The Flashback Mac botnet still has around 650,000 endpoints under its control, despite reports claiming it had shrunk.
A blog post by Russian anti-virus firm Dr Web said there had been no "significant decrease" in the number of machines under Flashback's control: 817,879 bots had connected to Flashback at one time or another, and an average of 550,000 infected machines contact a control server in any 24-hour period.
A report by SC Magazine from last week said that around 140,000 Macs remain infected with the Flashback Trojan, but Dr Web said its research was consistent with analysis of statistics obtained from hijacked botnet control servers.
Doctor Web's analysts investigated the reasons for this discrepancy and found that Flashback uses a sophisticated routine to generate control server names: a large share of the domains are generated from parameters embedded in the malware's resources, while the others are derived from the current date. The Trojan then queries these servers one after another according to its pre-defined priorities.
It added that, while communicating with servers controlled by Doctor Web, the Trojans also send requests to the server at 74.207.249.7, which is controlled by an unidentified third party. This server communicates with the bots but never closes the TCP connection, so the bots go into standby mode waiting for the server's reply and do not respond to further commands.
Because those bots no longer contact the other command centres, many of which have been registered by information security specialists, some statistics show the botnet as shrinking.
Kaspersky Lab told computerworld.com that it was looking into its statistics, while Symantec said that the numbers from its sinkhole had been declining every day; it had originally taken this to mean a genuine decline in infections, but admitted that "this has proven to not be the case".
A Symantec blog post said: "A recent Dr Web blog post reveals our sinkholes are receiving limited infection counts for OSX.Flashback.K. Our current statistics for the last 24 hours indicate 185,000 universally unique identifiers were logged by our sinkhole.
"A sinkhole registered at IP address 74.207.249.7 is causing Flashback connections to hold because it never closes the TCP handshake, in effect preventing Flashback from hitting subsequent domains."
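To make the measurement artefact concrete, here is a small added simulation (not code from Dr Web, Symantec or this article): two local listeners stand in for a well-behaved sinkhole and for the holding server at 74.207.249.7, and a client walks a prioritised server list the way the Trojan is described to. The localhost ports and the HTTP request line are constructed for the example; the real bot waits indefinitely on the silent server, which the client models by stopping its walk when a bounded wait times out.

```python
import socket
import threading

_held = []  # connections the holding server deliberately never closes

def start_sinkhole(hold):
    """Local TCP listener on an ephemeral port; returns (port, hits). hold=True
    mimics the holding server at 74.207.249.7 as described above: complete the
    handshake, read the request, never reply, never close. hold=False answers."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    hits = []

    def serve():
        while True:
            conn, _ = srv.accept()
            hits.append(conn.recv(256))  # every sinkhole logs the check-in it sees
            if hold:
                _held.append(conn)  # keep the socket open and silent
            else:
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], hits

def bot_checkin(ports, wait=1.0):
    """Walk the prioritised list as the article describes the Trojan doing: a
    refused connection means try the next domain, the first reply ends the walk.
    The real bot waits forever on a silent server; a timed-out recv stops here."""
    result = {"contacted": [], "answered_by": None, "stalled_at": None}
    for port in ports:
        try:
            s = socket.create_connection(("127.0.0.1", port), timeout=wait)
        except OSError:
            continue  # dead or unregistered domain: move on to the next one
        result["contacted"].append(port)
        with s:
            s.sendall(b"GET /check HTTP/1.0\r\n\r\n")  # constructed request line
            try:
                reply = s.recv(64)
            except socket.timeout:
                result["stalled_at"] = port  # bot is now parked here for good
                return result
        if reply:
            result["answered_by"] = port
            return result
    return result
```

Run with the holding server ahead of the measuring sinkhole and the sinkhole never logs the bot; reverse the order and it does, which is exactly the undercount the two vendors describe.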