So cool that we can more easily define the hacker "profession" now. But careful kids, looks like annual salary is only about $20,000 with the risk of not being paid and getting sent to jail.

I wonder how much the professionals make.
 
That was yesterday. Does that count as "the next story"? Headline: "'Catastrophic' Avira antivirus update bricks Windows PCs"

http://www.theregister.co.uk/2012/05/16/avira_update_snafu/

This "anti-virus" software thought it had found viruses in essential parts of Windows, that are actually signed by Microsoft. Someone commented "Either the bad guys cracked Microsoft's code signing; in that case we can just give up. Or they didn't, in that case the anti-virus software was wrong. In either case, the anti-virus software shouldn't touch anything that is code-signed by Microsoft".

Well I was looking for an OS X story but thanks for the update. Good to see those AV companies still know how to be worse than the disease.
 
Thanks StrikerShoot, I love a good infographic, but I have a good understanding of the threats malware poses, and likewise the criminal mind behind a hacker. I'm thinking Godfather 3 style, going legit.

I was thinking without all the malicious aspects, voluntary opt-in Adnets where you technically farm all their clicks, think of it as an investment opportunity with micro returns. Micro input, micro returns. Still returns!

It sounds heaps like a scheme/existing web advertising but with the user opted-in, subscription based system.

A lot of malware / phishing scams are run by organized crime in Russia.
 
filevault.jpg

Why use Apple's Security Icon instead of Symantec's Icon:confused:

symc_logo_white.gif



Still remember those old days, got it on My Powerbook but got rid of it quickly.

And I always tell my friends not to use Symantec/Norton on Windows, what a resource hog, and it even finds its own files as viruses, installs lots of stuff everywhere on the disk and is hard to uninstall.

First Kaspersky and now Symantec; it's less severe than they'd like you to believe.
 
Security firm Symantec previously estimated that the authors of the Flashback malware that affected hundreds of thousands of Macs at its peak could have been generating up to $10,000 per day by hijacking users' ad clicks.

I'm still waiting for them to explain how this trojan affected users directly. How did it cost me money, jack up my computer etc.

Hijacking ad hits so that George got the money from Fred's referrals doesn't negatively impact me so why are they making it out like it does. Other than perhaps to hype how much I need their anti-malware software and update subscription to protect my OS. When in fact the issue was never my OS at all but janked up Java and Flash software that I don't have installed anyway.

----------

I'd estimate the OS X install base at ~50M, so 10k/50M is 0.02%. Using common sense, a 0.02% infection rate does not a susceptible OS make, but remember, there's always money in fear.

In my book, malware that comes from 3rd party software, the lack of which means zero chance of infection, does not a susceptible OS make.

Find me something that can get on your Mac without needing a jacked up version of whatever and then we can talk.
 
No way

It would be a cold day in hell before I would ever buy a Symantec product for mac. Their PC editions are resource killing crap. I would put MSE up against them any day.
 
So cool that we can more easily define the hacker "profession" now. But careful kids, looks like annual salary is only about $20,000 with the risk of not being paid and getting sent to jail.

I wonder how much the professionals make.

A lot of malware / phishing scams are run by organized crime in Russia.

About a year ago, the FBI arrested some people from Latvia distributing fake antiviruses over the internet. The FBI seized computers, servers and bank accounts believed to have defrauded people for more than $72 million. http://www.fbi.gov/news/pressrel/pr...ional-cybercrime-rings-distributing-scareware
 
Considering how Flashback infects Macs, seems like a hackers' basic business model to me..

This malware does require password authentication to install the component that modifies ad clicks in Safari, so sources saying that it installs invisibly are fear-mongering.

Some components are installed without authentication but the payload that generates the revenue via the botnet requires password authentication.

Those ads are misleading.
 
Some components are installed without authentication but the payload that generates the revenue via the botnet requires password authentication.

According to Macworld: http://www.macworld.com/article/116...t_the_flashback_trojan.html#lsrc.twt_Macworld

Flashback is the name for a malicious software program discovered in September 2011 that tried to trick users into installing it by masquerading as an installer for Adobe Flash. (Antivirus vendor Intego believes Flashback was created by the same people behind the MacDefender attack that hit last year.) While the original version of Flashback and its initial variants relied on users to install them, this new form is what’s called in the security business a drive-by download: Rather than needing a user to install it, Flashback uses an unpatched Java vulnerability to install itself.

[...]

After initial infection, Flashback pops open a Software Update window to try and obtain your administrative password, but it does so only to embed itself more deeply into your Mac. Even if you aren’t fooled at this point, you are still infected.

Once it succeeds in infecting your Mac, Flashback inserts itself into Safari and (according to F-Secure) appears to harvest information from your Web browsing activities, including usernames and passwords. It then sends this information to command-and-control servers on the Internet.

The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.

It sounds like you're right in that some components of the malware are installed without authentication. I'm not seeing any mention about the payload aspect of the malware. Where did you hear that the payload that generates the revenue via the botnet requires password authentication?
 
It sounds like you're right in that some components of the malware are installed without authentication. I'm not seeing any mention about the payload aspect of the malware. Where did you hear that the payload that generates the revenue via the botnet requires password authentication?

All that info is in another thread in this forum.

Safari requires elevated privileges to modify on disk (at least in Snow Leopard and Lion it does). This malware doesn't include privilege escalation to gain those privileges, so password authentication is required to install the Safari payload.

Also, no methods currently exist to bypass the runtime security mitigations in Mac OS X Lion. So, Lion users had to both accept a self-signed certificate for a Java applet and password authenticate to be infected by this malware. This is why the infection rate for Lion users is so low. About half the Mac user base is now running Lion.

This malware isn't nearly as stealthy as those articles make it seem to be. This is why both the successful infection rate of Safari and the revenue generated are so low.
 
Correcting a previous post

The variants of Flashback that utilized CVE-2012-0507 prior to its being patched could install without user interaction, but with only ad-click hijacking functionality to generate revenue. The CVE-2012-0507 exploit allows the untrusted Java applet to perform functions outside the Java security sandbox without user interaction. It should be noted that the Java sandbox is self-contained and part of the Java implementation; it is not an implementation of the sandboxing used with other client-side apps within OS X.

This Java exploit does not utilize memory corruption but instead leverages a logical error in the Java reference array to achieve code execution. The runtime security mitigations in OS X Lion don't prevent these types of exploits that rely on logical errors. This type of vulnerability is rare but does lead to reliable exploits when found.

Infecting Safari occurs in two ways:

1) Safari is infected when the Info.plist file contained in its app bundle is modified; this requires password authentication. Specifically, the LSEnvironment entry in the Info.plist file is modified. The payloads are loaded into Safari when it is launched.

2) The ~/.MacOSX/environment.plist file is modified so that a filtering payload is loaded into every app, which then loads the ad-click payload into the browser when the browser is launched. This method does not require password authentication. The modification to environment.plist includes adding DYLD launch variables.

It should be noted that the environment variables added to environment.plist don't take effect until the user has logged out and then logged back in. This could be why so many machines reported themselves as infected to the C&C servers despite only 10,000 machines actively having Safari modifying ad clicks to generate revenue. I do not believe that this limitation occurs with installation method #1, which could be why method #1 is the prioritized installation method.

Given that password authentication is not required to install the ad-click hijacking payload, the request for password authentication in method #1 may also have been intended for functions included in subsequent versions of Flashback. For example, logging keystrokes protected by NSSecureTextField (masked text entry such as passwords and banking credentials) would require password authentication given that Flashback didn't include a privilege escalation exploit within OS X.

Luckily, the ability to load DYLD launch variables from environment.plist has now been removed from Mac OS X, and the issue with Java has been patched.

http://support.apple.com/kb/TS4267

Subsequent patches to Java for Mac are going to be produced by Oracle and will be released alongside patches for other operating systems.
 
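The two persistence locations named in the post above (the LSEnvironment dict in Safari's Info.plist, and the per-user ~/.MacOSX/environment.plist) are both plain property lists, so the check a responder would want is a script that parses them and flags any DYLD_* variable, splitting DYLD_INSERT_LIBRARIES on its colon separator. The following is an added example, not code from the thread, Apple, or any of the vendors mentioned. The plist contents are constructed samples embedded inline so the script runs offline; the library paths in them (".example.so", ".hidden1.dylib", ".hidden2.dylib") are placeholders, not real Flashback file names.

```python
"""Flag DYLD_* injection variables in the two plist locations Flashback used for persistence.

Constructed sample plists only; nothing here reads a live system.
"""
import plistlib
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (environment variable, one library path)


def dyld_findings(env: Dict[str, object]) -> List[Finding]:
    """Return (variable, path) for every DYLD_* entry in an environment dict.

    DYLD_INSERT_LIBRARIES may hold several colon-separated paths, so each path
    is reported on its own. Non-string values and non-DYLD keys are ignored.
    """
    found: List[Finding] = []
    for var, value in env.items():
        if not var.startswith("DYLD_") or not isinstance(value, str):
            continue
        for path in value.split(":"):
            if path:
                found.append((var, path))
    return found


def check_info_plist(data: bytes) -> List[Finding]:
    """Method #1 from the post: an app bundle Info.plist whose LSEnvironment dict injects a dylib."""
    plist = plistlib.loads(data)
    env = plist.get("LSEnvironment", {}) if isinstance(plist, dict) else {}
    if not isinstance(env, dict):
        return []
    return dyld_findings(env)


def check_environment_plist(data: bytes) -> List[Finding]:
    """Method #2 from the post: ~/.MacOSX/environment.plist, where every top-level key
    becomes an environment variable for all apps in the login session."""
    plist = plistlib.loads(data)
    if not isinstance(plist, dict):
        return []
    return dyld_findings(plist)


# Constructed sample: a tampered Safari Info.plist (method #1). Placeholder library name.
SAFARI_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.example.so</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: an untouched Info.plist, for the negative case.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict>
</plist>
"""

# Constructed sample: environment.plist (method #2) with two injected libraries
# plus a benign variable that must not be flagged. Placeholder paths.
ENVIRONMENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PATH</key><string>/usr/local/bin:/usr/bin</string>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/demo/.hidden1.dylib:/Users/demo/.hidden2.dylib</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    for label, result in (
        ("Safari Info.plist", check_info_plist(SAFARI_INFO_PLIST)),
        ("clean Info.plist", check_info_plist(CLEAN_INFO_PLIST)),
        ("environment.plist", check_environment_plist(ENVIRONMENT_PLIST)),
    ):
        status = "SUSPECT" if result else "clean"
        print(f"{label}: {status}")
        for var, path in result:
            print(f"  {var} -> {path}")
```

On a real machine the same two keys are what you would read from /Applications/Safari.app/Contents/Info.plist and ~/.MacOSX/environment.plist; since the post notes that method #2 only takes effect after the next login, an empty result from a running Safari process does not rule out a pending environment.plist entry, so check the file rather than the process.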