Symantec researchers have reverse engineered components of the OS X Flashback malware, which had recently infected more than 600,000 Macs.
The analysis reveals that the malware was designed in part as a highly profitable ad-clicking operation that could be netting the Trojan's creators a hefty sum.
"Ad-clicking Trojans are nothing new and in an analysis of W32.Xpaj.B last August a botnet measuring in the region of 25,000 infections could generate the author up to $450 per day. Considering the Flashback Trojan measures in the hundreds of thousands, this figure could sharply rise to the order of $10,000 per day... the end goal of this Trojan is revenue generation," Symantec's analysis concludes.
Earlier analysis of Flashback had established that the Trojan exploited Java vulnerabilities to get onto systems and give its operators remote access, and suggested it carried a keylogging component to capture login credentials.
Oracle had patched the vulnerability in February, but Apple shipped its own build of Java for OS X and did not release the corresponding update until April. That gap of nearly two months, during which an otherwise fully patched Mac was still exploitable, is what led to the large number of infected machines.
"This window of opportunity helped the Flashback Trojan to infect Macs on a large scale. The Flashback authors took advantage of the gap between Oracle and Apple's patches by exploiting vulnerable websites using Wordpress and Joomla to add malicious code snippets... If a user visited a compromised site on an unpatched Mac, OSX.Flashback.K would be installed," Symantec states.
Symantec researchers go on to provide a fairly detailed explanation of the ad-clicking mechanism Flashback utilizes.
"The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click. The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to the malicious server..." the Symantec blog explains.
Flashback utilizes a "specially crafted user agent in these requests" with a "universally unique identifier (UUID) encoded in base64" in what the researchers deemed an attempt to "thwart 'unknown' parties from investigating the URL with unrecognised user-agents."
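The base64 UUID in the User-Agent is the kind of indicator a defender can hunt for in proxy logs, because no legitimate browser UA carries a base64 run that decodes to a UUID. The block below is an added example, not Symantec's code or a sample from the malware: it assumes a hypothetical log layout (client IP, method, URL, quoted User-Agent) and that the UUID is embedded as base64 of its 36-character text form, since the page does not give the exact format. The sample log lines are constructed for the example.

```python
from __future__ import annotations

import base64
import re
import uuid

# Assumed indicator shape (hypothetical; the page says only "UUID encoded in
# base64"): any base64 run in the User-Agent whose decoded bytes are a
# textual UUID is treated as a hit. Ordinary browser UAs never carry one.
UUID_TEXT_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_uuid_tokens(user_agent: str) -> list[str]:
    """Return every UUID (lower-cased text) hidden as base64 in a User-Agent."""
    found = []
    for run in B64_RUN_RE.findall(user_agent):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # bad alphabet or padding: not base64 at all
            continue
        text = raw.decode("ascii", errors="replace")
        if UUID_TEXT_RE.match(text):
            found.append(str(uuid.UUID(text)))  # normalises to lower case
    return found


def ua_with_uuid_token(base_ua: str, machine_uuid: str) -> str:
    """Build a tagged User-Agent in the assumed Flashback style (for the sample only)."""
    token = base64.b64encode(machine_uuid.encode("ascii")).decode("ascii")
    return f"{base_ua} {token}"


# Assumed proxy log layout for this example:  client_ip method url "user-agent"
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"\s*$')


def scan_proxy_log(text: str) -> list[dict]:
    """Yield one record per request whose User-Agent carries a base64 UUID."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, ua = m.groups()
        ids = decode_uuid_tokens(ua)
        if ids:
            hits.append({"client": client, "url": url, "uuid": ids[0]})
    return hits


# Constructed sample traffic (not real data): a clean Google search, the same
# host then contacting a hypothetical attacker-run redirector with the tagged
# User-Agent, and an unrelated curl request that must not match.
SAMPLE_UUID = "cf9bc5fb-83ab-4048-9f89-1847f0b0cd53"
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) "
          "AppleWebKit/534.55.3 Safari/534.55.3")
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 GET http://www.google.com/search?q=toys "{MAC_UA}"',
    f'10.0.0.5 GET http://198.51.100.23/cl/?q=toys "{ua_with_uuid_token(MAC_UA, SAMPLE_UUID)}"',
    '10.0.0.7 GET http://example.com/ "curl/7.21.4"',
])

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url']}  (UUID {hit['uuid']})")
```

The precision comes from decoding rather than pattern-matching the raw string: long alphanumeric runs do appear in some legitimate User-Agents, but they do not base64-decode to a well-formed UUID. If a real variant encodes the raw 16 UUID bytes instead of the text, the decode step needs a separate length-16 branch, with a stricter check to avoid flagging every 24-character base64 run.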
In the example the researchers traced, a user searching Google for "toys" produced a hijacked ad click that paid the attackers a little under a cent.
"We can clearly see a value of 0.8 cents for the click and the redirection URL... This redirected URL is subsequently written into the browser so that the user is now directed to the new site, in effect hijacking the ad click Google should have received... This ultimately results in lost revenue for Google and untold sums of money for the Flashback gang."
Apple released a malware removal tool for the most common variant of the Flashback Trojan back in April, as well as security updates to mitigate the vulnerability exploited by the malware.