
Flashback bots search Twitter for controllers, hit Snow Leopard hardest

Snow Leopard users often fail to keep up with patches, leaving door open to Java exploit.

Malware investigators for the Russian antivirus company Dr. Web report that the latest version of Flashback, the backdoor malware targeting Macs through a Java exploit, is using Twitter as a backup command and control network.

Dr. Web was the first to report on the rapidly growing Flashback botnet—the largest recorded malware attack ever focused on Macs. In an analysis of current variants of the malware, Dr. Web’s team found that the Trojan software installed through the Java exploit is initially configured with a list of servers through which it can receive additional commands and configuration updates. If the malware doesn’t get a correct response from one of the control servers in its own internally generated list, it will search Twitter for posts containing a string of text generated from the current date, and look for a control server address embedded in those posts.

“For example, some Trojan versions generate a string of the ‘rgdgkpshxeoa’ format for the date 04.13.2012,” the Dr. Web team wrote in their blog post. “If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name.”

The Dr. Web team started using Twitter posts in an effort to “sinkhole” the botnet on April 13. But by the next day, the Twitter account they were using was blocked.
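The tag-enclosed beacon format quoted above, and the sinkholing effort that depended on spotting it, lend themselves to a simple monitoring check. The following is an added example, not code from the article or from Dr. Web: it pulls hostnames out of the bumpbegin/endbump tags in a batch of tweets and rejects malformed candidates, so that a sinkhole team or blocklist feed could act on the results. The sample tweets and hostnames are constructed, and the date-derived search string is only used as a literal, since the page does not describe how it is generated.

```python
import re

# Flashback's Twitter fallback (per Dr. Web): a tweet carries the control
# server address between the literal tags "bumpbegin" and "endbump".
TAG_RE = re.compile(r"bumpbegin(.*?)endbump", re.IGNORECASE | re.DOTALL)

# Hostname syntax check: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at least two labels, <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$",
    re.IGNORECASE,
)


def extract_c2_candidates(text: str) -> list[str]:
    """Return every well-formed hostname enclosed in bumpbegin/endbump tags.

    Empty, space-containing or otherwise malformed candidates are dropped so
    that noise and decoys do not end up in a sinkhole or blocklist feed.
    """
    found = []
    for raw in TAG_RE.findall(text):
        candidate = raw.strip().lower()
        if HOSTNAME_RE.match(candidate):
            found.append(candidate)
    return found


def scan_tweets(tweets: list[dict]) -> dict[str, list[str]]:
    """Map each extracted C2 hostname to the ids of the tweets carrying it."""
    hits: dict[str, list[str]] = {}
    for tweet in tweets:
        for host in extract_c2_candidates(tweet["text"]):
            hits.setdefault(host, []).append(tweet["id"])
    return hits


# Constructed sample tweets (not real Flashback traffic). "rgdgkpshxeoa" is the
# date-derived search string quoted in the article, used here as a literal only.
SAMPLE_TWEETS = [
    {"id": "t1", "text": "rgdgkpshxeoa bumpbegin c2-example.invalid endbump"},
    {"id": "t2", "text": "rgdgkpshxeoa bumpbegin not a host name endbump"},
    {"id": "t3", "text": "rgdgkpshxeoa bumpbegin endbump"},
    {"id": "t4", "text": "talking about bumpbegin and endbump tags, no address"},
    {"id": "t5", "text": "bumpbeginC2-EXAMPLE.invalidendbump then bumpbegin sink.example.org endbump"},
]

if __name__ == "__main__":
    for host, ids in scan_tweets(SAMPLE_TWEETS).items():
        print(host, ids)
```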

As ComputerWorld’s Greg Keizer reports, the largest percentage of Flashback-infected Macs—63.4 percent of them—are running Mac OS X 10.6 (Snow Leopard). Snow Leopard was the last version of Mac OS X to ship with Java installed. It represents just over 40 percent of the Mac OS installed base, according to data from the market share metrics firm Net Applications. Lion (Mac OS X 10.7), by comparison, accounted for nearly as many systems, but only for 11.2 percent of Flashback-infected systems. It doesn’t come with Java pre-installed.

The connection may have less to do with Java being pre-installed, and more to do with user habits. As Ed Bott pointed out in a Friday blog post on ZDNet, the Dr. Web data also showed that users of older versions of Mac OS X were less likely to have applied software updates. “Nearly 24 percent of all infected Macs running Snow Leopard in this sample were at least one version out of date, and more than 10 percent of those users had skipped three or more major updates,” Bott wrote.
