Monday, April 9, 2012

Kaspersky Lab Confirms Flashback Botnet Infected More Than 600,000 Mac OS X Computers

Via Kaspersky Lab News -

Kaspersky Lab’s experts recently analyzed Flashfake, a massive botnet that infected more than 600,000 computers worldwide, and concluded that more than 98% of the infected computers were most likely running a version of Mac OS X. To infect victims’ computers, the cyber criminals behind the Flashfake botnet were installing a Flashfake Trojan that gained entry into users’ computers without their knowledge by exploiting vulnerabilities in Java. To analyze the botnet, Kaspersky Lab’s experts reverse-engineered the Flashfake malware and registered several domain names which could be used by criminals as a C&C server for managing the botnet. This method enabled them to intercept and analyze the communications between infected computers and the other C&Cs.

The analysis showed that there were more than 600,000 infected machines, with the largest regions being the United States (300,917 infected computers), followed by Canada (94,625), the United Kingdom (47,109) and Australia (41,600). Using a heuristic “OS fingerprinting” method, Kaspersky Lab’s researchers were able to gauge which operating systems the infected computers were running, and found that 98% were most likely running Mac OS X. It is anticipated that the other 2% of machines running the Flashfake bot are very likely to be Macs as well.


Flashfake is a family of OS X malware that first appeared in September 2011. Previous variants of the malware relied on cyber criminals using social engineering techniques to trick users into downloading the malicious program and installing it in their systems. However, this latest version of Flashfake does not require any user interaction and is installed via a “drive-by download,” which occurs when victims unwittingly visit infected websites, allowing the Trojan to be downloaded directly onto their computers through the Java vulnerabilities. After infection the Trojan uploads an additional payload which hijacks victims’ search results inside their web browsers to conduct a “click-fraud” scam.

Although no other malicious activities have currently been detected by the Trojan, the risk is still significant because the malware functions as a downloader on users’ computers, which means the cyber criminals behind Flashfake can easily issue new, updated malware - capable of stealing confidential information such as passwords or credit card details - and install it onto infected machines.

Although Oracle issued a patch for this vulnerability three months ago, Apple delayed in sending a security update to its customer base until 2 April. Users who have not updated their systems with the latest security update should install it immediately to avoid infection.


Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet, Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.

Individual Mac OS X users can query Dr. Web's database of infected Macs to determine if their machine was seen in the collected data...

After sinkholing one of the Flashback C2 servers, Kaspersky created - which can be used in a similar fashion to Dr. Web's database above.


Corporations can check the User-Agent data collected at their outbound proxies.

The bots can be identified by a unique variable named “id” in their User-Agent HTTP header; the rest of the User-Agent string is static and controlled by the Trojan. See the example below:

    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"

The 'id' variable contains the Hardware UUID of the infected OS X system.
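As an added example (not from the original post, Kaspersky or Dr. Web), here is a small Python check that pulls the “id” field out of proxy-log User-Agent strings and groups hits by Hardware UUID rather than by IP. The log layout, the IP addresses and the second UUID are constructed for the example; only the first User-Agent is the one quoted above.

```python
import re

# Markers of the Flashfake/Flashback bot: a static Firefox-on-Windows User-Agent
# whose comment carries "sv:<n>" and "id:<Hardware UUID>" (8-4-4-4-12 hex groups).
HEX = r"[0-9A-Fa-f]"
ID_TOKEN = re.compile(rf"\bid:(?P<uuid>{HEX}{{8}}(?:-{HEX}{{4}}){{3}}-{HEX}{{12}})\b")
SV_TOKEN = re.compile(r"\bsv:\d+\b")

# Constructed proxy-log layout for this example (not a real product format):
# <timestamp> <client_ip> <status> <url> "<User-Agent>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) (?P<url>\S+) "(?P<ua>.*)"$')


def extract_flashback_id(user_agent):
    """Return the bot's Hardware UUID (upper-cased) if the UA carries both markers, else None."""
    if not SV_TOKEN.search(user_agent):
        return None
    m = ID_TOKEN.search(user_agent)
    return m.group("uuid").upper() if m else None


def find_infected_hosts(log_lines):
    """Map each Flashback UUID to the set of client IPs it was seen from.
    Keying on the UUID counts machines, not addresses: one Mac behind DHCP or
    NAT can show up under several IPs over a day, and the case of the hex
    digits is normalised so the same UUID is not counted twice."""
    hosts = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        uuid = extract_flashback_id(m.group("ua"))
        if uuid:
            hosts.setdefault(uuid, set()).add(m.group("ip"))
    return hosts


# Constructed sample log: line 1 reuses the User-Agent quoted on the page; the
# other UUID and all IP addresses are made up for the example.
SAMPLE_LOG = [
    '2012-04-09T10:01:02Z 10.0.0.12 200 http://example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"',
    '2012-04-09T10:01:05Z 10.0.0.33 200 http://example.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"',
    '2012-04-09T10:02:40Z 10.0.0.12 200 http://example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:0123ABCD-0000-1111-2222-00000000FFFF) Gecko/20100101 Firefox/9.0.1"',
    '2012-04-09T14:30:00Z 10.0.0.77 200 http://example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9d66b9cd-0000-5bcf-0000-000004bd266a) Gecko/20100101 Firefox/9.0.1"',
]

if __name__ == "__main__":
    for uuid, ips in find_infected_hosts(SAMPLE_LOG).items():
        print(f"{uuid} seen from {sorted(ips)}")
```

A real deployment would read the proxy's own log format and feed the UUIDs into the inventory system to locate the physical Macs, since the UUID does not change when the machine moves between networks.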


F-Secure Labs has released a free removal tool -


10 Simple Tips for Boosting The Security Of Your Mac
