Security provider Doctor Web has completed analysis of the large-scale botnet created by the BackDoor.Flashback trojan.
Previously, Doctor Web discovered that the Flashback Trojan had infected more than 600,000 Mac OS X systems. The Trojan exploited three Java vulnerabilities to gain remote access to the infected systems and likely included a keylogger capability to capture authentication credentials.
Researchers noted that nearly two out of three infected systems are running Snow Leopard OS X 10.6 which included Java preinstalled. Less vulnerable to Flashback are the systems running Lion OS X 10.7, unless users manually downloaded Java after purchase.
"BackDoor.Flashback.39 exploits a Java vulnerability to save an executable and configuration file, responsible for its automatic launching by launchd, onto a hard drive of the compromised Mac. Then BackDoor.Flashback.39 connects to a control server, downloads an executable onto the infected machine and installs it in the system. At this moment the Trojan brings up a dialogue window prompting the user to enter an administrator password. If the user does enter the password, the malicious program runs with elevated privileges, but even if they don't, the Trojan will be saved in the user's home directory and launched with the current user permissions. It will be enough to perform its malicious tasks," Doctor Web explains in a blog posted last week.
Doctor Web identified two types of Command and Control (C&C) servers - one that conducts malicious redirects of web traffic, and the other which is responsible for payload delivery and botnet control instructions.
Researchers at the company successfully took control of domains used by the second category of C&C servers and analyzed the requests issued by the bots.
"Control server names of the first group are generated using the list found in the Trojan’s configuration data; in addition, another domain name list is created where resulting names are determined by the current date. The second level domain name is the same, while a top-level domain name can be .org, .com, .co.uk, .cn or .in. The Trojan horse sends consecutive requests to control servers according to its generated list. An /owncheck/ or /scheck/ GET request sent to a server contains the infected Mac's UUID in the useragent field. If the reply contains a SHA1 hash value of the domain name, this domain will become trusted and from this moment on will be considered to be a command server name. First domains in this category have been successfully taken over by Doctor Web since April 12, 2012," the company stated.
The malware begins to search for a domain of the second type after it has identified one belonging to the first.
"The bot uses the list found in its configuration data to send the /auupdate/ GET-request to a number of control servers. The useragent field in these requests contains detailed information on the infected system," the researchers determined.
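The two check-in patterns described above (the /owncheck/ and /scheck/ requests carrying the Mac's UUID in the User-Agent, the /auupdate/ request, and the bot's rule of trusting only a server whose reply contains the SHA1 of its domain name) can be turned into simple detection logic. The following is an added example, not Doctor Web's code; the proxy log layout, the host names and the UUIDs are constructed placeholders, and hex encoding of the SHA1 value is an assumption the page does not state.

```python
import hashlib
import re

# Request paths the page attributes to Flashback check-ins: /owncheck/ and /scheck/
# for the first (redirect) C&C group, /auupdate/ for the payload C&C group.
FLASHBACK_PATHS = ("/owncheck/", "/scheck/", "/auupdate/")

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")

# Assumed proxy log layout (constructed for this example, not a vendor format):
#   <client_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample traffic; hosts and UUIDs are placeholders, not real indicators.
SAMPLE_LOG = [
    '10.0.0.5 GET c2-placeholder.org /owncheck/ "Mozilla/5.0 (Macintosh) 4C6B9E1A-0000-4000-8000-0000000000AB"',
    '10.0.0.5 GET www.example.com /index.html "Mozilla/5.0 (Macintosh)"',
    '10.0.0.9 GET c2-placeholder.cn /auupdate/ "Mozilla/5.0 (Macintosh) 7F1D2C3B-0000-4000-8000-0000000000CD id:2"',
    '10.0.0.9 POST api.example.net /scheck/ "curl/7.21"',
]


def parse_checkin(line):
    """Return the fields of one Flashback-style GET check-in, or None for other traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, host, path, user_agent = m.groups()
    if method != "GET" or not path.startswith(FLASHBACK_PATHS):
        return None
    uuid = UUID_RE.search(user_agent)  # the bot places the Mac's UUID in the User-Agent
    return {"client": client, "host": host, "path": path,
            "uuid": uuid.group(0) if uuid else None}


def scan_log(lines):
    """All check-ins found in an iterable of log lines, in order of appearance."""
    return [hit for hit in map(parse_checkin, lines) if hit]


def expected_reply(domain):
    """Hex SHA1 of the domain name, the value a bot looks for before trusting a server.
    Hex encoding is an assumption; the page only says the reply contains the SHA1."""
    return hashlib.sha1(domain.encode()).hexdigest()


def reply_validates_domain(domain, reply):
    """Mimic the bot's trust check: a reply is accepted only if it carries SHA1(domain)."""
    return expected_reply(domain) in reply.lower()
```

The trust check is what made the takeover possible: a sinkhole answering with the hash of its own name is accepted by the bots, which is why the UUIDs seen at the sinkholed domains give a population count.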
An example of the generated request provided by Doctor Web looks like the following:
If the C&C server replies with an incorrect response, the malware performs a different task, according to the researchers.
"The Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=. For example, some Trojan versions generate a string of the "rgdgkpshxeoa" format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name. Doctor Web began to take over domains of this category on April 13, but on the following day, Saturday, April 14, the Twitter account registered by Doctor Web analysts for this purpose was blocked," the company explained.
The researchers recorded 95,563 requests containing UUIDs being sent to the BackDoor.Flashback payload C&C servers between April 12 and April 26. The statistical analysis of that traffic can be obtained in graphical format at Doctor Web's site.