The latest version of the Flashback malware that's infecting Macs has a new command-and-control infrastructure that uses Twitter as a fallback mechanism in case the normal C&C system isn't available. This is not the first time a botnet has used Twitter for some form of command and control, but it's a good example of the ways in which attackers are always adapting to defenders' actions and changing their tactics.
The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is used as a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users' Web search traffic and push it to servers that they control. The second tier of servers is used to send commands to the infected machines to perform specific actions on the Macs.
Analysts at Dr. Web, a Russian security firm, found that when infected Macs connect to the second type of C&C server, if they don't receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string.
"If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=<string>. For example, some Trojan versions generate a string of the "rgdgkpshxeoa" format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name. Doctor Web began to take over domains of this category on April 13, but on the following day, Saturday, April 14, the Twitter account registered by Doctor Web analysts for this purpose was blocked," the company said in its analysis of the new version.
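The fallback described above gives defenders two concrete things to look for: outbound requests to the quoted Twitter search URL with a date-derived query, and tweets carrying a hostname between the bumpbegin/endbump tags. The following is an added example (not code from the article or from Dr. Web) that extracts tagged hostnames from tweet text and flags matching requests in a constructed proxy log; the log format and the length range assumed for the search string are assumptions, since the real generator is version-dependent and not given here.

```python
import re
from typing import Iterator, List, Tuple
from urllib.parse import parse_qs, urlparse

# Tag pair named in the Dr. Web analysis; the enclosed text is used as a C&C domain.
TAG_RE = re.compile(r"bumpbegin(.*?)endbump", re.DOTALL)
# Hostname sanity check so arbitrary tag contents are not accepted as a domain.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")
# Assumption: the search token looks like the article's example (lowercase letters,
# roughly 10-16 characters). Tune this for other bot versions.
SEARCH_TOKEN_RE = re.compile(r"^[a-z]{10,16}$")


def extract_cc_domains(tweet_text: str) -> List[str]:
    """Return every well-formed hostname enclosed in bumpbegin/endbump tags."""
    found = []
    for raw in TAG_RE.findall(tweet_text):
        candidate = raw.strip().lower()
        if HOST_RE.match(candidate):
            found.append(candidate)
    return found


def is_fallback_search(url: str) -> bool:
    """True if a URL matches the Twitter search pattern quoted in the article."""
    p = urlparse(url)
    if p.hostname != "mobile.twitter.com" or p.path != "/searches":
        return False
    q = parse_qs(p.query).get("q", [])
    return len(q) == 1 and bool(SEARCH_TOKEN_RE.match(q[0]))


def flag_proxy_log(lines: List[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, url) for lines whose URL matches the fallback pattern.
    Constructed log format: '<ip> <method> <url>', one request per line."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and is_fallback_search(parts[2]):
            yield parts[0], parts[2]


# Constructed sample data; not real Flashback messages or traffic.
SAMPLE_TWEETS = [
    "weather today bumpbegin cc-example.invalid endbump nice",
    "nothing to see here",
    "bumpbegin not a domain!! endbump",
]
SAMPLE_LOG = [
    "10.0.0.5 GET http://mobile.twitter.com/searches?q=rgdgkpshxeoa",
    "10.0.0.7 GET http://mobile.twitter.com/searches?q=mac%20security",
    "10.0.0.9 GET http://example.com/",
]
```

Run `list(flag_proxy_log(SAMPLE_LOG))` to see only the first client flagged; the ordinary search on the second line is ignored.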
Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond of late.
Flashback is by no means the first piece of Mac malware, or even the most inventive. But it's turned out to be the most successful of them, having infected several hundred thousand machines over the course of the last six months or so. There are a number of different versions of Flashback circulating, but the one that's caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is being used in drive-by download attacks, which is a classic attack method for Windows vulnerabilities but hasn't been seen quite as much in the Mac world.
Courtesy of Dennis