Categories: Malware

Flashback botnet is still active, Mac users are warned

Intego's Malware Research Team found, through sinkholing, that the OSX Flashback trojan is still active. Mac users should be aware.

Flashback is a trojan horse known since 2011 that targeted a Java vulnerability on Mac OS X machines. In early 2012 it spread to infect up to 600,000 machines as new variants switched to Java exploits and drive-by downloads. One of the most interesting analyses of the Flashback botnet was published by the security firm ESET.

The malware infected its victims using different methods that evolved over time:

  • Posing as a Flash Player installer and requesting the user's authorization to run.
  • Posing as a signed Java applet that requested the user's authorization to run.
  • Exploiting a Java vulnerability to download and run malicious code without any user interaction.

The data-stealing mechanism implemented by the Flashback authors is code injection into the web browser and other applications, including Skype; with this technique the criminals can steal user credentials and other data from the victim's machine.

The Trojan targets a known vulnerability in Java on Mac OS X systems; to infect a machine it is sufficient to visit a compromised website hosting malicious JavaScript that serves the exploit through Java applets.

Flashback opens a backdoor on the machine that allows an attacker to gain complete control of the infected system, and its ad-clicking feature generated millions of dollars in fraudulent ad revenue by redirecting victims to sponsored links.

“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” Symantec wrote in a blog post. “Google never receives the intended ad click.”

The scheme gives its creators a highly profitable revenue stream, one already seen in similar scams. In August 2011 the W32.Xpaj.B Trojan produced daily profits of $450 from 25,000 infected PCs; extrapolating from that figure, the experts estimated that a botnet of 650,000 infected machines could earn the Flashback creators around $10,000 per day.

The Flashback botnet was also used for spamming and for denial-of-service attacks.

Researchers at Intego published a blog post alerting Apple users that the Flashback botnet is still active:

“The Apple Product Security Response team took serious actions in 2012 to mitigate the threat using XProtect and other security updates (including a Malware Removal Tool), however, the botnet count was only divided by six according to our sinkhole.”

“Intego purchased some of the command and control (C&C) server domain names to monitor the Flashback threat that infected hundreds of thousands of Macs. Beginning January 2, we studied those domains and our sinkhole servers recorded all connections from Macs where Flashback is still active and trying to contact the C&C servers. Below is a screenshot of the Apache Server log:”

Intego reported the results observed after five days of sinkholing: at least 22,000 infected machines tried to contact the C&C servers, and 14,248 unique identifiers belonged to the latest Flashback variants:

Version   Count
sv:1      1,556
sv:2      1,813
sv:4        955
sv:5      9,924
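The per-version counts above come from Intego's sinkhole logs. As an added example (not Intego's code), here is the kind of script that produces such a table from an Apache access log: it counts infected machines by the bot's own per-machine identifier rather than by source IP, because NAT and DHCP churn make IP counts both over- and under-count hosts. The sample log lines are constructed, and the way the beacon is encoded (an `id:<uuid>;sv:<version>` pair inside the User-Agent string) is an assumption made for the example, not a documented Flashback wire format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format. The request path and the
# "id:...;sv:N" pair in the User-Agent are assumptions about how the bot beacons to
# its C&C domain; they are not taken from Intego's screenshot or any real sample.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jan/2014:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh) id:7F3A2C1E-5D2B-4E1A-9F2B-1C2D3E4F5A6B;sv:5"
203.0.113.10 - - [02/Jan/2014:10:31:12 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh) id:7F3A2C1E-5D2B-4E1A-9F2B-1C2D3E4F5A6B;sv:5"
198.51.100.7 - - [02/Jan/2014:10:02:03 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh) id:0a1b2c3d-1111-2222-3333-444455556666;sv:2"
198.51.100.8 - - [02/Jan/2014:11:15:44 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh) id:0A1B2C3D-1111-2222-3333-444455556666;sv:2"
192.0.2.55 - - [03/Jan/2014:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Macintosh) id:DEADBEEF-0000-0000-0000-000000000001;sv:1"
192.0.2.56 - - [03/Jan/2014:08:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed beacon marker carried in the User-Agent header (see lead-in).
BEACON_RE = re.compile(r'id:(?P<id>[0-9A-Fa-f-]+);sv:(?P<sv>\d+)')


def parse_line(line):
    """Parse one log line; return a beacon record, or None for non-bot traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    b = BEACON_RE.search(m.group("ua"))
    if not b:
        return None  # crawlers and curious browsers also hit a sinkhole; ignore them
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "id": b.group("id").upper(),   # normalise so case differences do not split one host in two
        "sv": "sv:" + b.group("sv"),
    }


def summarize(log_text):
    """Count beacons, distinct source IPs and distinct bot identifiers per variant."""
    beacons = 0
    ips = set()
    ids_by_version = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        beacons += 1
        ips.add(rec["ip"])
        ids_by_version[rec["sv"]].add(rec["id"])
    per_version = {sv: len(ids) for sv, ids in sorted(ids_by_version.items())}
    return {
        "beacons": beacons,
        "unique_ips": len(ips),
        "unique_ids": sum(per_version.values()),
        "per_version": per_version,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("Version   Count")
    for sv, n in result["per_version"].items():
        print(f"{sv:<9} {n:>5}")
    print(f"beacons={result['beacons']} unique_ips={result['unique_ips']} unique_ids={result['unique_ids']}")
```

On the constructed sample, five beacons arrive from four IPs but belong to only three machines: the `sv:2` host shows up from two addresses, which is exactly the case where counting IPs would inflate the botnet estimate.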

Intego strongly encourages Mac users to check their machines for Flashback and to adopt an antivirus product; unfortunately, the mistaken belief that Apple systems are immune to malware is still widespread in the Mac community.

To remove Flashback from an infected Mac, install Apple's latest software update or use Apple's official Flashback malware removal tool.
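Apple's tool and the update do the removal, but a practitioner may also want to check a machine by hand for the injection mechanism described earlier. The Flashback variants that injected into the browser did so through the `DYLD_INSERT_LIBRARIES` environment variable, placed either in the `LSEnvironment` dictionary of an application's `Info.plist` (Safari, Firefox) or in the user's `~/.MacOSX/environment.plist`; the published manual-removal guidance of the time checked exactly those keys. The checker below is an added example, not Apple's or Intego's code. The sample plists are constructed, and the library path in the infected sample is a placeholder rather than a real Flashback filename.

```python
import os
import plistlib

# Constructed sample: a clean Info.plist fragment with no LSEnvironment key.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
</dict>
</plist>
"""

# Constructed sample: the same bundle with an injected library. The path is a placeholder.
INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/Safari.app/Contents/Resources/.placeholder.so</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample of ~/.MacOSX/environment.plist, where the variable sits at top level
# and may carry a colon-separated list of libraries.
INFECTED_ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.placeholder.dylib:/tmp/.second.dylib</string>
</dict>
</plist>
"""

# Locations the manual-removal guidance for Flashback told users to inspect.
DEFAULT_PATHS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    os.path.expanduser("~/.MacOSX/environment.plist"),
]


def find_injected_libraries(plist_bytes):
    """Return every library path named by DYLD_INSERT_LIBRARIES in a plist (XML or binary)."""
    data = plistlib.loads(plist_bytes)
    found = []
    # Info.plist keeps per-application variables under LSEnvironment; environment.plist
    # keeps them at the top level. Check both so one function serves both file kinds.
    sources = [data.get("LSEnvironment", {}), data]
    for src in sources:
        value = src.get("DYLD_INSERT_LIBRARIES") if isinstance(src, dict) else None
        if isinstance(value, str):
            found.extend(p for p in value.split(":") if p)
    return found


def scan_files(paths=DEFAULT_PATHS):
    """Map each existing path to the libraries it injects; unreadable or absent files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report[path] = find_injected_libraries(fh.read())
        except (OSError, plistlib.InvalidFileException):
            continue
    return report


if __name__ == "__main__":
    for path, libs in scan_files().items():
        status = "SUSPICIOUS" if libs else "clean"
        print(f"{status:<10} {path} {libs if libs else ''}")
```

Any non-empty result deserves a look: legitimate software almost never sets `DYLD_INSERT_LIBRARIES` in these files, and the removal tool deletes the key rather than the whole plist.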

Pierluigi Paganini

(Security Affairs –  Flashback, Malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
