'Dead' Flashback botnet described as the most widespread Mac malware to date

News by Dan Raywood

The Flashback botnet, which captured around 400,000 Apple Mac users earlier this year, was a game-changer due to its use of drive-by-download techniques.


According to the IBM X-Force 2012 mid-year trend and risk report, the emergence of Flashback was predicted in its earlier reports and after it was discovered in September 2011, the early tactics relied on social engineering to lure users to install them; the newer variants also employed drive-by-download techniques that are common in the Windows malware world.

The report said: “In the last report, we mentioned that the technical difficulty in exploiting OS X software is a major factor in preventing mass exploitation. Flashback works around this by using multi-platform exploits through Java vulnerabilities. That is, the exploitation technique and most of the code involved is the same, regardless of whether the target is Windows or Mac.”

It also noted that Apple issued a software update for Java that removed the most common variants of the Flashback malware; because the exploits it relied on had been patched, that variant never achieved widespread infection.

“Things changed, however, when Flashback started using a CVE-2012-0507 (Java Atomic Reference Array Type Violation Vulnerability) exploit in March. This vulnerability was already patched by Oracle the month before, but the Apple version of Java was not updated yet, leaving a lot of Mac machines vulnerable to this exploit. The resulting mass infection was enormous, and Flashback became the most widespread Mac malware to date,” the report said.

Research released this week by ESET also said that Flashback was the most widespread malware it had seen targeting Mac systems, but the last C&C (command and control) server went offline in May and, since then, ESET said the botnet has been effectively dead.

Pierre-Marc Bureau, ESET senior malware researcher, said: “A real spike in infection started in March 2012, when this threat started propagating by exploiting a vulnerability in the Java interpreter shipped with Apple's OS X. During the first days of April, we deployed monitoring systems to gain a better understanding of the size of the infected population.”

Bureau said that given the scale of Flashback, it wanted to inform users about the malware and it also allowed collaboration with the security industry to register as many of the domain names created by the botnet's domain name generation algorithm as possible, thus preventing the botnet master from sending update commands to already-infected systems.

Clinton McFadden, senior operations manager for IBM X-Force research and development, said: “We've seen an increase in the number of sophisticated and targeted attacks, specifically on Macs and exposed social network passwords. As long as these targets remain lucrative, the attacks will keep coming and in response, organisations should take proactive approaches to better protect their enterprises and data.”
