
Apple Mac Flashback Trojan Gang Still Making Money

Meanwhile, a 3-year-old patched bug in Microsoft Office for Macintosh is still being exploited

The prolific Flashback Trojan that has infected anywhere from half a million to nearly 1 million Macintosh machines worldwide remains active despite Apple's emergency security update, and its owners continue to rake in revenue from the click-fraud operation -- possibly as much as $10,000 a day, according to new research.

Symantec researchers came up with that estimate based on new information they mined from the Flashback Trojan's payload. "Part of that communication was a number that represents the dollar amount they would make when [they] display or click on that ad," says Vikram Thakur, principal response manager for Symantec.

The $10,000 per day estimate is based on the 0.8 cent value per click the researchers found in the payload, as well as an extrapolation of what such a fraud scheme would make in a Windows-based botnet. "We took that number and mapped it using the information we knew about different threats in PC land. Since we can't determine the exact currency that number corresponds to, we are extrapolating it," he says.

Flashback infections began slowly receding late last month after Apple issued a patch for the Java vulnerability that the Trojan was exploiting on Mac machines. The infections originated from hacked and malware-rigged WordPress blog sites that silently redirected users to a malicious server that loaded the exploit, according to Kaspersky Lab.

The initial count from Russian AV firm Doctor Web -- which first reported the rare Mac botnet -- was some 817,879 Mac bots that had connected to the Flashback Trojan botnet, with an average of about 550,000 doing so per day. The last count published by the firm was 566,773 infected Macs as of April 20.

So it appears few Mac users are actually applying the available patch from Apple. "At this point in time, however, the numbers being reported by Dr. Web are all that is available, and we don't see any reason to doubt them at this time. The underlying issue that this all highlights is that it appears not many end users have cleaned up their infected machines," Symantec's Thakur says. "This could be for various reasons, but one of which could certainly be the fact that there is a limited visible impact on end users, thus resulting in them not taking any action."

The Mac attack scare started last month when researchers at Russian antivirus firm Dr. Web announced they had spotted a botnet of 500,000 to 700,000 Macs, a finding that later was confirmed by Kaspersky Lab and Unveillance. The news was a painful wake-up call for the Mac user community, which long has been spared the bull's eye of botmasters who traditionally have gone after Windows machines. It was no surprise to security experts, however, who for some time have warned that with the Mac's growing popularity -- especially in enterprise circles -- it was only a matter of time before attackers would more aggressively zero in on the Mac.

But Flashback isn't the only stubborn Mac infection out there. Microsoft says a security update it released nearly three years ago, MS09-027, which patched a remote code execution vulnerability in the Mac version of Microsoft Office, is being exploited today because users have not applied the patch. One of the exploits studied by Microsoft targets Snow Leopard or earlier versions of Mac OS X.

"Fortunately, our data indicates that this malware is not widespread," wrote Jeong Wook Oh of Microsoft's Malware Protection Center in a blog post yesterday. "Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."


Why does Flashback keep coming back? For one thing, Mac users who get infected with the Trojan hardly notice it. "There's definitely some performance issues, but as a general user, you tend to blame performance on all sorts of matters. Malware isn't the first reaction," Thakur says. The users still get ads, too, he says.

It's the search engines such as Google and other providers that get hurt financially from the click-fraud scam, as well as owners of the ads. "They are seeing their ads displayed in a lot more computers, but with fewer people following through and buying [anything]," he says. "It's definitely a gray area on who takes the lead to follow up on these [scams]," he says.

Symantec is studying whether the Flashback campaign maps to another click-fraud scam in the PC world, but hasn't come up with any conclusions as yet.

"We do know the people behind the [Flashback] threat are still active, using an updated control server for providing ads," Thakur says.

The servers supporting the botnet use hard-coded IP addresses, which Symantec has reported to the appropriate hosting providers. And the Flashback gang appears to be pretty savvy, according to Thakur: They don't hijack any clicks to high-profile websites, such as Wikipedia or PayPal. "They do this to make sure no one thinks something's amiss. The Flashback gang knows to increase their life span, they will want to fly under the radar," Thakur says, so they go after lower-profile site traffic.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
