Symantec: Flashback Infections Update

OSX.Flashback is a Trojan horse that gathers information from the compromised computer.

It first appeared in late 2011.

It has come a long way from its humble beginnings as a social-engineering scam trying to pass itself off as a fake Flash update, using digital certificates purporting to come from Apple. Flashback is now leveraging the latest Java vulnerability (BID 52161 - Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability) in order to deliver its payload.

It works by generating dynamic URLs as a way of reporting back to its headquarters. These URLs are known as C&C (command and control) server addresses.

Analysis is ongoing; however, one of the new features of the Trojan is that it can now retrieve updated C&C locations through Twitter posts by searching for specific hashtags generated by the OSX.Flashback.K hashtag algorithm.

Statistics from our sinkhole show the number of infections declining daily. However, we had originally expected a greater decline by this point, and that has not been the case. Currently, the number of infected computers appears to have tapered off, but remains around the 140,000 mark.

Command-and-control (C&C) servers

Further analysis of the domain name generator (DNG) algorithm has revealed that Flashback does not limit itself to using “.com” as the top level domain (TLD).

It chooses from the following five TLDs:
  • .com
  • .in
  • .info
  • .kz
  • .net
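
Because the generator draws on all five TLDs, a defender reviewing DNS logs should not filter on “.com” alone. The following is an added example, not code from the post or from Symantec: it scans constructed DNS query log lines, keeps only names ending in one of the five TLDs above, and flags second-level labels that look machine-generated (long, alphanumeric, high character entropy) for analyst review. The log format, the sample names and the thresholds are assumptions for illustration; the real Flashback algorithm is not reproduced here.

```python
import math
from collections import Counter

# TLDs the Flashback domain generator is reported to choose from (from the post).
FLASHBACK_TLDS = {"com", "in", "info", "kz", "net"}

# Constructed sample DNS query log: "<timestamp> <client-ip> <queried-name>".
# The pseudo-random names below are made up for this example, not real indicators.
SAMPLE_DNS_LOG = """\
2012-04-20T10:01:02 10.0.0.5 www.example.com
2012-04-20T10:01:03 10.0.0.5 kq3xz7vbp1.in
2012-04-20T10:01:04 10.0.0.7 mail.example.net
2012-04-20T10:01:05 10.0.0.5 xj9w0qtr4m.kz
2012-04-20T10:01:06 10.0.0.9 updates.example.org
2012-04-20T10:01:07 10.0.0.5 bz8vqlt2nmx.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; pseudo-random labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_candidate(fqdn: str, tlds=FLASHBACK_TLDS,
                     min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """True if the name uses one of the given TLDs and its second-level
    label looks generated. Thresholds are assumed values; tune per network."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] not in tlds:
        return False            # outside the TLD set the generator uses
    sld = parts[-2]
    if len(sld) < min_len or not sld.isalnum() or not sld.isascii():
        return False            # short or non-alphanumeric labels are skipped
    return shannon_entropy(sld) >= min_entropy


def flag_candidates(log_text: str) -> list:
    """Return (client, name) pairs worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue            # ignore malformed lines
        _ts, client, name = fields
        if is_dga_candidate(name):
            hits.append((client, name))
    return hits
```

The entropy threshold is only a coarse triage filter; the flagged names are meant to be cross-checked against sinkhole data or vendor indicators, not blocked automatically.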

Vulnerability

The recent Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability (CVE-2012-0507, BID 52161) used to distribute the Flashback Trojan has now also been seen to be distributing another Mac threat: OSX.Sabpab.

OSX.Sabpab has also been seen in targeted attacks distributed with malicious Word documents exploiting the Microsoft Word Record Parsing Buffer Overflow Vulnerability (CVE-2009-0565, BID 35190).

Removal tool

For more information about this threat and how to protect your computers from harm, please visit our website at www.symantec.com.

A free detection and removal tool for OSX.Flashback.K, the “Norton Flashback Detection and Removal Tool”, is available for download. For more information, refer to Flashback Cleanup Still Underway—Approximately 140,000 Infections.