OSX.Flashback.K – Suffering a Slashback – Infections Down to 270,000


OSX.Flashback initially arrived on the scene in late 2011. It has come a long way from its humble beginnings as a social-engineering scam that tried to pass itself off as a Flash update using digital certificates purporting to come from Apple. Flashback is now leveraging the latest Java vulnerability (BID 52161 - Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability) in order to deliver its payload. This latest attack wave is testament to how criminal elements can take advantage of unpatched vulnerabilities in order to install their wares on a large scale.

Malware authors have targeted the Mac OS for quite some time; however, the recent OSX.Flashback.K infections indicate a very significant shift in the current threat landscape, which is dominated by malware on the Windows operating system. What sets this threat apart from typical Mac Trojans is the sheer number of Mac computers that have been infected. Initial estimates from Dr. Web put OSX.Flashback.K infections in the region of 550,000.

This figure has decreased significantly since then. From our sinkhole data, we estimate that the number of computers infected with this threat in the last 24 hours is in the region of 270,000, down from 380,000. We will keep a close eye on the number of infections over the coming weeks. The current distribution of Flashback as of today is shown in the following heat map, where North America, Australia, and the UK have the highest concentrations of the Trojan.

The figure below illustrates the top 10 countries affected by Flashback and each country's share of total Flashback infections.


OSX.Flashback.K uses a domain name generator (DNG) algorithm that allows it to generate a new domain each day in order to contact the command-and-control (C&C) server. The domains for the next few days can be seen below. These domains are currently sinkholed by Symantec Security Response, which lets us gather more statistical data on the size of the infection over the course of the week and, in effect, prevents Flashback from contacting the C&C server to receive further instructions.

We have also identified a number of distinct IP addresses that are used in the OSX.Flashback.K variant.

The “.com” domains were registered on March 26th and April 4th. These dates fall in line with the preparation for the recent Flashback attack. These IP addresses hosted the exploit itself (CVE-2012-0507) in order to install OSX.Flashback.K, serve up additional payloads, and record statistical data sent to the server from the Flashback Trojan. The IP addresses are no longer serving malicious content related to OSX.Flashback.K; however, we are monitoring the situation closely should the Flashback gang decide to redistribute their operations.

Last week, Apple released a patch that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. Older systems (v10.5 and below) remain vulnerable, and the official recommendation from Apple is to disable Java to prevent infection. If your OS is vulnerable to the attack, we recommend installing the update if this has not been done already, or downloading it manually from Apple.

Update [April 12, 2012]
Symantec Security Response has developed a removal tool for OSX.Flashback.K.