
Flashfake Mac OS X botnet confirmed

Igor Soumenkov
Kaspersky Lab Expert
Posted April 06, 16:54 GMT
Tags: Apple MacOS, Botnets, Apple, Flashfake

Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet, Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.

We followed up with an analysis of the latest variant of this bot, Trojan-Downloader.OSX.Flashfake.ab.

It is being distributed via infected websites as a Java applet that pretends to be an update for the Adobe Flash Player. The Java applet then executes the first stage downloader that subsequently downloads and installs the main component of the Trojan. The main component is a Trojan-Downloader that continuously connects to one of its command-and-control (C&C) servers and waits for new components to download and execute.

The bot locates its C&C servers by domain names, and these names are generated using two algorithms. The first algorithm depends on the current date; the second uses several variables that are stored in the Trojan’s body and encrypted with the RC4 cipher, keyed with the computer’s hardware UUID.

We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After registering the domain, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to count the number of active bots. Our logs indicate that a total of 600,000+ unique bots connected to our server in less than 24 hours. They used a total of 620,000+ external IP addresses. More than 50% of the bots connected from the United States.

Geographical distribution of active Flashfake bots

We can neither confirm nor deny that all of the bots that connected to our server were running Mac OS X. The bots can only be identified by a unique variable in their User-Agent HTTP header named “id”; the rest of the User-Agent string is fixed by the Trojan. See the example below:

"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"

We used passive OS fingerprinting techniques to get a rough estimate. More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs.

Approximate distribution of OSes used to connect to our server
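The counting method described above, as an added example that is not part of the original post or of Kaspersky's tooling: the bot's User-Agent is a fixed template in which only the "id:" field (the hardware UUID) varies, so a sinkhole log can be walked, the UUID extracted from each matching request, and distinct bots and the external IPs they used counted. The log lines, IP addresses and the second UUID are constructed for this example; only the first UUID comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole log (Apache combined format). The IPs and the
# second UUID are made up; the last line is an ordinary Safari request.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Apr/2012:10:01:12 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
203.0.113.44 - - [06/Apr/2012:10:01:15 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:1A2B3C4D-0000-5BCF-0000-00000A1B2C3D) Gecko/20100101 Firefox/9.0.1"
198.51.100.7 - - [06/Apr/2012:10:05:30 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
192.0.2.9 - - [06/Apr/2012:10:06:02 +0000] "GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:1A2B3C4D-0000-5BCF-0000-00000A1B2C3D) Gecko/20100101 Firefox/9.0.1"
192.0.2.10 - - [06/Apr/2012:10:07:40 +0000] "GET / HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10"
"""

# One combined-log line: only the client IP and the last quoted field (User-Agent) are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')

# The bot's User-Agent is static apart from the "id:" field, so the static parts are
# matched literally and the hardware UUID (8-4-4-4-12 hex groups) is captured.
FLASHFAKE_UA_RE = re.compile(
    r'^Mozilla/5\.0 \(Windows NT 6\.1; WOW64; rv:9\.0\.1; sv:2; '
    r'id:(?P<uuid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\) '
    r'Gecko/20100101 Firefox/9\.0\.1$'
)


def extract_bot_id(user_agent):
    """Return the hardware UUID if the User-Agent matches the bot template, else None."""
    m = FLASHFAKE_UA_RE.match(user_agent)
    return m.group("uuid") if m else None


def count_bots(log_text):
    """Count distinct bots (by UUID) and the external IPs they connected from."""
    ips_per_bot = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line
        uuid = extract_bot_id(m.group("ua"))
        if uuid is None:
            continue  # browser or other non-bot traffic
        ips_per_bot[uuid].add(m.group("ip"))
    all_ips = set().union(*ips_per_bot.values()) if ips_per_bot else set()
    return {
        "unique_bots": len(ips_per_bot),
        "unique_ips": len(all_ips),
        "bots_seen_from_multiple_ips": sum(1 for s in ips_per_bot.values() if len(s) > 1),
    }
```

Matching the whole static template, rather than just looking for "id:", keeps unrelated clients that happen to carry an "id" token out of the count; the UUID-to-IP sets also show why the post's IP count exceeds its bot count (a bot reconnecting from a different address).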

4 comments


Donna J.Marn

2012 Apr 08, 05:40

Computer Ignorance

RT @INTERPOL_HQ Have a Safe..And Happy Easter.If You haven't been told..Today,How important You all are to the universe..Let me be first..To Tell You.What you do is..Very,very,Important.I depend on your Anti Virus Company..To keep my Computer Safe.I have a
War-Conflict,Name Change.I have a Hard time Just Logging onto the Internet,Everyday.I have a Hard Time,Emailing for help.My computer becomes a Target.Just because of "Who I Am".So..Thank You All.Very Much.Lots Of Love,From Northeast,Ohio(USA)


rkhunter

2012 Apr 07, 13:59

Thank you for the research

Guys, can you attach a couple of MD5s of this Flashfake?
Thx.


Aleks

2012 Apr 07, 01:12

Re: Are there any other OSes vulnerable to this?

Windows is also vulnerable to such Java exploits, but they were patched in November '11 and February '12. Unfortunately, Apple released the patch for OS X only a few days ago.
So, I highly recommend you install the official patch for Java:
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html


StarBaseONE2

2012 Apr 07, 00:29

Are there any other OSes vulnerable to this?

I ask because my Win7 did something I thought peculiar today. Java wanted to update, I gave permission to do it. Then it said the software had already been installed and asked if I wanted to reinstall it...
That is the first time that had happened...
