Flashback’s latest version hitting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in case the normal C&C system isn’t available.
While this is not the first time a botnet has used Twitter for command and control, it is one more way attackers attempt to stay one step ahead of their potential victims. It is also a reminder that users need to remain vigilant: today’s defense may not apply tomorrow.
The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users’ Web search traffic and push it to servers they control. The second tier of servers sends commands to the infected machines to perform specific actions on the Macs.
When infected Macs connect to the second type of C&C server, if they don’t receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string, according to analysts at Dr. Web, a Russian security firm that has been following the Flashback case closely.
“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=
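The fallback pattern described above, a failed C&C exchange followed by a Twitter search for a hashtag, is something a defender can look for in proxy logs. The following is an added example, not code from the article or from Dr. Web; the log lines, the C&C host name `cnc.example.invalid` and the 30-second window are constructed assumptions, and the hashtag-generation algorithm itself is not reproduced because the article does not give it.

```python
"""Flag clients that contact a suspected C&C host and then, shortly after,
query mobile.twitter.com/searches?q= for a hashtag term."""
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (not real traffic): ts client host path
SAMPLE_LOG = """\
2012-04-20T10:00:01 10.0.0.5 cnc.example.invalid /
2012-04-20T10:00:03 10.0.0.5 mobile.twitter.com /searches?q=%23abc123def
2012-04-20T10:05:00 10.0.0.7 mobile.twitter.com /searches?q=macbook
2012-04-20T11:00:00 10.0.0.9 mobile.twitter.com /searches?q=%23osx
"""

# Placeholder host; a real deployment would take this from threat intelligence.
SUSPECT_CNC_HOSTS = {"cnc.example.invalid"}
WINDOW = timedelta(seconds=30)  # assumed gap between C&C attempt and fallback


def parse(line):
    """Split one constructed log line into (timestamp, client, host, path)."""
    ts, client, host, path = line.split()
    return datetime.fromisoformat(ts), client, host, path


def twitter_hashtag_search(host, path):
    """Return the hashtag if this is a mobile.twitter.com search for a #term, else None."""
    if host != "mobile.twitter.com":
        return None
    url = urlparse(path)
    if url.path != "/searches":
        return None
    q = parse_qs(url.query).get("q", [""])[0]  # parse_qs decodes %23 to '#'
    return q if q.startswith("#") else None


def find_fallback_clients(log_text):
    """Return (client, hashtag) pairs matching the C&C-then-Twitter sequence."""
    last_cnc = {}
    hits = []
    for line in log_text.splitlines():
        ts, client, host, path = parse(line)
        if host in SUSPECT_CNC_HOSTS:
            last_cnc[client] = ts
            continue
        tag = twitter_hashtag_search(host, path)
        if tag and client in last_cnc and ts - last_cnc[client] <= WINDOW:
            hits.append((client, tag))
    return hits
```

Ordinary hashtag searches from clients that never touched a suspect host (10.0.0.9 above) are not flagged, which keeps the rule from firing on normal Twitter use.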
Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond.
Flashback is by no means the first piece of Mac malware, or even the most inventive, but it is the most successful. The malware infected several hundred thousand machines over the course of the last six months.
There are a number of different versions of Flashback circulating, but the one that’s caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is going out in drive-by download attacks, a classic attack method against Windows vulnerabilities that has not been a big vector in the Mac world.