The number of Macs infected with the Flashback Trojan has already halved this week. According to Symantec, there are ‘only’ 270,000 infected Macs connected to the Internet, compared with 600,000 last week. This is likely the result of the release of a number of removal tools and updates.
Symantec researchers calculated that the number of infected Macs dropped from 380,000 on 11 April to 270,000 the day after. Symantec expects the decline to continue. Last week DrWeb reported that 600,000 Macs were infected with the Flashback malware. The malware makes use of a Java exploit that was already discovered in September last year, and it is capable of intercepting passwords and other private data.
Many security companies have released removal tools in the past week, and this is likely the cause of the sudden drop in infected systems. The decline is likely to continue because Apple released its own removal tool yesterday, which removes most variants of the Flashback Trojan and reconfigures Java to stop these problems from happening again in the near future. One of the main changes is that Java applets will no longer be executed automatically.
Symantec can calculate the number of infected Macs by analyzing the botnet traffic via a so-called sinkhole domain. Infected systems try to contact the management servers that give out commands. The domain that the researchers are using is a spoofed management service, which is capable of intercepting traffic between the bots. One of the things the researchers found out is that the malware uses a domain name generator to contact the management server through a different domain every day.
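The counting approach described above, as an added example that is not from Symantec or the original article: it tallies infected machines per day from a sinkhole log by a per-bot identifier rather than by source IP, since NAT and changing addresses skew IP counts. The log format, the `id=` field, the host names and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole log (not real data). Assumed format:
# timestamp, source IP, requested sinkhole host, per-bot identifier.
SAMPLE_LOG = """\
2012-04-11T08:01:12Z 198.51.100.7 host=day1.sinkhole.example id=AAAA-0001
2012-04-11T08:05:40Z 198.51.100.7 host=day1.sinkhole.example id=AAAA-0002
2012-04-11T08:09:03Z 198.51.100.7 host=day1.sinkhole.example id=AAAA-0004
2012-04-11T09:13:02Z 203.0.113.20 host=day1.sinkhole.example id=AAAA-0003
2012-04-11T17:44:51Z 203.0.113.99 host=day1.sinkhole.example id=AAAA-0003
2012-04-11T18:00:00Z 192.0.2.55 host=day1.sinkhole.example id=-
2012-04-12T08:02:30Z 198.51.100.7 host=day2.sinkhole.example id=AAAA-0001
2012-04-12T10:20:10Z 203.0.113.41 host=day2.sinkhole.example id=AAAA-0003
2012-04-12T10:21:10Z 203.0.113.41 host=day2.sinkhole.example id=AAAA-0003
"""

# Hypothetical identifier shape: two groups of four hex digits.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<ip>\S+)\s+"
    r"host=(?P<host>\S+)\s+id=(?P<bot>[0-9A-F]{4}-[0-9A-F]{4})$"
)

def count_infections(log_text):
    """Return ({day: {"bots": n, "ips": n}}, rejected_line_count)."""
    bots, ips = defaultdict(set), defaultdict(set)
    rejected = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Scanners and crawlers also hit sinkholes; a request without
            # a well-formed bot identifier is not counted as an infection.
            rejected += 1
            continue
        bots[m["day"]].add(m["bot"])   # repeat check-ins collapse in the set
        ips[m["day"]].add(m["ip"])
    per_day = {d: {"bots": len(bots[d]), "ips": len(ips[d])}
               for d in sorted(bots)}
    return per_day, rejected

if __name__ == "__main__":
    per_day, rejected = count_infections(SAMPLE_LOG)
    for day, c in per_day.items():
        print(f"{day}: {c['bots']} unique bots seen from {c['ips']} IPs")
    print(f"rejected lines: {rejected}")
```

On the sample, 11 April shows four bots behind three IP addresses, which is the gap an IP-only count would miss.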