A Look Back (and Forward) at the Flashback Attack

April 20, 2012 - By Chris Larsen, Patrick Cummins

[I sneaked an occasional peek at my e-mail last week while on vacation, and saw that there was a lot of discussion happening about the "Flashback" attack. Since I could see that the team was already researching, I didn't worry much, and figured I'd catch up on the story when I got back. As it turns out, there was a lot to catch up on.... Special thanks to Patrick, who heads our botnet team, and who did much of the research legwork that I used as a starting point. --C.L.]

 

April has seen the emergence of the first major Mac botnet (commonly labeled as either "Flashback" or "Flashfake"). There is a good historical overview on the ZeroDay blog, which notes that the Flashback bot software has been around since at least September 2011. The ZD blog also contains a link to the post from Dr Web that really caused the media frenzy when it broke the story (on 4/04) -- most of the coverage choosing to play up the "Macs can get malware after all!" angle. And it's hard to fault the media for seeing this as a newsworthy event, since the published estimates placed the number of infected Macs at over 670,000 -- or roughly 1 in 100 Macs worldwide.

(The attack also brought to light some revelations about Apple's relative slowness in responding to vulnerabilities compared to other OS vendors, which they need to address, as the Bad Guys have been ramping up their "Mac attacks" for some time now.)

Another article explained how the bot software was attempting to "phone home" to its command-and-control (C&C) servers, by generating random domain names (an old trick for botnets). This provides a good opportunity to cover some of the domains that we saw in our logs over the last few weeks (the oldest of these began showing up on 3/24, a couple of weeks before the media firestorm broke):

 

cdqwwkndatvt.* (.com, .net, .info, .in, .kz):  4395 URLs

cvsqsmuiaaiyh.* (.com, .net, .info, .in, .kz):  1156 URLs

iqkydbxjfodro.* (.com, .net, .info, .in, .kz):  3319 URLs

rfffnahfiywyd.* (.com, .net, .info, .in, .kz):  1808 URLs

scfoijdccqtmj.* (.com, .net, .info, .in, .kz):  1626 URLs

vyqhdtnsfrie.* (.com, .net, .info, .in, .kz):  3582 URLs

vxvhwcixcxqxd.* (.com, .net, .info, .in, .kz):  5524 URLs

 

This should be seen as a representative list of domains used, not an exhaustive one, but I wanted to highlight that all of these URLs (and many others) were dynamically flagged as either Botnet or Suspicious in real-time by WebPulse: some via the Background Checker, as the Bad Guys chose to re-use a server from an earlier malnet operation, but most courtesy of a module we haven't blogged about before. (Fondly nicknamed "The Weirdo Detector", it uses a statistical-linguistic process to compare new domain names to the millions of domain names in our historical database that goes back over a decade. Since "all the good names have been taken", the Bad Guys who need lots of domain names have to come up with names that, well, don't look much like real domain names. They're "weirdos"...)
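To make the idea of scoring a new name against known names concrete, here is an added example (not WebPulse code, and not a description of how the real module works): a character-pair model trained on a reference list and applied to the seven labels above. The reference list, the held-out labels, the floor probability and the threshold are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed stand-in for a large historical database of ordinary domain labels.
REFERENCE = """google facebook youtube amazon wikipedia twitter linkedin microsoft
apple yahoo weather blogs security network download support online mail news
shopping travel games music photos forum health banking cloud search mobile
video sports school market office""".split()

# Second-level labels of the C&C domains listed in the post.
FLASHBACK = ["cdqwwkndatvt", "cvsqsmuiaaiyh", "iqkydbxjfodro", "rfffnahfiywyd",
             "scfoijdccqtmj", "vyqhdtnsfrie", "vxvhwcixcxqxd"]

# Constructed ordinary-looking labels that are NOT in REFERENCE.
HELD_OUT = ["shopper", "mailer", "traveler", "networking", "weblog"]

FLOOR = 1e-6      # assumed probability for a transition never seen in REFERENCE
THRESHOLD = -6.0  # assumed cut-off on mean log-probability per transition


def transitions(label):
    """Character pairs of the label, with ^ and $ marking start and end."""
    s = "^" + label.lower() + "$"
    return list(zip(s, s[1:]))


def train(labels):
    """Count each character pair and each leading character."""
    pair, first = Counter(), Counter()
    for label in labels:
        for a, b in transitions(label):
            pair[a, b] += 1
            first[a] += 1
    return pair, first


def score(label, model):
    """Mean log P(next char | current char); lower means less name-like."""
    pair, first = model
    steps = transitions(label)
    logp = sum(math.log(pair[a, b] / first[a] if pair[a, b] else FLOOR)
               for a, b in steps)
    return logp / len(steps)


def is_weird(label, model, threshold=THRESHOLD):
    return score(label, model) < threshold


if __name__ == "__main__":
    model = train(REFERENCE)
    for label in FLASHBACK + HELD_OUT:
        print(f"{label:15s} {score(label, model):7.2f} weird={is_weird(label, model)}")
```

With a reference list this small, a legitimate name containing even one unseen letter pair can fall below the threshold, which is why a real deployment needs a very large history of known names.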

[In the interest of full disclosure, I did find some domains where we missed URLs, so we weren't perfect, but overall I'm very happy with our early detection against a new/unknown botnet. For botnets like this, if you catch 80-90% of the initial wave of C&C domains, there are more than enough detections that show up in the reports to identify infected machines. Then the other defenses come on-line...]

 

It was interesting to look at the top traffic to the C&C servers, to get a sense of who the main victims of this attack were. When I pulled out one set of C&C domains, and totaled up the traffic, 45 out of the top 50 licenses belonged to K9 users. (Since these are largely home users, in shall we say "non-security aware environments", and since they have the additional ability to put in their admin password to bypass warning pages, this lends some credence to the argument that a lot of infected Mac users may have been feeling invulnerable to malware...)

 

As with any new botnet, the WebPulse team gathered data about the attack and the botnet, and began researching the specific requests sent by the bot to its C&C servers. Five characteristics unique to Flashback were identified, and specific traffic detectors were deployed. In recent days, the amount of Flashback botnet traffic they see has been trending down:

4/14    11,883
4/15    14,304
4/16    13,635
4/17     8,770
4/18     5,190
4/19     7,192
 

This matches reports that the number of affected Macs has dropped considerably, as AV companies like Kaspersky have released free detection and removal tools for Flashback/Flashfake.

 

Going forward, the three WebPulse modules doing the heavy lifting on this attack should continue to provide excellent overlapping detection of the C&C servers as new ones come on line.

 

--P.C. & C.L.