The Flashback malware that's infected hundreds of thousands of Macs may be generating more than $10,000 a day for the hackers who made the Trojan horse, Symantec said.
The Flashback malware that's infected hundreds of thousands of Macs may be generating more than $10,000 a day for the hackers who made the Trojan horse, Symantec said Monday.
The malware steals clicks from ads that Google's search engine displays alongside search results.
In a blog entry posted today, Symantec published an analysis of Flashback's money-making capabilities, and concluded -- as others had earlier -- that the gang was turning a profit through click fraud.
Flashback.K surfaced in March and by early April had infected more than 600,000 Macs.
"Click fraud" describes campaigns where large numbers of people are silently redirected to online ads not normally served by the site the user is viewing. The criminals receive kickbacks from the sometimes-legitimate, sometimes-shady intermediaries for each ad clicked.
The clicks are "ghost clicks" in that they are not triggered by a human, but instead by the botnet.
That's exactly what Flashback.K does, said Symantec. After worming its way onto a Mac via an exploit of a since-patched Java vulnerability, Flashback.K loads an ad-clicking component into Apple's Safari, Google's Chrome and Mozilla's Firefox browsers.
"Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click," said Symantec. "Google never receives the intended ad click."
In one code snippet shown by Symantec, a hijacked ad based on the user searching for "toys" would generate $0.008 per click, meaning that 1,000 clicks would earn the hackers $8, 10,000 clicks $80, and so on.
The Flashback gang is still earning this fraudulent revenue, even though much of the botnet has been "sinkholed" by Symantec and other antivirus companies, said Vikram Thakur, principal security response manager at Symantec. By registering as many potential command-and-control (C&C) domains used by the malware to receive instructions, security researchers prevent orders from reaching the infected Macs. The commands fall down a metaphoric "sinkhole" instead.
But in an interview today, Thakur confirmed that Flashback-infected Macs, even those that have been sinkholed by security firms, continue to produce revenue for the hackers.
"They're still making money," said Thakur, explaining that the ad-clicking component communicates to different C&C servers whose IP addresses are hard-coded into the malware. Those servers have not been sinkholed. "In fact, they're making a lot of money.
How much wasn't clear. Symantec hasn't been able to uncover the botnet revenue, but instead compared its size and money-making abilities to the 2011 "W32.Xpaj.B" botnet, a collection of 25,000 compromised Windows PCs that returned up to $450 per day to its handlers.
If Flashback's profit-making is as efficient, and with its size hovering around 600,000 Macs, by that example it could generate up to $10,800 per day, or $75,600 per week or $3.9 million over the course of a year. All tax free.
"That's a lot of money," Thakur said.
So as not to arouse suspicion, the Flashback ad-clicking component looks at a "whitelist" of websites that it will refuse to redirect. That whitelist includes major destinations -- on the level of Amazon and PayPal -- said Thakur. "That keeps things on a lower profile on the client side," Thakur said, referring to the infected Mac.
In any case, most users won't even notice that they've been shunted to a different ad than the one they clicked, Thakur maintained. And if they do, they probably don't care.
"From the [user's] perspective, very little has changed, even though they're shown a different ad," said Thakur. "It's the search providers and those paying for ads who are out the money."
Click fraud relies on the fact that the user is not the victim; instead its the search provider -- Google, for instance -- and the businesses paying for each time someone clicks on an ad.
"Suddenly they're being billed a lot more than they expected," said Thakur of the latter. "They may have expected to pay for 100 clicks per day, and then sell their product to one of that 100. But suddenly, they're being billed for 1,000 'ghost clicks,' and no one is buying anything."
Symantec has notified Google of the scam that Flashback is running, but frankly, there's not a lot the search giant can do. "Everything is happening on the client side," said Thakur, talking about the ad-click redirection.
Mac owners running either OS X 10.7 or 10.6 -- Lion and Snow Leopard, respectively -- can protect themselves from Flashback attacks by updating Java using their machines' Software Update tool.
Because Apple has stopped shipping security updates for older editions -- OS X 10.5, or Leopard, and its predecessors -- those users must disable Java in their browsers.
About 18% of Mac owners ran Leopard or earlier on their systems last month, according to the most recent statistics from Internet metrics company Net Applications. However, Snow Leopard has been the most-infected OS X edition, accounting for 63.4% of all Macs in the botnet.
In its analysis of Flashback's monetization strategy, Symantec also took a swipe at Apple for helping the hackers.
"Unfortunately for Mac users, there was a large window of exposure since Apple's patch for this vulnerability was not available for [seven] weeks," said Symantec. "This window of opportunity helped the Flashback Trojan to infect Macs on a large scale ... [and] the Flashback authors took advantage of the gap between Oracle and Apple's patches."
Oracle patched the Java bug on Feb. 14 for Windows and Linux users, but Apple, which still maintains Java for OS X, didn't issue its update until April 3.
Later this year, Oracle will release Java 7 for OS X; Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Copyright 2009 IDG Magazines Norge AS. All rights reserved
Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000
Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen