Eset on Flashback malware, interesting info to prevent further attacks

Pierluigi Paganini September 23, 2012

Reports from main security firms confirm the increasing growth of cyber attacks based on malware, in particular the large diffusion of Apple products has made them desirable targets.

The explosion of malicious agents designed for Apple OS X operating system as surprised Apple users that have found themselves suddenly vulnerable exactly such as users of the products that they have always hated.

In reality before OSX/Flashback attacks registered in April 2012 that infected over 500,000 computers there had been few cases of malicious agents targeting OS X.

But how much is known about Flashback?

In days is circulating the news that the dangerous malware has been finally eradicated but as usually I believe fundamental to share knowledge of the agent to facilitate further detections and analysis on cyber menaces.

Eset security company has published the results of its analysis on the agent revealing interesting information on the method of spying on network communications of the malware and on the algorithms used for dynamically generating domain names.

Geographic distribution of Flashback infections reveals that the majority of victims host was located in North America and that is aligned with the great diffusion of Apple products in the areas, no infections were discovered in the Asian continent.

The malware exploited the victims using different methods that evolved over the time:

  • Masked as a Flash player and requesting user’s authorization for execution.
  • Masked as a Java signed applet that requested user’s authorization for execution.
  • Exploiting a Java vulnerabilities to download without user’s interaction malicious code.

The methods are listed in temporal order and the most effective has been the one that has exploited flaws in Java noted as CVE- 2012-0507 or CVE-2011-3544, making possible the infection simply visiting a compromised website.


After the explosion of the epidemic principal security firms have analyzed the evution of malware, although today its operator have abandoned the control of the botnet shutting down its latest command and control server occurred in May this year.

Chronology of Events

Following the Chronology proposed by the Eset in the study:

  • September 2011: Emergence of the first variant
  • February 2012: Oracle makes available an update for Java which corrects a flaw exploited by Flashback [7]
  • March 2012: Rapid Spread via the feat Java
  • End of March 2012: First Sinkholes to be recorded by different anti-virus companies
  • April 3, 2012: Apple makes available the Java update with the corrected flaw
  • April 4, 2012: First statistics on sinkholes (DrWeb)
  • April 6, 2012: Apple publish a second update for Java
  • April 13, 2012: Apple publishes a tool to clean Flashback [8]
  • May 1, 2012: The control centers did not answer any more

A closer look to the malware

When the installation package is first run, the malware sends the device UUID from the infected system to the C&C server over HTTP.

Over time, the methods of obfuscation of each component became more complex, the malware itself is changed, for example the URL used for statistics in the first command has been removed from the executable file and a large part of the data section has completely changed.

Eset experts are convinced that authors haven’t release new version of the agent to avoid detection and to operate silently with new infrastructures.

The researchers have discovered that the malware polls a list of domains from which it can download and run a file.

The analysis indicates that the installation component purpose is to insert a second module for intercepting HTTP and HTTPS traffic allowing the injection of ads which are displayed to the user of the infected system.

The fields are derived from three separate sources:

  1. A domain list is hard-coded in the installation package (with the key 0x92be);
  2. 5 prefixes of domains are dynamically generated from constants found in the installation package (the three constants to the key 0x6192);
  3. Another domain prefix is generated dynamically based on the date.

The study reveals:

For each of the domain prefixes generated dynamically at point 2 and 3, the suffixes which will be added to each are in the key 0x1f91.
In all variantswe have analyzed, the same 5 top-level domains were contained. The prefixes in point 2 are pseudo-random strings of 11 to 13 letters. They differ
according to the variant. The prefix in point 3 is also a pseudo-random string but is unique according to the current date and is the same for all
variants. The 5 suffixes will also be appended to the daily prefix. By excluding the domains auto-generated based on the day at point 3, we have identified 185 domains from all the variants at our disposal.

Other singular characteristic of the malware is its component for interception that isn’t an executable code but a library dynamically loaded by the Mac OS X module called dyld. In order to load the library Flashback uses DYLD_INSERT_LIBRARY change its value with essentially two techniques.

Analyzing the malware it has been discovered that it make also use of Twitter as mechanism of communication to Command & Control servers, the code reveals the presence of and URL to search for a hashtag on Twitter, in this way botmaster could send order also via the social platform using specific tags.

A different hash-tag is generated each day. A search for this hashtag on Twitter reveals the IP address or the domain name of the new command and control server to use. In the tweet, the experts find the information between the delimiters « beginbump » and « endbump » (these delimiters are also part of the configuration).


Eset researchers haven’t identified the senders because probably they would have already been deleted if he had really used them, however they found that someone who  has tried to bring in traffic to their sinkhole by tweeting its address with the correct hashtag, maybe other security companies have identified the activities.

The study has demonstrated also a very interesting the way the malware used to protect the binary and how key information is removed from the first stage dropper to make tracking of the botnet harder.

How the malware was able to read data that is being sent on the network?

The agents hooked the CFReadStreamRead and CFWriteStreamWrite routines that provide interfaces for reading and writing a byte stream, technically every information sent on the network was trappable included an encrypted connection.

Interesting feature is the authentication method used to validate command and control instructions, that made use of asymmetric cryptography to avoid impersonation attacks.

As usually unfortunately it’s impossible to establish the authors and motivation behind the attack, unique certainty is that the malware has changed the perception of cyber threat of many Apple users.

Flashback teached to the MAC users that nobody is immune, the malware in fact is the first example of large-scale attack against the OS X platform that raised serious questions on the perception of cyber threat of Apple world.

The vulnerabilities impacted also MACs that have been exploited in different attacks, let’s remind for example the ones against Dalai Lama and Tibetan nongovernmental

The version of Java installed with Mac OS X cannot be updated by Oracle, that is really serious problem due the large windows of exposure of its users.

Since Mac OS X Lion (10.7), Apple no longer installs Java interpreters by default on its operating system, a move that can be seen as reducing avenues of attack. This might also be interpreted as an attempt to avoid the burden of updating software that is beyond its control.

Is it the correct approach?

Pierluigi Paganini

you might also like

leave a comment