
Attacks/Breaches

5/1/2012
02:27 PM

Apple Mac Flashback Trojan Gang Still Making Money

Meanwhile, a 3-year-old patched bug in Microsoft Office for Macintosh is still being exploited

The prolific Flashback Trojan that has infected anywhere from half a million to nearly 1 million Macintosh machines worldwide remains active despite Apple's emergency security update, and its owners continue to rake in revenue from the click-fraud operation -- possibly as much as $10,000 a day, according to new research.

Symantec researchers came up with that estimate based on new information they mined from the Flashback Trojan's payload. "Part of that communication was a number that represents the dollar amount they would make when [they] display or click on that ad," says Vikram Thakur, principal response manager for Symantec.

The $10,000 per day estimate is based on the 0.8 cent value per click the researchers found in the payload, as well as an extrapolation of what such a fraud scheme would make in a Windows-based botnet. "We took that number and mapped it using the information we knew about different threats in PC land. Since we can't determine the exact currency that number corresponds to, we are extrapolating it," he says.

Flashback infections began slowly receding late last month after Apple issued a patch for the Java vulnerability that the Trojan was exploiting on Mac machines. The infections originated from hacked and malware-rigged WordPress blog sites that silently redirected users to a malicious server that loaded the exploit, according to Kaspersky Lab.

The initial count from Russian AV firm Doctor Web -- which first reported the rare Mac botnet -- was some 817,879 Macs that had connected to the Flashback Trojan botnet, with an average of about 550,000 doing so per day. The last count published by the firm was 566,773 infected Macs as of April 20.

So it appears few Mac users are actually applying the available patch from Apple. "At this point in time, however, the numbers being reported by Dr. Web are all that is available, and we don't see any reason to doubt them at this time. The underlying issue that this all highlights is that it appears not many end users have cleaned up their infected machines," Symantec's Thakur says. "This could be for various reasons, but one of which could certainly be the fact that there is a limited visible impact on end users, thus resulting in them not taking any action."

The Mac attack scare started last month when researchers at Russian antivirus firm Dr. Web announced they had spotted a botnet of 500,000 to 700,000 Macs, a finding that later was confirmed by Kaspersky Lab and Unveillance. The news was a painful wake-up call for the Mac user community, which long has been spared the bull's eye of botmasters who traditionally have gone after Windows machines. It was no surprise to security experts, however, who for some time have warned that with the Mac's growing popularity -- especially in enterprise circles -- it was only a matter of time before attackers would more aggressively zero in on the Mac.

But Flashback isn't the only stubborn Mac infection out there. Microsoft says a remote code execution vulnerability in the Mac version of Microsoft Office, which it patched nearly three years ago with security update MS09-027, is still being exploited today because users have not applied the patch. One of the exploits studied by Microsoft targets Snow Leopard or earlier versions of Mac OS X.

"Fortunately, our data indicates that this malware is not widespread," wrote Jeong Wook Oh of Microsoft's Malware Protection Center in a blog post yesterday. "Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

[ Mac users might not have a lot of exploits to worry about, but their lack of security worries makes them an APT attacker's dream come true. See Anatomy Of A Mac APT Attack. ]

Why does Flashback keep coming back? For one thing, Mac users who get infected with the Trojan hardly notice it. "There's definitely some performance issues, but as a general user, you tend to blame performance on all sorts of matters. Malware isn't the first reaction," Thakur says. The users still get ads, too, he says.

It's search engines such as Google and other providers, along with the owners of the ads, that get hurt financially by the click-fraud scam. "They are seeing their ads displayed in a lot more computers, but with fewer people following through and buying [anything]," he says. "It's definitely a gray area on who takes the lead to follow up on these [scams]."

Symantec is studying whether the Flashback campaign maps to another click-fraud scam in the PC world, but hasn't come up with any conclusions as yet.

"We do know the people behind the [Flashback] threat are still active, using an updated control server for providing ads," Thakur says.

The servers supporting the botnet use hard-coded IP addresses, which Symantec has reported to the appropriate hosting providers. And the Flashback gang appears to be pretty savvy, according to Thakur: They don't hijack any clicks to high-profile websites, such as Wikipedia or PayPal. "They do this to make sure no one thinks something's amiss. The Flashback gang knows to increase their life span, they will want to fly under the radar," Thakur says, so they go after lower-profile site traffic.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
