Soumenkov said Kaspersky could not confirm or deny that all the bots were running Mac OS X, but the firm was able to get a "rough estimation" using passive OS fingerprinting techniques.

"More than 98 percent of incoming network packets were most likely sent from Mac OS X hosts," he wrote. "Although this technique is based on heuristics and can't be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs."

Yesterday, Apple issued a second update to address this issue, though it did not appear to be too in depth.

Security experts are suggesting that Mac users, particularly those on older versions of OS X, update their software as soon as possible. For the technically inclined, F-Secure also has instructions on how to locate a Flashback infection.




To: iggyl who wrote (18376) 4/6/2012 6:27:23 PM
From: zax
 
Are you a believer yet? X-D

Wednesday, Doctor Web estimated that more than half a million Macs had been infected with Flashback, a Trojan horse installed through drive-by attacks when users surf to compromised websites, making the ensuing collection of computers -- a "botnet" in security vernacular -- the largest ever for Apple's machine.

Doctor Web's researchers were able to "sinkhole" part of the Flashback botnet -- hijack some of the domains used to issue commands to infected computers -- and calculated the size of the botnet by counting the UUIDs (universally unique identifiers) presented by OS X to the controlling servers.

Thursday, Doctor Web upped its estimate to just over 613,000.

Skepticism about the number of infected Macs is probably unwarranted, said several security professionals interviewed today by Computerworld, citing circumstantial evidence that Flashback could have been this successful.

Among the clues, they said, were the Flashback gang's use of a zero-day Java vulnerability that Apple patched only this week, the tactic the cybercriminals used to infect unwary Mac owners and the availability of operating-system-independent, Web-based exploit kits.

"A lot of things happened at the same time," said Mike Geide, senior security researcher at Zscaler ThreatLabZ. "There have been mass compromises of WordPress sites, and the controllers [for those hijacked websites] match the domain structure Doctor Web described. That's been ongoing since at least early March."

WordPress is a popular open-source blogging and content management platform used by about one in seven websites.

Those usurped WordPress sites have been redirecting users to malicious URLs, where hackers have hosted the Blackhole exploit kit. Blackhole tries multiple exploits, including several aimed at Java bugs on Macs, to compromise machines.

The sheer size of the WordPress installed base and the scope of the WordPress injection campaign means that it would not have been impossible for hackers to poison more than 600,000 Macs.

"The number is entirely feasible," said Brett Stone-Gross, a security researcher with the Counter Threat Unit of Dell SecureWorks. Atlanta-based SecureWorks is well-known for its botnet research.

"In fact, I'm actually kind of surprised that Macs aren't targeted more frequently," added Stone-Gross. "[Exploit] toolkits include exploits that could be easily modified to run on any OS, especially those for vulnerabilities in Java, Flash Player and other software that runs on any operating system. They're all vulnerable to the same exploits."

None of the researchers or companies contacted by Computerworld were able to definitively confirm Doctor Web's numbers, however. That would require the same kind of access to the Flashback command-and-control infrastructure that the Russian firm claimed to have obtained.

But several companies said they were working on the problem, including Kaspersky, SecureWorks and Symantec.
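A worked example of the counting both quoted articles describe (Kaspersky registering a DGA-predicted domain and logging bot requests; Doctor Web sinkholing C2 domains and counting UUIDs). This is added here and is not code from either article, from Kaspersky or from Doctor Web: given request logs from a sinkholed C2 domain, it deduplicates on the per-host UUID carried in each request rather than on source IP, attributes each bot to a country, and applies the kind of rough TTL/window passive-OS heuristic Soumenkov mentions. The log line format, the `uuid=` query parameter, the sample lines and the TTL/window defaults are assumptions for illustration; the Flashback DGA itself is not given on the page and is not reproduced.

```python
import re
from collections import Counter

# Constructed sample, not real sinkhole data. Format is an assumption:
# "<src_ip> <country> <ttl> <tcp_window> <method> <path>", where <country> was
# filled in by an upstream GeoIP lookup and the bot carries its UUID in the query.
# Two bots share 203.0.113.10 (NAT); bots ...01 and ...03 each appear from two IPs.
SAMPLE_LOG = """\
203.0.113.10 US 62 65535 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000001
203.0.113.10 US 61 65535 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000002
203.0.113.11 US 62 65535 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000001
198.51.100.7 CA 63 65535 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000003
198.51.100.9 CA 60 65535 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000003
192.0.2.44 GB 126 8192 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000004
192.0.2.45 AU 57 29200 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000005
192.0.2.46 AU 59 65535 GET /search?uuid=A1B2C3D4-0000-4000-8000-000000000006
203.0.113.77 US 64 65535 GET /robots.txt
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<ttl>\d+) (?P<win>\d+) (?P<method>\S+) (?P<path>\S+)$"
)
UUID_RE = re.compile(r"uuid=([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")


def parse_line(line):
    """Parse one assumed-format log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = UUID_RE.search(m["path"])
    return {
        "ip": m["ip"],
        "cc": m["cc"],
        "ttl": int(m["ttl"]),
        "win": int(m["win"]),
        "uuid": u.group(1).upper() if u else None,  # None: crawler, scanner, curious visitor
    }


def guess_initial_ttl(observed):
    """TTL drops by one per hop, so round up to the nearest common initial value."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    return None


def guess_os(ttl, win):
    """Crude passive fingerprint. The defaults are an assumption for this example
    (Mac OS X of the period: initial TTL 64, window 65535; Linux: TTL 64 with a
    smaller window; Windows: TTL 128). Heuristic only, as the article itself warns."""
    initial = guess_initial_ttl(ttl)
    if initial == 128:
        return "windows"
    if initial == 64:
        return "macosx" if win == 65535 else "linux"
    return "unknown"


def count_bots(log_text):
    """Count infected hosts by UUID, not by IP, and tally country and OS per bot."""
    uuids, ips = set(), set()
    country_by_uuid = {}  # first country a given UUID was seen from
    os_by_uuid = {}       # fingerprint from the first request of that UUID
    non_bot_requests = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["uuid"] is None:
            non_bot_requests += 1
            continue
        uuids.add(rec["uuid"])
        ips.add(rec["ip"])
        country_by_uuid.setdefault(rec["uuid"], rec["cc"])
        os_by_uuid.setdefault(rec["uuid"], guess_os(rec["ttl"], rec["win"]))
    return {
        "unique_bots": len(uuids),
        "unique_ips": len(ips),
        "by_country": dict(Counter(country_by_uuid.values())),
        "by_os": dict(Counter(os_by_uuid.values())),
        "non_bot_requests": non_bot_requests,
    }


if __name__ == "__main__":
    print(count_bots(SAMPLE_LOG))
```

On the sample this gives 6 bots seen from 7 addresses, the same shape as Kaspersky's 600,000 bots on 620,000 IPs: a host whose address changes during the observation window inflates the IP count, while several hosts behind one NAT deflate it, which is why the UUID and not the source address is the unit of counting. The OS guess is taken once per UUID from its first request and, like the article's estimate, is only good for order-of-magnitude statements.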