Wednesday, May 2, 2012

Latest on Flashback Malware: The Malware’s Purpose, Current Botnet Size & Macs to Get Updates from Oracle

What’s the latest on the Flashback malware story?

The Motivation Behind Flashback Malware

Up until recently, reports only said how many Macs had been infected with Flashback (aka Flashfake), without any word on what the malware actually did after making its way onto Apple machines.

According to Symantec researchers, Flashback was generating revenue for its authors via click fraud using an ad-clicking component that was loaded into Chrome, Firefox & Safari upon infection.

When the user went to conduct a search on Google, the malware would go to work by stealing clicks from paid Google ads:

Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click. (Google never receives the intended ad click.)

The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to the malicious server in the following form:

http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
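As an added, defender-side example (not from the post, Symantec or the malware itself), the following Python snippet scans proxy-log lines for requests shaped like the beacon above: a /search path carrying q, ua, al and cv parameters sent to a host that is not a legitimate search engine. The log format, the search-host allow-list and the sample lines (including the placeholder C2 host) are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Query keys named in Symantec's description of the Flashback beacon:
#   /search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
BEACON_KEYS = {"q", "ua", "al", "cv"}

# Hosts where a /search?q= request is expected (assumption: minimal allow-list).
LEGIT_SEARCH_HOSTS = {"www.google.com", "google.com"}


def is_flashback_beacon(url: str) -> bool:
    """True when a URL has the shape of the Flashback ad-click beacon:
    a /search path with all four beacon parameters, sent to a host that
    is not a known search engine (a hijacked click never reaches Google)."""
    parts = urlsplit(url)
    if parts.path != "/search":
        return False
    host = (parts.hostname or "").lower()
    if host in LEGIT_SEARCH_HOSTS:
        return False
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return BEACON_KEYS <= keys


def scan_proxy_log(lines):
    """Return (client_ip, host, query) for each beacon-shaped request.
    Assumed (constructed) log format: '<client_ip> <method> <url>' per line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client_ip, url = fields[0], fields[2]
        if is_flashback_beacon(url):
            parts = urlsplit(url)
            query = parse_qs(parts.query).get("q", [""])[0]
            hits.append((client_ip, parts.hostname, query))
    return hits


# Constructed sample log; c2-placeholder.example stands in for the real domain.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com/search?q=mac+antivirus
10.0.0.5 GET http://c2-placeholder.example/search?q=mac+antivirus&ua=Mozilla/5.0&al=en&cv=1.0
10.0.0.7 GET http://example.invalid/search?q=shoes&ua=Mozilla&al=en&cv=2
10.0.0.9 GET http://example.invalid/images?id=42
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("possible Flashback ad-click beacon:", hit)
```

Matching only on the four parameter names keeps the rule independent of the C2 domain, which changed over the campaign; the flagged client IPs are the machines to check for infection.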

Symantec researchers discovered that each hijacked click was worth around $0.08 to the attackers, which quickly added up given the number of infected machines.

Symantec estimated that Flashback was capable of easily earning the attackers upwards of $10,000 per DAY. I know Google can’t be happy about that, especially since the infected Macs can continue to make the cybercrooks money even if they’re not communicating with the command & control servers.

There is a bit of good news, though.

The Flashback Botnet is Shrinking!

[Chart: Dr. Web Flashback infection count]

Forbes reports that Dr. Web has provided new data indicating that around 100,000 Macs are dropping from the botnet per week, which is likely the result of users applying the system updates from Apple that remove the malware or installing antivirus software.

On top of that, new Flashback infections are said to have tapered off thanks to those same Apple updates patching the Java security hole that contributed to a large number of the infections.

Despite things moving slowly, Dr. Web’s chief executive, Boris Sharov, estimates that in a month it will all be over.

Oracle Will Provide Java Updates Directly to Mac

Malware aside, Ars Technica says that Oracle will begin deploying Java security updates directly to Mac OS X in addition to Windows, Linux and Solaris, allowing Mac users to get the updates straight from the source rather than waiting for Apple.

Oracle has already issued its first release for OS X users, although it's only for the Java Runtime Environment and not the Java browser plug-in or Web Start application.

And as noted by Ars Technica:

Until the Web plugin is available from Oracle, however, Mac users may still be vulnerable to attacks based on Java exploits. Users who don't update to Oracle's version and still rely on Apple's deprecated version could face a similar security vulnerability. The good news is that Oracle offers automated update tools, so applying patches should be a no-brainer for Lion users and beyond from now on.

Oracle releases 4-6 updates for Java per year and plans on releasing a consumer version of Java SE 7, including the Java Runtime Environment (JRE), for OS X later this year. (Read the related press release.)
