New Flashback Variant Using Twitter as Backup C&C Channel

The latest version of the Flashback malware that’s infecting Macs has a new command-and-control infrastructure that uses Twitter as a fallback mechanism in case the normal C&C system isn’t available. This is not the first time a botnet has used Twitter for some form of command and control, but it’s a good example of the ways in which attackers are always adapting to defenders’ actions and changing their tactics.

The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is used as a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users’ Web search traffic and push it to servers that they control. The second tier of servers is used to send commands to the infected machines to perform specific actions on the Macs.

Analysts at Dr. Web, a Russian security firm, found that when infected Macs connect to the second type of C&C server, if they don’t receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string.

“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=<string>. For example, some Trojan versions generate a string of the “rgdgkpshxeoa” format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name. Doctor Web began to take over domains of this category on April 13, but on the following day, Saturday, April 14, the Twitter account registered by Doctor Web analysts for this purpose was blocked,” the company said in its analysis of the new version.
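The fallback described above gives defenders two things to look for: the tagged message the bot expects to find, and the search request it makes to find it. The Python below is an added example written for this article, not Dr. Web’s analysis code or anything from the malware itself. It parses the bumpbegin/endbump tags out of tweet text (accepting only a syntactically valid hostname, since the write-up says the value is used as a domain name), and flags proxy log requests to mobile.twitter.com/searches whose q parameter looks like the generated hashtag. The date-to-string algorithm is not public, so the 12-lowercase-letter check is an assumption based on the single published sample, and the proxy log format and all sample data are constructed for the example.

```python
"""Helpers for the Flashback Twitter-fallback behaviour described above.

Constructed example, not Dr. Web's analysis code or the malware's own.
Assumptions:
  - tweet text is plain text (any HTML already stripped);
  - the 12-lowercase-letter hashtag length is taken from the one published
    sample ("rgdgkpshxeoa") and treated as a heuristic, not a confirmed rule;
  - the proxy log format used below is invented for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Tags the bot searches for in a tweet, per the Dr. Web write-up.
_TAGGED_HOST = re.compile(r"bumpbegin\s*(.*?)\s*endbump", re.DOTALL)

# RFC 1123-style hostname with at least one dot and an alphabetic TLD.
# Bare IP addresses are rejected: the write-up says the value is used as a
# domain name.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# ASSUMPTION: 12 lowercase letters, generalised from the single known sample.
_SEARCH_TOKEN = re.compile(r"^[a-z]{12}$")

# Constructed proxy log, format (assumed): "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOG = [
    "2012-04-13T10:02:11Z 10.0.0.15 GET http://mobile.twitter.com/searches?q=rgdgkpshxeoa",
    "2012-04-13T10:02:12Z 10.0.0.22 GET http://mobile.twitter.com/searches?q=flashback",
    "2012-04-13T10:02:13Z 10.0.0.31 GET http://www.example.com/index.html",
    "malformed line",
]


def extract_c2_hosts(tweet_text: str) -> list[str]:
    """Return hostnames enclosed in bumpbegin/endbump tags, lower-cased.

    An unterminated tag, an empty body, or junk between the tags yields
    nothing for that match; several tagged hosts in one tweet are all returned.
    """
    hosts = []
    for raw in _TAGGED_HOST.findall(tweet_text):
        candidate = raw.strip().lower()
        if _HOSTNAME.match(candidate):
            hosts.append(candidate)
    return hosts


def is_suspicious_twitter_search(url: str) -> bool:
    """True if url is a mobile.twitter.com search whose q looks like the bot's hashtag."""
    parts = urlsplit(url)
    if parts.hostname != "mobile.twitter.com" or parts.path != "/searches":
        return False
    # parse_qs drops empty values, so "?q=" gives no candidate at all.
    q = parse_qs(parts.query).get("q", [])
    return len(q) == 1 and bool(_SEARCH_TOKEN.match(q[0]))


def flag_proxy_log(lines) -> list[tuple[str, str]]:
    """Return (client_ip, url) pairs for log lines that match the fallback search.

    Lines that do not have exactly four fields are skipped rather than raising,
    so a single malformed entry does not abort the scan.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        _timestamp, client, _method, url = fields
        if is_suspicious_twitter_search(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    # Constructed tweet text in the shape the bot looks for.
    tweet = "nothing to see here #rgdgkpshxeoa bumpbegin c2.example.net endbump"
    print("tagged hosts:", extract_c2_hosts(tweet))
    print("flagged requests:", flag_proxy_log(SAMPLE_LOG))
```

Both checks are deliberately narrow: the hostname regex keeps a sinkholing or takedown team from acting on garbage between the tags, and the search heuristic will miss bot versions that generate a different string format, which the write-up says exist. Treat a hit as a lead to confirm against the host, not as proof of infection.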

Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond of late.

Flashback is by no means the first piece of Mac malware, or even the most inventive. But it’s turned out to be the most successful of them, having infected several hundred thousand machines over the course of the last six months or so. There are a number of different versions of Flashback circulating but the one that’s caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is being used in drive-by download attacks, which is a classic attack method for Windows vulnerabilities but hasn’t been seen quite as much in the Mac world.