Fighting the OSX/Flashback Hydra

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) that allows Apple to quickly push malware removal code to their user base. The first target of MRT: remove Flashback.

A lot of researchers and security companies have been interested in OSX/Flashback. Many have published observations and partial results, generating a lot of buzz. ESET has been actively investigating the OSX/Flashback botnet. ESET was one of the first companies to implement a sinkhole to monitor the botnet. We can confirm the magnitude of the infection spread reported by other companies: we have seen more than 491,793 unique IDs coming from over 749,113 unique IP addresses connecting to our sinkhole. We are actively collaborating with the security community, sharing the results of our reverse engineering efforts and sinkhole data.

The OSX/Flashback malware can infect computers by multiple means. In the last couple of months, we have seen it spread as a fake Adobe Flash player (hence the name) and through exploits. The bulk of the infections happened recently when a group of websites started distributing the malware through drive-by download, exploiting the CVE-2012-0507 vulnerability in Java.

The first-stage component of OSX/Flashback is a dropper whose only functionality is to contact the command and control server, download additional components and run them. Some of the variants of the dropper we have seen would also load a library. When installed, the library will load with every application on the system. It hooks the system functions responsible for communication and is in a position to modify web pages and spy on users' internet activity and behaviour. It is still unclear to us whether this spying is used to display unsolicited advertisements in the browser of infected computers or to steal information.

When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates that many UUIDs that connected to the sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers) came from a wide range of IP addresses, indicating that there might be UUID duplicates. Virtual machines or so-called Hack-intosh installations might explain this.

When browsing Hack-intosh forums, we found out that everybody who is running the fourth release candidate of a specific distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D), and users even discuss ways to arbitrarily change it.

Oddly enough, we found this UUID connected to the sinkhole from 20 different IP addresses. This indicates that those who relied on UUIDs to count the number of distinct infected hosts have probably underestimated the botnet size.
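To illustrate the counting problem described above, here is an added Python example (not from the original post and not ESET's sinkhole code) that tallies constructed sinkhole records, reports unique UUIDs versus unique IP addresses, and flags UUIDs seen from more distinct IPs than an assumed max_ips_per_host threshold.

```python
from collections import defaultdict

# Constructed sample sinkhole records (hardware UUID, source IP); not real data.
# The XXXXXXXX-... UUID mimics the shared Hack-intosh UUID from the post.
SAMPLE_RECORDS = [
    ("3F2504E0-4F89-11D3-9A0C-0305E82C3301", "198.51.100.10"),
    ("3F2504E0-4F89-11D3-9A0C-0305E82C3301", "198.51.100.10"),  # repeat beacon, same host
    ("6BA7B810-9DAD-11D1-80B4-00C04FD430C8", "203.0.113.7"),
    ("6BA7B810-9DAD-11D1-80B4-00C04FD430C8", "203.0.113.8"),    # address churn, still one host
    ("XXXXXXXX-C304-556B-A442-960AB835CB5D", "192.0.2.1"),
    ("XXXXXXXX-C304-556B-A442-960AB835CB5D", "192.0.2.2"),
    ("XXXXXXXX-C304-556B-A442-960AB835CB5D", "192.0.2.3"),
    ("XXXXXXXX-C304-556B-A442-960AB835CB5D", "192.0.2.4"),
    ("XXXXXXXX-C304-556B-A442-960AB835CB5D", "192.0.2.5"),
]


def summarize_sinkhole(records, max_ips_per_host=3):
    """Return (unique_uuids, unique_ips, suspect).

    suspect maps each UUID seen from more than max_ips_per_host distinct IPs
    to its IP count. The threshold is an assumption: a genuine host may change
    address a few times (DHCP, roaming), but many IPs behind one UUID suggests
    the UUID is shared by several machines.
    """
    ips_by_uuid = defaultdict(set)
    for uuid, ip in records:
        ips_by_uuid[uuid.upper()].add(ip)
    unique_uuids = len(ips_by_uuid)
    unique_ips = len({ip for _, ip in records})
    suspect = {u: len(ips) for u, ips in ips_by_uuid.items()
               if len(ips) > max_ips_per_host}
    return unique_uuids, unique_ips, suspect


def estimate_hosts(records, max_ips_per_host=3):
    """Lower and upper bound on infected hosts.

    Lower bound: one host per UUID (undercounts when UUIDs are shared).
    Upper bound: every extra IP behind a suspect UUID is treated as a
    separate machine (still below the raw IP count, which overcounts
    hosts that simply changed address).
    """
    unique_uuids, _, suspect = summarize_sinkhole(records, max_ips_per_host)
    upper = unique_uuids + sum(n - 1 for n in suspect.values())
    return unique_uuids, upper


if __name__ == "__main__":
    print(summarize_sinkhole(SAMPLE_RECORDS))
    print(estimate_hosts(SAMPLE_RECORDS))
```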

Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main CC server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt the important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don't also have access to the UUID.

The fallback mechanism that Flashback uses when it is unable to contact the CC servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new CC address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been informed of the new hashtags and is working on remediations to make sure the owner of the botnet can't take back control of his botnet through Twitter.

To protect your Mac OS X computers we highly recommend applying the latest update from Apple. In addition, users can also download a (free) trial version of ESET Cybersecurity for Mac to scan their computer for infection and clean any threat that might be found on the system.

Thanks to Marc-Etienne Léveillé and Alexis Dorais-Joncas for their contribution to this research.

Pierre-Marc Bureau
Security Intelligence Program Manager
