Trojan used hacked WordPress sites to carry out mass Mac infections

The Flashback trojan infected more Macs than any other malware in history

Diaz told a webinar last Thursday that between the end of February and early March, between 30,000 and 100,000 WordPress sites were hacked, with 85% of those located in the US, 18% in Canada, and 9% in Australia.

Computers were infected when Mac users visited a hacked site, were redirected to a malicious site controlled by the Flashback gang using the rr.nu domain, and had malware downloaded automatically onto their machines via a Java vulnerability, Diaz said.

The Kaspersky Lab researcher said that in total 700,000 Mac users were infected by Flashback for the whole period that Kaspersky Lab maintained a sinkhole. However, the size of the Flashback botnet dropped precipitously in mid-April, to around 30,000 infected Macs as of April 19, Diaz noted. The biggest drop followed the release by Apple of a patch for the Java vulnerability and a removal tool for the Flashback malware.

According to Kaspersky statistics, of the 205,622 people who checked their Macs with the company, 3,624 computers were infected, or a 1.76% infection rate.

In a blog post, Alexander Gostev of Kaspersky Lab wrote that Flashback, aka Flashfake, was able to spread so quickly because of the WordPress blog infection technique. The malware had been around since 2008, but the number of infections exploded when the WordPress delivery method was developed.

Flashback used a partnering program based on script redirects from a large number of legitimate WordPress sites that were hacked. “How this happened is unclear. The main theories are that bloggers were using vulnerable versions of WordPress or they had installed the ToolsPack plugin”, Gostev explained.
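For site owners checking their own pages, the script redirects described here and the rr.nu redirect domain Diaz named can be turned into a simple audit. The sketch below is an added example, not code from Kaspersky Lab or from the article; it assumes the injected redirect shows up as a `<script>` or `<iframe>` element whose `src` points at a host under rr.nu, and the sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The only indicator taken from the article: the redirect domain rr.nu.
REDIRECT_ZONE = "rr.nu"

class _SrcCollector(HTMLParser):
    """Collects src attributes of <script> and <iframe> elements."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())

def host_in_zone(url, zone=REDIRECT_ZONE):
    """True if the URL's host is the zone itself or a subdomain of it."""
    try:
        # urlsplit also handles protocol-relative URLs ("//host/path").
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    # Compare on a label boundary so "mirrorr.nu" or
    # "rr.nu.example.com" do not count as matches.
    return host == zone or host.endswith("." + zone)

def find_redirect_scripts(html, zone=REDIRECT_ZONE):
    """Return script/iframe sources in `html` that load from the zone."""
    collector = _SrcCollector()
    collector.feed(html)
    return [src for src in collector.sources if host_in_zone(src, zone)]

# Constructed sample page; every hostname below is invented for illustration.
SAMPLE_PAGE = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="http://constructed-example.RR.nu/x.js"></script>
<script src="//cdn.rr.nu.example.com/lib.js"></script>
<script src="https://mirrorr.nu/app.js"></script>
</head><body><iframe src="//another-constructed.rr.nu/"></iframe></body></html>
"""

if __name__ == "__main__":
    for src in find_redirect_scripts(SAMPLE_PAGE):
        print("suspicious include:", src)
```

Run it against the rendered HTML of each page rather than only the theme files, since an injected include may be stored in the database or generated at request time.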

Diaz made a number of predictions about Mac infections. First, he said to expect more Mac OS X botnets because the Mac’s increase in market share has made it more attractive to cybercriminals. Second, Mac users should expect more drive-by malware downloads and more cross-platform exploit kits with Mac-specific exploits.

Diaz cautioned that Mac users need to employ anti-virus software to prevent infections. Flashback has exposed the myth of Mac OS X invulnerability, he added.
