
Attacks/Breaches

5/1/2012
02:27 PM

Apple Mac Flashback Trojan Gang Still Making Money

Meanwhile, a 3-year-old patched bug in Microsoft Office for Macintosh is still being exploited

The prolific Flashback Trojan that has infected anywhere from half a million to nearly 1 million Macintosh machines worldwide remains active despite Apple's emergency security update, and its owners continue to rake in revenue from the click-fraud operation -- possibly as much as $10,000 a day, according to new research.

Symantec researchers came up with that estimate based on new information they mined from the Flashback Trojan's payload. "Part of that communication was a number that represents the dollar amount they would make when [they] display or click on that ad," says Vikram Thakur, principal response manager for Symantec.

The $10,000 per day estimate is based on the 0.8 cent value per click the researchers found in the payload, as well as an extrapolation of what such a fraud scheme would make in a Windows-based botnet. "We took that number and mapped it using the information we knew about different threats in PC land. Since we can't determine the exact currency that number corresponds to, we are extrapolating it," he says.

Flashback infections began slowly receding late last month after Apple issued a patch for the Java vulnerability that the Trojan was exploiting on Mac machines. The infections originated from hacked and malware-rigged WordPress blog sites that silently redirected users to a malicious server that loaded the exploit, according to Kaspersky Lab.

The initial count of infected Macs from Russian AV firm Doctor Web -- which first reported the rare Mac botnet -- was some 817,879 Mac bots having connected with the Flashback Trojan botnet, with an average of about 550,000 doing so per day. The last count published by the firm was 566,773 infected Macs as of April 20.

So it appears few Mac users are actually applying the available patch from Apple. "At this point in time, however, the numbers being reported by Dr. Web are all that is available, and we don't see any reason to doubt them at this time. The underlying issue that this all highlights is that it appears not many end users have cleaned up their infected machines," Symantec's Thakur says. "This could be for various reasons, but one of which could certainly be the fact that there is a limited visible impact on end users, thus resulting in them not taking any action."

The Mac attack scare started last month when researchers at Russian antivirus firm Dr. Web announced they had spotted a botnet of 500,000 to 700,000 Macs, a finding that later was confirmed by Kaspersky Lab and Unveillance. The news was a painful wake-up call for the Mac user community, which long has been spared the bull's eye of botmasters who traditionally have gone after Windows machines. It was no surprise to security experts, however, who for some time have warned that with the Mac's growing popularity -- especially in enterprise circles -- it was only a matter of time before attackers would more aggressively zero in on the Mac.

But Flashback isn't the only stubborn Mac infection out there. Microsoft says a security update it released nearly three years ago, MS09-027, which patched a remote code execution vulnerability in the Mac version of Microsoft Office, is being exploited today because users have not applied the patch. One of the exploits studied by Microsoft targets Snow Leopard or earlier versions of Mac OS X.

"Fortunately, our data indicates that this malware is not widespread," wrote Jeong Wook Oh of Microsoft's Malware Protection Center in a blog post yesterday. "Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

[ Mac users might not have a lot of exploits to worry about, but their lack of security worries makes them an APT attacker's dream come true. See Anatomy Of A Mac APT Attack. ]

Why does Flashback keep coming back? For one thing, Mac users who get infected with the Trojan hardly notice it. "There's definitely some performance issues, but as a general user, you tend to blame performance on all sorts of matters. Malware isn't the first reaction," Thakur says. The users still get ads, too, he says.

It's the search engines such as Google and other providers that get hurt financially from the click-fraud scam, as well as owners of the ads. "They are seeing their ads displayed in a lot more computers, but with fewer people following through and buying [anything]," he says. "It's definitely a gray area on who takes the lead to follow up on these [scams]," he says.

Symantec is studying whether the Flashback campaign maps to another click-fraud scam in the PC world, but hasn't come up with any conclusions as yet.

"We do know the people behind the [Flashback] threat are still active, using an updated control server for providing ads," Thakur says.

The servers supporting the botnet use hard-coded IP addresses, which Symantec has reported to the appropriate hosting providers. And the Flashback gang appears to be pretty savvy, according to Thakur: They don't hijack any clicks to high-profile websites, such as Wikipedia or PayPal. "They do this to make sure no one thinks something's amiss. The Flashback gang knows to increase their life span, they will want to fly under the radar," Thakur says, so they go after lower-profile site traffic.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
