When the word virus comes up, the first thing that might come to mind is “why are people doing this?!” Oftentimes, malicious hackers distribute this kind of code out of anger or maybe just for the sake of vandalism – but more times than not, malware is distributed with a rewarding goal in mind – making some cash.
At first glance, Flashback seems to fit into more of the ‘vandalism’ category – probably inspired by the Mac users who walk around boasting about their computer’s bulletproof protection against any and all viruses. Obviously that’s not true, so the authors must have released it just to spite Mac users – right? Not exactly.
Upon further analysis, it starts to seem a little fishy that the malware would probe so deep into the user’s personal data – like PayPal and Facebook accounts – but it was still unclear as to what exactly Flashback does with this information.
In a blog post made earlier today, Intego announced that the motivation behind the malware isn’t just an attack on Mac users – but a way to earn a pretty generous pile of cash, through ad hijacking. I’m not exactly an expert on computer viruses, but according to Intego, it’s actually a pretty common trend in malicious software.
Considering the gap of over a month between Oracle's fix for the Java vulnerabilities and Apple's, the Flashback team had more than enough time to implement some lucrative ideas into the code – taking advantage of self-hosted WordPress blogs as well as Joomla sites.
This window of opportunity helped the Flashback Trojan to infect Macs on a large scale. The Flashback authors took advantage of the gap between Oracle and Apple’s patches by exploiting vulnerable websites using WordPress and Joomla to add malicious code snippets. – Intego
Intego explained how the whole ad hijacking component works:
- A user visits a compromised website.
- The browser is redirected to an exploit site hosting numerous Java exploits.
- CVE-2012-0507 is used to decrypt and install the initial OSX.Flashback.K component.
- This component downloads a loader and an Ad-clicking component.
After the ad-clicking components are embedded in Firefox, Chrome and/or Safari, Flashback works behind the scenes of the browser to redirect users to a variety of different sites – which credit the revenue to the attackers' accounts, essentially pick-pocketing Google. Needless to say, with the sheer volume of infected Macs, these guys were making a killing off of the operation. Half a million computers clicking through ads – at around $0.08 apiece – can add up pretty quickly.
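As an added illustration of what "embedded in the browser" can look like from the defender's side (this is not code from the post or from Intego): on macOS, one way a component gets loaded into every browser process is by setting the DYLD_INSERT_LIBRARIES variable, either under LSEnvironment in the browser bundle's Info.plist or in the user's ~/.MacOSX/environment.plist. That injection mechanism is an assumption here, not something the post states, and the sample plists are constructed for the demo.

```python
"""Flag a library being force-loaded into a browser on macOS (added example)."""
import plistlib
from pathlib import Path

# Assumption: injection via DYLD_INSERT_LIBRARIES, a colon-separated dylib list.
SUSPICIOUS_KEY = "DYLD_INSERT_LIBRARIES"


def find_injected_libs(plist_bytes: bytes) -> list[str]:
    """Return library paths the plist would force into a process.

    Handles both layouts: an app Info.plist, where the variable sits under
    LSEnvironment, and a user environment.plist, where it is top-level.
    """
    data = plistlib.loads(plist_bytes)
    env = data.get("LSEnvironment", data)  # Info.plist vs environment.plist
    value = env.get(SUSPICIOUS_KEY, "")
    return [p for p in value.split(":") if p]


def scan_bundles(app_dirs) -> dict[str, list[str]]:
    """Check each browser bundle's Info.plist; returns {app: [libs]} for hits."""
    hits = {}
    for app in app_dirs:
        info = Path(app) / "Contents" / "Info.plist"
        if info.is_file():
            libs = find_injected_libs(info.read_bytes())
            if libs:
                hits[str(app)] = libs
    return hits


# Constructed sample: a Safari Info.plist with an injected library. The path
# is a placeholder, not a real Flashback artifact.
SAMPLE_INFECTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.placeholder.so</string>
  </dict>
</dict></plist>"""

SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
</dict></plist>"""

if __name__ == "__main__":
    print(find_injected_libs(SAMPLE_INFECTED))  # ['/Users/Shared/.placeholder.so']
    print(find_injected_libs(SAMPLE_CLEAN))     # []
    print(scan_bundles(["/Applications/Safari.app", "/Applications/Firefox.app"]))
```

A hit on a browser bundle is only a signal; any path it names should be checked against what the app legitimately ships before anything is removed.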
So, to recap on the Flashback dilemma thus far – it's taken advantage of Twitter, Google, WordPress, Oracle and let's not forget the owners of the infected machines – all while reeling in cash on a daily basis.
Intego has been one of the driving forces behind cracking the code and putting Flashback to rest, and hopefully we'll be more prepared for such malicious schemes in the future. Still though, this type of thing almost always comes as somewhat of a surprise.
If you still haven't made 100 percent sure that your Mac isn't infected – be sure to install all system updates and double check with Apple's Flashback Malware Removal Tool. Stay safe!