Doctor Web, the Russian anti-virus vendor, on Wednesday published information that 550,000 Macintosh computers had been infected by a spreading Mac botnet. The Trojan, BackDoor.Flashback, infects computers running Mac OS X. Most of the infected machines are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.
Doctor Web's virus analysts discovered a large number of web-sites hosting the infecting code. The recently discovered ones include:
According to some sources, links to more than four million compromised web-pages could be found in Google search results at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.
Attackers began exploiting CVE-2011-3544 and CVE-2008-5353 to spread the malware in February 2012, and after March 16 they switched to another exploit, CVE-2012-0507. All three are Java vulnerabilities, and the patch lag is the point: Oracle had fixed CVE-2012-0507 in February, but Apple, which shipped its own Java build for Mac OS X, did not close it until April 3, 2012.
The exploit saves an executable file onto the hard drive of the infected Mac. That file downloads the malicious payload from a remote server and launches it. Doctor Web found two versions of the Trojan: attackers started using a modified version of BackDoor.Flashback.39 around April 1. As in the older versions, the launched malware first searches the hard drive for the following components:
- /Library/Little Snitch
- /Applications/VirusBarrier X6.app
- /Applications/Packet Peeper.app
All three are tools that would expose the Trojan's behaviour (an outbound firewall, an anti-virus product and a packet sniffer), so finding any of them stops the installation. If none is found, the Trojan uses a special routine to generate a list of control servers, sends an installation-success notification to the intruders' statistics server, and then queries the control-server addresses in turn.
It should be noted that the malware uses a very peculiar routine to generate these addresses, and it can switch between several servers for load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and, only if the signature is valid, downloads and runs the payload on the infected machine. It can fetch and run any executable named in a directive received from the server.
Each bot includes a unique ID of the infected machine in the query string it sends to a control server. Doctor Web's analysts used sinkhole technology to redirect the botnet traffic to their own servers and were thus able to count infected hosts; because directives must carry a valid RSA signature, a sinkhole without the attackers' private key can observe the bots but cannot command them.
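The counting step described above, as an added example that is not Doctor Web's code: a sinkhole access log is de-duplicated by the bot ID carried in the query string rather than by source address, so NAT and DHCP churn do not distort the host count. The log format (`<client ip> <request path>` with an `id=` parameter) is constructed for this example; Flashback's real request format is not given on the page.

```shell
#!/bin/sh
# Added example: count a sinkholed botnet by bot ID, not by source IP.
# The request format is hypothetical; the point is that a stable per-host
# ID survives NAT and address changes, which source IPs do not.

# Constructed sinkhole log lines: "<client ip> <request path>".
# Bot 6F1A-0001 reports from three addresses; 0001 and 0002 share one NAT.
SAMPLE_LOG='10.0.0.5 /stat?id=6F1A-0001&v=39
10.0.0.5 /stat?id=6F1A-0002&v=39
198.51.100.7 /cmd?id=6F1A-0001&v=39
203.0.113.9 /cmd?id=6F1A-0003&v=39
203.0.113.9 /cmd?id=6F1A-0003&v=39
192.0.2.44 /cmd?id=6F1A-0001&v=39'

# Print the number of distinct bot IDs in the log text given as $1.
count_bots() {
    printf '%s\n' "$1" | awk '
        { n = split($2, q, /[?&=]/)            # "/p?id=X&v=Y" -> /p id X v Y
          for (i = 2; i < n; i += 2)
              if (q[i] == "id") seen[q[i+1]] = 1 }
        END { c = 0; for (k in seen) c++; print c }'
}

# Print the number of distinct source addresses, for comparison: this
# over-counts hosts with changing IPs and under-counts hosts behind one NAT.
count_ips() {
    printf '%s\n' "$1" | awk '{ seen[$1] = 1 } END { c = 0; for (k in seen) c++; print c }'
}

echo "infected hosts (by bot ID): $(count_bots "$SAMPLE_LOG"); distinct source IPs: $(count_ips "$SAMPLE_LOG")"
```

Run as-is: the sample yields three hosts by ID but four by address, which is the discrepancy a sinkhole operator has to reason about before publishing a figure.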
F-Secure has published instructions on how to determine whether a Mac is infected with Flashback, together with manual removal instructions.
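A triage script implementing those checks, added here as an example and not F-Secure's or Doctor Web's own code. The `defaults read` checks follow F-Secure's published instructions: Flashback persisted by setting DYLD_INSERT_LIBRARIES either in a browser's Info.plist (LSEnvironment key) or in ~/.MacOSX/environment.plist, so on a clean machine `defaults read` reports that the key "does not exist". The three security-tool paths are the ones listed above. The function names, the root-prefix argument and the sample outputs in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Flashback triage helper (added example, not vendor code).
# The checks are the ones F-Secure described; the parsing functions take
# text so they can be exercised with constructed input on any system.

# True (0) when `defaults read` output shows the key is set. For a missing
# domain or key, defaults(1) prints "... does not exist" instead of a value.
defaults_key_present() {
    ! printf '%s\n' "$1" | grep -q 'does not exist'
}

# True (0) when one of the tools Flashback checks for before installing is
# present. $1 is an optional root prefix so the check can run on a staged tree.
security_tools_present() {
    root="${1:-}"
    for p in "Library/Little Snitch" "Applications/VirusBarrier X6.app" \
             "Applications/Packet Peeper.app"; do
        if [ -e "$root/$p" ]; then return 0; fi
    done
    return 1
}

# Live check; only meaningful on macOS, where defaults(1) exists.
# Returns 0 if clean, 1 if an injection marker was found, 2 if not applicable.
check_live() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not available: not a macOS host"
        return 2
    fi
    rc=0
    for app in Safari Firefox; do
        out=$(defaults read "/Applications/$app.app/Contents/Info" LSEnvironment 2>&1)
        if defaults_key_present "$out"; then
            echo "SUSPICIOUS: $app Info.plist has LSEnvironment set: $out"
            rc=1
        fi
    done
    out=$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>&1)
    if defaults_key_present "$out"; then
        echo "SUSPICIOUS: DYLD_INSERT_LIBRARIES set in ~/.MacOSX/environment.plist: $out"
        rc=1
    fi
    if security_tools_present; then
        echo "Note: a tool Flashback avoids is installed; this variant would have skipped this host"
    fi
    return $rc
}

if [ "$(uname)" = Darwin ]; then check_live; fi
```

A positive LSEnvironment result names the injected dylib; removal means deleting that file and the LSEnvironment key, then checking that the browser no longer loads it, which is what F-Secure's manual removal steps walk through.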
Have a great day!