According to Russian anti-virus company Doctor Web, the Flashback botnet now includes more than 600,000 infected computers, the majority of them located in the U.S. and Canada.
"Once onboard the Trojan will search for files that it can use to install itself, then it will generate a list of control servers and send a notification of success to the bot herder," writes The Inquirer's Dave Neal. "Dr Web said that over time it will send consecutive queries to control server addresses."
"Dr. Web says it employed a sinkhole technique to intercept the bot installed by the newest Flashback trojan, and directed the bots to its own servers where it could analyse the traffic," The H Security reports. "Each bot includes a unique ID of the machine it has infected in the query string it sends to the command and control server; it is these unique IDs that Dr. Web has used to calculate the infection count."
"Apart from the alarming number of infections, Dr Web also notes that some of the compromised web pages that delivered the Trojan belong to D-Link," writes Geek.com's Lee Mathews. "That’s a pretty big black eye for a network hardware vendor, particularly one who offers a range of VPN and Firewall appliances."
"Flashback has been exploiting three different Java vulnerabilities in the last few months, and although Apple issued a patch for the most recent one on Tuesday, there likely still are plenty of vulnerable machines online," writes Threatpost's Dennis Fisher.