Flashback Uses Twitter as Backup C&C

Thursday, May 3, 2012 @ 04:05 PM gHale


Flashback’s latest version hitting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in case the normal C&C servers aren’t available.

While this is not the first time a botnet has used Twitter for command and control, it is one more way attackers keep trying to stay a step ahead of their potential victims. It is also a case where users need to remain vigilant and remember that today’s defense may not apply tomorrow.


The most recent version of Flashback, which infects Macs by exploiting Java vulnerabilities, can communicate with two separate tiers of C&C servers. The first tier relays traffic from compromised machines; those servers allow the attackers behind the Flashback botnet to hijack users’ Web search traffic and redirect it to servers they control. The second tier sends commands to the infected machines, telling them to perform specific actions on the Macs.

When an infected Mac connects to the second type of C&C server and does not receive a correctly formatted reply, it performs a search on Twitter for a specially formatted string, according to analysts at Dr. Web, the Russian security firm that has been following the Flashback case closely.

“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=. For example, some Trojan versions generate a string of the “rgdgkpshxeoa” format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name. Dr. Web began to take over domains of this category on April 13, but on the following day, April 14, the Twitter account registered by Dr. Web analysts for this purpose was blocked,” the company said.
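The two halves of that fallback mechanism, as an added example that is not Flashback's code nor Dr. Web's analysis tooling: one function does what the bot does once it has search results, pulling a control-server hostname out of tweets that carry the bumpbegin/endbump markers, and a second set does what a defender would do with proxy logs, flagging searches against the mobile Twitter endpoint whose query term looks like one of the generated tags. The marker names, the search URL and the sample tag rgdgkpshxeoa come from the Dr. Web description above; the date-to-tag generation algorithm is not reproduced because the analysis does not publish it, so the tag heuristic is an assumption fitted to the one published sample. The sample tweets and log URLs are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# A control-server host is carried between two literal markers inside a tweet.
# Marker names are from the Dr. Web description quoted above.
TAG_RE = re.compile(r"bumpbegin(.*?)endbump", re.DOTALL)

# Conservative hostname syntax: dotted labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, alphabetic top-level label.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def extract_cnc_hosts(tweets):
    """Bot side: return the well-formed hostnames found between the
    bumpbegin/endbump markers in the given tweet texts, in the order seen.
    Payloads that are not syntactically valid hostnames (chatter, decoys,
    junk posted by researchers) are skipped rather than used as a domain."""
    hosts = []
    for text in tweets:
        for payload in TAG_RE.findall(text):
            candidate = payload.strip().lower()
            if HOST_RE.match(candidate):
                hosts.append(candidate)
    return hosts


def twitter_search_term(url):
    """Defender side: if url is a search against the mobile Twitter endpoint
    the bot uses (http://mobile.twitter.com/searches?q=...), return the search
    term with any leading '#' removed; otherwise return None."""
    parsed = urlparse(url)
    if parsed.hostname != "mobile.twitter.com" or parsed.path != "/searches":
        return None
    terms = parse_qs(parsed.query).get("q")
    if not terms:
        return None
    return terms[0].strip().lstrip("#")


def looks_like_generated_tag(term):
    """Heuristic (an assumption, not from the analysis): the one published
    sample "rgdgkpshxeoa" is a single run of lowercase ASCII letters, so treat
    8 to 16 lowercase letters with nothing else as a candidate generated tag.
    Other bot versions use different strings, so this is a triage filter,
    not a signature."""
    return re.fullmatch(r"[a-z]{8,16}", term) is not None


def fallback_lookups(urls):
    """Return the search terms from a list of proxy-log URLs that hit the
    bot's fallback search endpoint and pass the generated-tag heuristic."""
    hits = []
    for url in urls:
        term = twitter_search_term(url)
        if term is not None and looks_like_generated_tag(term):
            hits.append(term)
    return hits


# Constructed sample data for this example (not real Flashback traffic).
SAMPLE_TWEETS = [
    "nice day out. bumpbegin sinkhole.example.net endbump #rgdgkpshxeoa",
    "bumpbegin this is not a host name endbump #rgdgkpshxeoa",
    "no markers at all #rgdgkpshxeoa",
]

SAMPLE_PROXY_URLS = [
    "http://mobile.twitter.com/searches?q=%23rgdgkpshxeoa",
    "http://mobile.twitter.com/home",
    "http://example.org/searches?q=rgdgkpshxeoa",
]

if __name__ == "__main__":
    print(extract_cnc_hosts(SAMPLE_TWEETS))      # ['sinkhole.example.net']
    print(fallback_lookups(SAMPLE_PROXY_URLS))   # ['rgdgkpshxeoa']
```

The hostname check is the part worth noticing: because the bot trusts whatever sits between the markers, anyone who can get a matching tweet indexed (which is exactly what Dr. Web did before its account was blocked) controls where the bots go next, so validating the payload only protects the bot against malformed values, not against a sinkhole.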

Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon at first, but have since been quicker to respond.

Flashback is by no means the first piece of Mac malware, or even the most inventive, but it is the most successful. The malware infected several hundred thousand machines over the course of the last six months.

There are a number of different versions of Flashback circulating, but the one that has caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version spreads through drive-by download attacks, a classic method for exploiting Windows vulnerabilities that until now has not been a major vector in the Mac world.


