Apple Flashback Trojan infection shows weekend decline

The Flashback Trojan could be on the wane despite infecting as many as 50,000 Apple computers in the UK at its peak, an analysis of the malware’s bot traffic by Kaspersky Lab has concluded.

Kaspersky’s peak infection numbers were 670,000, it said, a verification of the roughly 600,000 figure put out by security company Dr. Web last week. This still makes the incident the largest confirmed Mac malware outbreak yet recorded.

Using traffic ‘captured’ from the botnet by reverse engineering its Command and Control infrastructure, Kaspersky now estimates that roughly 300,000 of the infections were in the US, 94,000 in Canada, 47,000 in the UK, and almost 42,000 in Australia.

A clutch of countries in the EU, plus Mexico and Japan showed levels under 10,000 that probably reflect the website hosts used to spread it.

Exactly what is happening to the botnet now that it is famous is not clear. Kaspersky said it had seen an encouraging decline in the number of active bots to 237,000 over the Easter weekend, but this could reflect only those machines that were trying to connect to the C&C servers during the measured time period.

Falling or not, the outbreak has alarmed Apple sufficiently for a company infamous for its tardy security response to issue a Java update for OS X v10.7 and Mac OS X v10.6, recommending that those running earlier versions simply disable the software altogether through the browser.

The company has also said it is planning to issue a tool to detect and remove Flashback (or ‘Flashfake’ as Kaspersky calls it).

Not everyone is impressed with Apple’s response and that criticism is likely to grow if Flashback turns out to be merely chapter one of a new age of (relative) Mac insecurity.

“Apple knew about this Java vulnerability for three months, and yet neglected to push through an update in all that time. The problem is exacerbated because up to now Apple has enjoyed a mythical reputation for being ‘malware free’,” said Kaspersky Lab’s chief security expert, Alexander Gostev.

“Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security.”

Worried Apple users should by updating their Java software, after which they can check for infection at Kaspersky’s site. The company has offered its own Flashback removal tool.

As long predicted by experts working at security companies sometimes criticised for spreading FUD, Apple’s first major malware problem has come through a weakness routinely used to target Windows users, namely Java. Patching the vulnerability won’t make future attack less likely – as in the PC world new Java flaws keep appearing, demanding continuous vigilance.

Flashback, which can appear as the offer of a fake Flash update, has been around for more than six months although recent versions work using drive-by downloads requiring no user interaction.