Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple reportedly tries to shut down Flashback discoverer's server

Last updated

In what may be a case of mistaken identity, it was revealed on Tuesday that Apple attempted to shut down a server belonging to the security firm that first discovered the Flashback malware, giving insight into how the Cupertino, Calif., company handles third-party assistance.

Boris Sharov, chief executive of the relatively unknown Russian security firm Dr. Web, was notified by web registrar Reggi.ru on Monday that Apple had requested the shut-down of a domain belonging to the Moscow company on claims that it was being used as a "command and control" for Macs affected by Flashback, reports Forbes.

“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” Sharov said. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

The domain in question was one of three Dr. Web was using to monitor the spread of Flashback in what researchers call a "sinkhole," or a spoofed command and control server. This technique allowed the firm to first uncover the trojan that has so far rooted into an estimated 600,000 machines, more than one percent of all operating Macs.

Apple may have prematurely requested the shutdown, which is standard practice in this type of security scenario, before further investigating the background of the server and Sharov believes that the move was merely a mistake.

Adding to the confusion is Apple's notoriously secretive nature. Sharov said that his company has dealt with the oft-maligned Microsoft on similar situations which, unlike Apple, has fostered fruitful working relationships with outside security firms. Apple has not seen a botnet of this scope and therefore does not share the same ties with outside security sources, he adds.

“For Microsoft, we have all the security response team’s addresses,” Sharov said. “We don’t know the antivirus group inside Apple.”


Dr. Web chief executive Boris Sharov. | Source: Forbes

By shutting down command and control servers, Apple is looking to quash Flashback, which in its current iteration has created a worldwide botnet by exploiting an unpatched Java vulnerability.

Apple recently pushed out two successive Java updates last week in an attempt to catch up with the malware, but some see the move as too little too late.

“Their response should have been much earlier when they should have updated their Java,” Sharov said. “Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”

Apple remains closed for comment, and hasn't released any official statement regarding Flashback.

“These are not pleasant days for them,” Sharov said. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”



28 Comments

prof. peabody 14 Years · 2858 comments

This part here: (the actual basis for this being a "story" BTW)

Quote:
Originally Posted by AppleInsider

... Sharov said. ?This seems to mean that Apple is not considering our work as a help. It?s just annoying them.? ...

Would seem to be a huge leap/assumption that isn't backed up by any facts and is actually quite unlikely.

drblank 18 Years · 3384 comments

Why wouldn't Apple want those servers to be shut down. If they are hosting some malware, then they SHOULD be shut down. They aren't helping anyone by having that crap available to be used. They should simply find out who posted it in the first place and go after the people that put the crap out there in the first place.

emacs72 14 Years · 355 comments

Quote:
Originally Posted by drblank

Why wouldn't Apple want those servers to be shut down. If they are hosting some malware, then they SHOULD be shut down.

those servers were used to attract botnet attacks. it's like catching living specimens in a test lab so you have a controlled environment with which to study them. some botnet attacks thrive on live hosts in a peer-to-peer environment. if you purposely join the environment (in hopes of fooling everyone that you're just a innocent target of the trojan), you can quietly remain infected while you diagnose the problem and kill the trojan.

emacs72 14 Years · 355 comments

Quote:
Originally Posted by Prof. Peabody

This part here: (the actual basis for this being a "story" BTW) ...

the entire article is, in fact, newsworthy. i doubt most people, here, knew how security firms track down and ultimately eliminate threats. the Forbes article gives some insight into the legitimate tactics deployed by Dr Web and other security firms.

Quote:
Would seem to be a huge leap/assumption that isn't backed up by any facts and is actually quite unlikely.

while i agree the assumption is a bit arrogant, the bigger picture is people shouldn't necessarily be equally as arrogant to dismiss the notion that OS X can be victims of certain kinds of digital threats.

mstone 18 Years · 11503 comments

I checked all our machines when this first made news a few days ago and they were clean. I have not heard where the exploit is hosted, but apparently all you have to do is visit a hacked website without any other user interaction whatsoever.

One of our printers recently got their website hacked. Somehow they were able to compromise the http file uploader using php. Perhaps they target businesses that are known to be popular with Macs like printers. They hack the website then distribute their malware to the company's regular clients.