The FlashBack Trojan, which affects a greater percentage of Mac users than the infamous Conficker worm did (and occasionally still does) for Windows users, connects to a limited number of IP addresses for its "Call Home". Although millions of URLs are used as droppers, it appears that the actual malware connects to only two IP addresses:
220.127.116.11 and 18.104.22.168
ThreatSTOP is blocking both of these IPs using our "Emergency" feed.
ThreatSTOP users who get hits on their logs from these IPs should check to verify infection using Dr. Web's utility:
You can then clean up the systems identified using one of the freeware cleaners available:
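To decide which machines to check and clean, the log hits mentioned above can be grouped by the internal host that generated them. The following is an added example, not ThreatSTOP's or Dr. Web's tooling. It assumes iptables-style firewall log lines with `SRC=`, `DST=` and `DPT=` fields, and the sample log lines, internal addresses and ports are constructed.

```python
import re
from collections import defaultdict

# The two call-home addresses as they appear on this page.
CALL_HOME_IPS = {"220.127.116.11", "18.104.22.168"}

# Assumed log format: iptables-style LOG lines carrying SRC= and DST= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}).*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

def find_call_home_hits(lines, watchlist=CALL_HOME_IPS):
    """Group hits on the watchlist by internal source host.

    Returns {src_ip: {"count", "first", "last", "dsts", "ports"}}.
    DST is compared as a whole field, so 18.104.22.168 does not match
    a line whose destination is 118.104.22.168.
    """
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "dsts": set(), "ports": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dst"] not in watchlist:
            continue  # unparseable line or unrelated destination
        h = hits[m["src"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
        h["dsts"].add(m["dst"])
        if m["dpt"]:
            h["ports"].add(int(m["dpt"]))
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Apr 10 09:14:02 gw kernel: BLOCK IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=220.127.116.11 LEN=60 PROTO=TCP SPT=49211 DPT=80
Apr 10 09:14:09 gw kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.0.4.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50122 DPT=443
Apr 10 09:20:41 gw kernel: BLOCK IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=18.104.22.168 LEN=60 PROTO=TCP SPT=49230 DPT=80
Apr 10 09:21:00 gw kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.0.4.31 DST=118.104.22.168 LEN=60 PROTO=TCP SPT=51400 DPT=80
Apr 10 09:25:13 gw kernel: BLOCK IN=eth1 OUT=eth0 SRC=10.0.4.52 DST=18.104.22.168 LEN=60 PROTO=TCP SPT=49877 DPT=80
""".splitlines()

if __name__ == "__main__":
    for src, h in sorted(find_call_home_hits(SAMPLE_LOG).items()):
        print(f"{src}: {h['count']} hit(s), first {h['first']}, last {h['last']}, "
              f"to {sorted(h['dsts'])}")
```

Each source address it reports is a machine to run the infection check on; a host behind NAT or a proxy will appear as the translating device, so the search has to be repeated on that device's own logs.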
The world owes a debt of gratitude to the guys @ Dr. Web who discovered this:
Until now, attackers have (mostly) ignored Macs, but this is clearly not the case anymore.
Outbreaks like this are the “rule” and not the “exception.” While typical protection methods have to block millions of easily changed URLs in an attempt to block this sort of malware, ThreatSTOP is able to quickly locate, isolate, and block the limited number of IP addresses used by attackers. Our customers are able to rest easy when reports like this surface. They know they’re already protected, enabling them to sleep soundly at night.
We offer a free trial that will provide insight into what is going on in your network. If you are interested in sleeping as well as our customers are, give it a try: https://www.threatstop.com/index.php?page=index&action=trial