While it tries to deal with a growing Mac botnet, Apple has tried to shut down one of the domains of Dr. Web, the security firm that first revealed that the Flashback Trojan had taken control of 600,000 Macs last week.
According to Dr. Web CEO Boris Sharov, the domain was being used as a spoofed command and control server, also known as a “sinkhole”, designed to monitor the hijacked machines in order to understand their behaviour. It was through this research that the security firm was able to report the size of Apple’s botnet last week.
Sharov told Forbes that Apple had reported the domain to Russian Web registrar Reggi.ru, claiming it was being used as a “command and control” server for the infected computers.
Sharov suggested: “This seems to mean that Apple is not considering our work as a help. It’s just annoying them,” although he went on to suggest that Apple made an honest mistake.
Sharov noted that this was the first “contact” that Dr. Web had had with Apple, despite the fact that his company had shared its findings with Apple. “We’ve given them all the data we have,” he said. “We’ve heard nothing from them until this.”
600,000 Macs are said to be infected with Flashback. The botnet is said to be used for click fraud.
Apple has issued a second security update aimed at Flashback. Intego notes that the Java for OS X 2012-002 update appears to be the same as the one Apple issued earlier this week, but the latest update is aimed only at Mac OS X Lion users. It's possible, Intego says, that Apple found a glitch in the first update that would make a new release necessary.
You can check for free whether your Mac is infected. A Mac developer has posted a tool that detects a Flashback malware infection by automating a tedious process first described by security firm F-Secure.