Flashback Cleanup Still Underway—Approximately 140,000 Infections

Today’s blog is a quick follow-up to the OSX.Flashback.K issue. The statistics from our sinkhole show declining numbers on a daily basis. However, we had originally believed that we would have seen a greater decline in infections by this point in time, but this has proven not to be the case. Currently, the number of infected computers appears to have tapered off, but remains around the 140,000 mark.

As tools have been released by Symantec and other vendors in the past few days to address this threat, the infection numbers should have seen a dramatic decrease by now. If you suspect that your Mac has been infected with OSX.Flashback.K, we recommend that you install the latest patches, ensure that your antivirus is up to date with the latest signatures, and use the free Norton Flashback Detection and Removal Tool.

Sinkhole

Please note, the sinkhole domain was unavailable on April 12th.

Command-and-control (C&C) servers

Further analysis of the domain name generator (DNG) algorithm has revealed that Flashback does not limit itself to “.com” as the top-level domain (TLD).

It chooses from the following five TLDs:

  • .com
  • .in
  • .info
  • .kz
  • .net

The graphic below lists the upcoming C&C servers that are to be contacted by OSX.Flashback.K over the coming week.

Vulnerability

The recent Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability (CVE-2012-0507), used to distribute the Flashback Trojan, is now also being used to distribute another Mac threat: OSX.Sabpab.

OSX.Sabpab has also been seen in targeted attacks, delivered via malicious Word documents exploiting the Microsoft Word Record Parsing Buffer Overflow Vulnerability (CVE-2009-0565).

Again, it is paramount that you have the latest antivirus signatures installed and have applied the latest available patches for both the operating system and third-party applications.

Payload C&C server

The Flashback payload is considerably larger than the initial-stage downloader component. Analysis is ongoing; however, one new feature of the Trojan is that it can now retrieve updated C&C locations from Twitter posts by searching for specific hashtags generated by the OSX.Flashback.K hashtag algorithm.

Removal tool

Please visit our website at www.symantec.com for more information about this threat and how to protect your computers from harm. A free detection and removal tool for the OSX.Flashback.K issue, the “Norton Flashback Detection and Removal Tool”, is available for download.

Update [April 20, 2012]

A recent Dr. Web blog post reveals that our sinkholes are receiving limited infection counts for OSX.Flashback.K.

Our current statistics for the last 24 hours indicate 185,000 universally unique identifiers (UUIDs) have been logged by our sinkhole.

A sinkhole registered at IP address 74.207.249.7 is causing Flashback connections to hang because it never closes the TCP handshake, which in effect prevents Flashback from contacting subsequent domains.