Leverages Twitter to search for controllers and communicate with servers

Apr 30, 2012 06:36 GMT  ·  By

The Russian security firm that first reported the Flashback botnet spanning 650,000 Macs continues to analyze the Trojan's behavior, noting that “Files downloaded by the Trojan horse from servers controlled by criminals have become one of the main subjects for analysis.”

“Doctor Web virus analysts continue to study the first-ever large-scale botnet created by means of BackDoor.Flashback and comprised of computers running Mac OS X,” says the firm.

The malicious code downloaded by the Trojan searches for two types of control servers. The first type intercepts web search traffic and redirects the user to malicious sites controlled by cyber-criminals.

The second type sends commands to the bots, instructing them to perform backdoor tasks on the newly infected system.

“Doctor Web analysts managed to take over control server domain names known to BackDoor.Flashback payload malware and analysed requests sent by bots to servers,” reads the company’s latest report.

They’ve found two new and noteworthy aspects regarding the first-ever large-scale botnet created by means of BackDoor.Flashback.

One is that most of the infected computers were running Mac OS X Snow Leopard, the last shipping version of OS X pre-installed with Java. As avid Softpedia readers should already know, the Flashback Trojan relies on a Java vulnerability to compromise systems.

The second finding is that the Trojan falls back to Twitter to locate its servers if the control server does not return a correct reply.

In Dr. Web’s own words, “…the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=<string>.” An example is then provided:

“For example, some Trojan versions generate a string of the ‘rgdgkpshxeoa’ format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name.”
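As an added illustration (not code from the article or from Dr. Web's report), the following Python shows how a defender could use the two details the report gives: pulling an address enclosed in bumpbegin/endbump tags out of captured tweets, and flagging proxy requests for the mobile.twitter.com search URL. The tweet texts and proxy log lines are constructed; the bare-word tag syntax and the 12-lowercase-letter query length are assumptions generalized from the report's single example.

```python
import re

# Constructed sample tweets. The first and third mimic the format the report
# describes (a control-server address between bumpbegin and endbump); the
# second is noise. Domains are placeholders, not real indicators.
SAMPLE_TWEETS = [
    "hello world #rgdgkpshxeoa bumpbegin example-c2.invalid endbump",
    "just another tweet about coffee",
    "#rgdgkpshxeoa bumpbegin sinkhole.example.net endbump "
    "bumpbegin second.example.org endbump",
]

# Constructed proxy log lines: unix time, client IP, method, URL.
SAMPLE_PROXY_LOG = [
    "1334318400 10.0.0.5 GET http://mobile.twitter.com/searches?q=rgdgkpshxeoa",
    "1334318401 10.0.0.6 GET http://mobile.twitter.com/searches?q=macbook",
    "1334318402 10.0.0.7 GET http://example.com/index.html",
]

# Assumption: tags appear as bare words around a hostname-like token.
TAG_RE = re.compile(r"bumpbegin\s*([A-Za-z0-9.-]+)\s*endbump")

# Assumption: the date-derived hash tag is 12 lowercase letters, as in the
# one example the report gives (rgdgkpshxeoa); other variants may differ.
SEARCH_RE = re.compile(
    r"https?://mobile\.twitter\.com/searches\?q=([a-z]{12})(?:$|[&\s])"
)


def extract_c2_domains(tweets):
    """Return every address found between bumpbegin/endbump tags, in order."""
    found = []
    for text in tweets:
        found.extend(TAG_RE.findall(text))
    return found


def flag_search_requests(log_lines):
    """Return (client, query) for proxy requests matching the Trojan's
    Twitter search pattern; everything else is ignored."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        match = SEARCH_RE.search(parts[3])
        if match:
            hits.append((parts[1], match.group(1)))
    return hits
```

Matching only the 12-letter form keeps ordinary Twitter searches (like "macbook" above) out of the alert queue; the extracted domains are what a sinkhole operator would register or block.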

Doctor Web says it began taking over domains of this category on April 13th. The Twitter account its analysts registered for this purpose was blocked the next day.