In April 2012, Kaspersky Lab’s experts released “The Anatomy of Flashfake, Part 1”, which was a detailed analysis of the Mac OS X malware’s infection and distribution mechanisms. The analysis shared technical details about how Flashfake (also known as Flashback) infected more than 748,000 Mac OS X computers by the end of April. The malware was being used to conduct click-fraud scams, which was done by hijacking the search results of victims’ computers.
Today Kaspersky Lab’s experts released “The Anatomy of Flashfake Part 2”, which examines the malware’s additional functions and provides an in-depth analysis of the technical methods that the Flashfake cyber criminals are using to generate money through click-fraud scams.
Method of Operation
The Flashfake malicious program is made up of multiple modules that inject malicious code into the infected victim’s browser. Once injected, that code connects the infected computer to one of the active Command & Control (C&C) servers on Flashfake’s list. When the victim then uses Google’s search engine to browse websites, the legitimate advertisements and links on those websites are substituted with fraudulent ones by the Flashback C&C servers. Every time a victim clicks one of the substituted links or ads, the cyber criminals earn money for a click the advertiser never legitimately received; those redirected clicks are the click-fraud.
In March 2012, the Flashfake group created a new version of the dynamic library with more functions. Notably, this included a new method of locating Flashfake C&C servers via Twitter and, most recently, a Firefox browser add-on. The malicious Firefox add-on is disguised as an Adobe Flash Player add-on and performs the same functions: communicating with the C&Cs and executing the click-fraud scam.
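One defensive check the add-on passage suggests is to inventory a Firefox profile’s installed extensions and flag any whose declared name claims to be Adobe Flash Player, since Flash Player was shipped as an NPAPI plugin and never as an extension living in the profile’s extensions directory. The script below is an added example written for this article, not Kaspersky Lab’s code and not taken from the Flashfake analysis: it parses the install.rdf manifests that Firefox extensions of that era carried, reports lookalike names, and builds its own constructed sample profile so it runs offline. The name pattern is an assumption; the report does not disclose the exact string the malicious add-on used.

```python
"""Heuristic scan of a Firefox profile for extensions posing as Adobe Flash Player.

Added example (not from the Flashfake report). Assumptions: extensions are
unpacked directories under <profile>/extensions/ with an install.rdf manifest
(the 2012-era layout), and the lookalike name matches SUSPICIOUS_NAME.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"                   # install.rdf em: namespace
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"          # RDF default namespace

# Assumed pattern: Flash Player is a plugin, so an *extension* with this name is a lookalike.
SUSPICIOUS_NAME = re.compile(r"adobe\s*flash\s*player", re.IGNORECASE)


def _em_field(desc, field):
    """install.rdf allows <em:name>x</em:name> children or em:name="x" attributes."""
    child = desc.find(EM + field)
    if child is not None and child.text:
        return child.text.strip()
    return desc.get(EM + field)


def parse_install_rdf(path):
    """Return {'id', 'name'} declared in an install.rdf, or None if missing/unparseable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    desc = root.find(RDF + "Description")
    if desc is None:
        return None
    return {"id": _em_field(desc, "id"), "name": _em_field(desc, "name")}


def scan_extensions(profile_dir):
    """List extensions in profile_dir whose declared name mimics Adobe Flash Player."""
    findings = []
    ext_root = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_root):
        return findings
    for entry in sorted(os.listdir(ext_root)):
        info = parse_install_rdf(os.path.join(ext_root, entry, "install.rdf"))
        if info and info["name"] and SUSPICIOUS_NAME.search(info["name"]):
            findings.append({"dir": entry, **info})
    return findings


# Constructed manifest template used only to build the sample profile below.
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{ext_id}</em:id>
    <em:name>{name}</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>
"""


def build_sample_profile():
    """Create a temporary profile with one benign and one lookalike extension (constructed data)."""
    profile = tempfile.mkdtemp(prefix="ff-profile-")
    samples = {
        "benign@example.test": "Example Tab Manager",      # constructed, harmless
        "lookalike@example.test": "Adobe Flash Player",    # constructed lookalike name
    }
    for ext_id, name in samples.items():
        ext_dir = os.path.join(profile, "extensions", ext_id)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w", encoding="utf-8") as fh:
            fh.write(INSTALL_RDF.format(ext_id=ext_id, name=name))
    return profile


if __name__ == "__main__":
    sample = build_sample_profile()
    for hit in scan_extensions(sample):
        print(f"suspicious add-on in {hit['dir']}: id={hit['id']} name={hit['name']!r}")
```

Point `scan_extensions` at a real profile directory instead of the constructed one to use it as a triage check; a hit is a reason to inspect the extension’s files, not proof of infection on its own, since the heuristic keys only on the declared name.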
“Flashfake is currently the most widespread malicious program for Mac OS X, and this incident shows that Mac OS X is now a definitive target for cyber criminals moving forward,” said Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab. “Not only did cyber criminals evolve their attack methods to incorporate zero-day vulnerabilities, but they also created a program that is resilient. Flashback checks for anti-virus solutions, has integrated self-protection measures, and uses encryption to communicate with the C&Cs. The additional functionality for Twitter and Firefox also demonstrates their willingness to invest time and effort into improving the scale and efficiency of the malware.”
Although Flashfake had infected more than 748,000 Mac OS X computers by the end of April, the botnet’s size has significantly decreased. In May the number of active bots was estimated at 112,528.
The full version of “The Anatomy of Flashfake Part 2,” by Sergey Golovanov, is available on Securelist.