Following the Flashback malware and the estimates of 600,000 Mac systems being infected, security companies have been steadily tracking the communications done by the malware on infected systems. In recent weeks, the data from these monitoring efforts have suggested that despite early reports of the malware levels sinking rapidly from efforts by Apple, news organizations, and anti-malware companies, the levels of infections appears to be remaining constant.
The spread Flashback malware was facilitated by a neglected security hole in Apple's Java runtime for OS X, and at its peak had infected around one percent of Mac systems. To tackle the spread of the malware, initially news organizations covered, followed by security companies issuing to facilitate this process. Apple then released a series of Java updates to close the vulnerability and also scan for and remove known instances of the malware.
During the time of these infections, security companies set up sinkhole servers and other techniques to monitor the network traffic from the Flashback infections, and determine how many unique computers had been infected with the malware. Following the peak of the malware infection on August 6, initial reports from the anti-malware efforts suggested the infection rates had dropped significantly, with the number of infected Macs decreasing to a reported low of 30,000 in 10 days. However, despite these claims the malware has remained active, and adjustments have had to be made to these numbers.
Following the reports of success at tackling the malware, security company Dr. Web revealed errors in the malware estimation calculations and suggested that the estimated 140,000 systems in late April.. Security companies followed this news with more conservative estimates that suggested a more shallow fall in the malware, to an
Despite the higher numbers, the number of malware infections did fall from its peak, though while some have hoped the number to fall far lower, the malware appears to have fallen to a revolving infection rate of just over 100,000 Mac systems. In a new report by Intego, the company claims that in the past week it has observed the following numbers from its sinkhole operation:
- 04/30/2012 - 102,769 infected Macs
- 05/01/2012 - 96,948 infected Macs
- 05/02/2012 - 103,779 infected Macs
- 05/03/2012 - 121,826 infected Macs
- 05/04/2012 - 102,375 infected Macs
- 05/05/2012 - 118,593 infected Macs
- 05/06/2012 - 113,909 infected Macs
Intego notes that these numbers are only the active infections it monitors on a day-to-day basis, and is not the total number of Macs infected. The malware is only active when a user logs in and thereby suggests that this activity difference reflects a steady state variance in when people are using their Macs, which will revolve as Macs are used more in some parts of the world than at others. Therefore the total number of infected systems will likely be much higher at around the 140,000 of previous recent estimates.
Intego further notes that despite the initial impact in the malware's activity by community efforts, the numbers appear to no longer be declining and show indications that they may even be increasing. Intego speculates the reason for this is that a small percentage of users have not taken any effort to either update their systems, but it may be more than just updating. Apple has only offered updates and malware removal options for OS X 10.6 and above (its supported versions). However, this malware will infect systems with older versions of OS X, so even if the older versions have been kept up to date, they will be left vulnerable without Apple issuing a proper Java fix. Not only can they still contain the malware, but they also will be subject to new infections by any of its variants.
Overall, the trend from the malware since it was found is that its infection rates have dropped, but that the decline has leveled off. Since many people will not update, upgrade, or otherwise address the problem, is unlikely that we will see this number decrease rapidly in the near future. For this steady state of infected users, it is far more likely that the infections will decline as they replace their Macs for newer models over the next few years. Even then, if these users upgrade their systems and migrate their data to new Macs, the malware installations will migrate with them and potentially continue to function.