Symantec Reports Mac Flashback Infections Falls to 270,000

| News

The number of Macs infected with the Flashback malware has fallen rapidly in the last few days. Antivirus firm Symantec reported on Wednesday that its data shows that the number of infected Macs has declined from some 600,000 on April 5th to 270,000 on April 11th.

Symantec Infographic

“From our sinkhole data, we have estimated that the number of computers infected with this threat in the last 24 hours is in the region of 270,000, down from 380,000,” Symantec said in its report.

Flashback is the biggest malware epidemic to hit the Mac platform, ever. It relies on a vulnerability in Java, a vulnerability that Apple has been criticized for moving to slowly to patch.

The problem is related to a trojan that was first discovered in September of 2011. As noted in the comments below, earlier in 2012, the bad guys found a way to exploit a Java vulnerability that allowed them to remotely install the same malware without user intervention.

It was that vulnerability for which Apple released a patch for Snow Leopard and Lion on April 4th. The company said on Tuesday that it was also developing an app to remove the infection on Macs already infested.

In the meanwhile, The Mac Observer published instructions for detecting and removing the malware manually.

The decrease in the number of infected Macs tracks with the release of Apple’s patches last week and increased awareness of the problem brought by Dr. Web’s initial report of 600,000 Macs.

Popular TMO Stories



The numbers were probably exaggerated a lot. I’ve checked my system and I didn’t get it. Good way for Symantec and other anti-virus companies to get business. Doesn’t help when Dr. Bott’s site promotes the malware either. If he knows about it why does he keep letting it through.

The Skeptic


The Flashback outbreak of September 2011 fit not exploit any vulnerability of the OS - it was pure User Engineering via a dodgy Flash Installer.

The Flashback epidemic for this year is from a Java vulnerability that was fixed by Oracle on Feb 17, but which was left open by Apple until April 4. 

It is that six week delay by Apple which has caused the epidemic.  Your article inaccurately suggests that Apple delayed by 7 months.

The short time frame for exploitation is actually quite scary, and is a tremendous wake up call for Apple.  Anything more than a 1 week delay in patching an open source component for a published security vulnerability is going to lead to unacceptable security risks for Mac users..

Bryan Chaffin

Thanks for the note, Skeptic, and you are entirely right. I corrected the text to read more accurately.



“The number of Macs infected with the Flashback malware has fallen rapidly in the last few days. Antivirus firm Symantec reported on Wednesday that its data shows that the number of infected Macs has declined from some 600,000 on April 5th to 270,000 on April 11th.”

Well, maybe not, according to today’s AppleInsider article: “Flashback discoverer bucks claims of malware’s decline”:

  “In a status report released on Friday, the Russian security firm that first discovered the Flashback trojan disagrees with recent findings from Symantec and Kaspersky Labs, warning that the number of machines affected by the malware is not declining.
  Citing data from its own analysis of the largest Mac botnet to date, Dr. Web notes that around 650,000 computers are still affected, which is stark contradiction to the 30,000 number provided by well-known security companies Symantec and Kaspersky.
  Analysts from the Russian firm researched the discrepancy and found that the raw data coming in from the larger companies’ servers were likely inaccurate due to Flashback’s use of complex domain name creation techniques and a unique TCP connection operation that effectively masks bots from command and control servers.
  “BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: a larger part of the domain names is generated using parameters embedded in the malware resources, others are created using the current date. The Trojan sends consecutive queries to servers according to its pre-defined priorities.”
  When the malware was first discovered in early April, Dr. Web registered for the main domains used as Flashback command servers while other security firms most likely use “hijacked servers” that are in this case less reliable. The report explains that Flashback’s mode of operation allows its network of bots to go largely unnoticed by the hijacked servers which could be the reason for the precipitous drop reported this week that saw the number of affected machines fall from 140,000 to 30,000.
  ‘On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network, which is indicated on the graph.’
  Dr. Web notes that the trojan send requests to a server run by an unidentified third party, which in turn communicates with the bots but fails to close the TCP connection. This action is critical to researchers as it puts the bots in standby mode which means they do not communicate with other command servers monitored by information security specialists.”

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account