Kaspersky Lab’s latest analysis of the Mac OS X Flashback botnet reveals that the botnet’s malware was spread via drive-by downloads on hacked WordPress web sites.
From September 2011 until February 2012, the Flashback creators distributed the trojan through compromised WordPress sites that prompted users to download various iterations of a fake Adobe Flash Player update that was, in actuality, the Mac trojan.
The attacks initially relied on social engineering lures, and it wasn’t until February that the Flashback authors began using exploits to grow the botnet. They exploited known Java vulnerabilities, at least two of which date back as far as June 2009. More importantly, though, Flashback’s creators took advantage of the window of exposure between Oracle’s and Apple’s patch schedules.
According to Kaspersky’s Alex Gostev, Apple creates its own patches to fix Java vulnerabilities instead of using Oracle’s. So, the bugs had already been patched by Oracle, but Apple had not yet deployed its own patches. Gostev notes that on average, historically speaking, there is a two-month delay between Oracle’s fixes, which come first, and Apple’s.
In March 2012, Flashback’s authors started making use of a Russian partner program that somehow injected redirect scripts into legitimate websites. Gostev writes that tens of thousands of WordPress sites were infected in late February and early March and notes that other estimates have the number as high as 100,000 infected sites. It’s unclear how the sites became infected, but Gostev believes bloggers were either using vulnerable versions of WordPress or had installed the ToolsPack plugin.
Read a more detailed analysis at Securelist.