Flashfake Mac OS X botnet confirmed

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Flashfake Mac OS X botnet confirmed
Flashfake Mac OS X botnet confirmed.png
Botnet Flashback, Flashfake
Malware Flashback (bot)
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2012 / April 06 2012
Editor/Conference Kaspersky lab
Link http://www.securelist.com/en/blog/208193441/Flashfake Mac OS X botnet confirmed (Archive copy)
Author Igor Soumenkov


Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500, 000 infected Mac machines.

We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.

It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.

The bot locates its C&C servers by domain names, and these names are generated using two algorithms. The first algorithm depends on the current date, and the second algorithm uses several variables that are stored in the Trojan’s body and encrypted with the computer’s hardware UUID using RC4 cipher.

We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.


   editor = {Kaspersky lab},
   author = {Igor Soumenkov},
   title = {Flashfake Mac OS X botnet confirmed},
   date = {06},
   month = Apr,
   year = {2012},
   howpublished = {\url{http://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed}},