Apple Shuts Down Dr.Web's Flashback Botnet Monitoring Tool in Unfortunate Cover-Up Attempt

“This seems to mean that Apple is not considering our work as a help,” says CEO

  Infected Mac
Apple has requested Russian Web registrar Reggi.ru to shut down one of three domains that security firm Dr. Web had been using as a spoofed command and control server to monitor the collection of hijacked Macintosh computers.

The move was, to put it mildly, very uninspired, according to Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, which originally reported the infection of 600,000 Macs with the Flashback trojan, a result of Apple failing to patch a Java vulnerability on time.

By monitoring the collection of infected machines, Dr. Web was able to assess the size of the botnet of hijacked Macs last week. Apple, however, acted a bit too promptly and shut down one of the domains. Sharov believes the Mac maker’s veil of secrecy downright clouded its judgement this time around.

“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” Sharov is quoted as saying in a piece by Forbes.

“This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

Sharov admits that Apple’s quick action can be regarded as an honest mistake. There’s also a good chance Apple’s actions were influenced by the fact that Dr. Web is not a big name in security.

However, the far-better-known Kaspersky had already confirmed Dr. Web’s findings on Friday.

Kaspersky researcher Kurt Baumgartner said, “from what we’ve seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this.”

But Sharov outlines that “[Apple’s] response should have been much earlier when they should have updated their Java. Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”

“These are not pleasant days for them,” he added. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”