Old Botnets Never Die, They Just Fade Away...
[Patrick, our botnet guru, was collecting botnet traffic statistics last month for an upcoming report. In reviewing some of the early drafts, I noticed that he said we were still seeing "Flashback" bot traffic, which I thought was interesting. We blogged on Flashback several months ago when it made the news as a significant threat to Macs, and after looking at his data, I thought it was worth posting an update... --C.L.]
Based on WebPulse's traffic analysis modules, here are some interception counts (where WebPulse returned a malware category) for the Mac OS-based Flashback exploit and the corresponding Flashfake botnet. To show a bit of trending, I have presented them in weekly ranges:
- 04/09/2012 - 04/15/2012: 18086
- 04/16/2012 - 04/22/2012: 53475
- 04/23/2012 - 04/29/2012: 67956
- 04/30/2012 - 05/06/2012: 60990
- 05/07/2012 - 05/13/2012: 48484
- 05/14/2012 - 05/20/2012: 60356
- 05/21/2012 - 05/27/2012: 48629
- 05/28/2012 - 06/03/2012: 45668
- 06/04/2012 - 06/10/2012: 40229
- 06/11/2012 - 06/17/2012: 34363
- 06/18/2012 - 06/24/2012: 27526
- 06/25/2012 - 07/02/2012: 33446
In other words, from around the time that a lot of press attention was given to the Mac botnet producing Trojan (1st and 2nd week), and notably in the weeks that followed, we saw an increase in activity. This is in spite of the fact that AV updates were released, more end-users were presumably "made aware" of the threat, etc. We continue to see traffic characteristic of the bot in our logs every day, although it is trending down since May.
The FLASHBACK/FLASHFAKE botnet comes in at number thirteen on our list of Botnets in the first half of 2012. Quite a rise for Mac Malware.
As for the C&C domains, some were still up when I checked, such as fzwiozlzxqs.com (i.e., they responded to pings....) Others appear to have been registered by Apple (in an attempt to study or shut down the botnet), e.g., jikxpjkhhiau.in... (Interestingly enough they did not respond to pings; perhaps Apple never attempted to sinkhole the botnet???) Others were down and/or unregistered (e.g., moasgwmtujpa.net).
So, it appears, at least according to WebPulse, that the botnet is still very much alive.
[Long after AV software vendors have updated their tools to recognize and remove a particular "bot", there will always be some users who never download the update, or who were never running AV software in the first place. Typical bot software will continue to attempt to "phone home" to its controller, long after the controller has shut down the mission and moved on. I like to imagine a lonely little robot, roaming the desolate reaches of some distant planet, faithfully collecting data, pointing its antenna at Earth, and beaming back messages, day after day... --C.L.]