Gradually, the ins and outs of the latest Flashback malware outbreak are becoming clearer. In the article "Security firm offers more Flashback details, free tools", Dan Moren of Macworld summarizes some of the findings so far.

Briefly, Kaspersky Lab, a Russia-based computer security company, managed to reverse-engineer the latest Flashback (aka Flashfake) trojan, and in particular the way a computer infected with it (a 'bot') interacts with its command & control (C&C) server(s). As Dr. Web (the Russian computer security vendor that first published numbers of infected Macs) had done before them, Kaspersky used this knowledge to impersonate such a C&C server and eavesdrop on the ongoing communications between Flashback bots and their C&C servers. Such a monitoring setup is called a 'sinkhole'. Since each bot calling 'home' identifies itself with a code incorporating its unique hardware identifier (UUID, see System Profiler), repeated check-ins from the same machine can be collapsed into one, which allows a bot count. Depending on the exact UUID format used, in combination with OS fingerprinting of the bots, this also allows a platform estimate (Macs vs. computers running another OS). Hence the conclusion that at least 98% of the over 600,000 infected computers are Macs.
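The counting logic described above, as an added example that is not part of the original post or of Kaspersky's tooling: a small sinkhole-log tally that deduplicates check-ins by bot identifier, discards identifiers that do not even have a UUID shape, and splits the unique bots by a coarse OS fingerprint. The log format, the identifiers and the User-Agent-based fingerprint are all constructed assumptions for this example, not Flashback's real beacon protocol.

```python
import re
from collections import Counter

# Constructed sinkhole log, one check-in per line: "<timestamp>\t<bot id>\t<user-agent>".
# Layout and values are invented for this example; they are not Flashback's real beacons.
SINKHOLE_LOG = """\
2012-04-10T09:00:01Z\t6F1D2C3B-4A5E-4F60-8A7B-1C2D3E4F5A6B\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
2012-04-10T09:00:07Z\t6F1D2C3B-4A5E-4F60-8A7B-1C2D3E4F5A6B\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
2012-04-10T09:01:15Z\tA1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8)
2012-04-10T09:02:30Z\t6F1D2C3B-4A5E-4F60-8A7B-1C2D3E4F5A6B\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
2012-04-10T09:03:44Z\t0BADF00D-1234-4567-89AB-CDEF01234567\tMozilla/5.0 (Windows NT 6.1)
2012-04-10T09:04:02Z\tnot-a-uuid\tcurl/7.21.4
2012-04-10T09:05:19Z\t9E8D7C6B-5A4F-4E3D-2C1B-0A9F8E7D6C5B\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)
"""

# RFC 4122 textual shape (8-4-4-4-12 hex digits); used only as a plausibility filter.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def fingerprint_os(user_agent):
    """Coarse OS fingerprint from the User-Agent string (an assumption of this example)."""
    ua = user_agent.lower()
    if "mac os x" in ua or "macintosh" in ua:
        return "mac"
    if "windows" in ua:
        return "windows"
    return "other"

def tally_bots(log_text):
    """Count unique bots and their platform split; repeated check-ins count once."""
    seen = {}          # bot id -> OS fingerprint taken from its first valid check-in
    hits = malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits += 1
        _ts, bot_id, user_agent = line.split("\t", 2)
        if not UUID_RE.match(bot_id):
            malformed += 1        # reported, but never counted as a bot
            continue
        seen.setdefault(bot_id.upper(), fingerprint_os(user_agent))
    by_os = Counter(seen.values())
    total = len(seen)
    return {"hits": hits, "unique_bots": total, "by_os": dict(by_os),
            "malformed": malformed, "mac_share": by_os["mac"] / total if total else 0.0}

if __name__ == "__main__":
    print(tally_bots(SINKHOLE_LOG))
```

On the constructed log, 7 hits collapse to 4 unique bots (3 Mac, 1 Windows) with one malformed identifier set aside, which is the distinction between raw traffic volume and the infected-machine count the post draws.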

Another important issue is where exactly those infected computers picked up the Flashback malware. It appears to be related to the recent and widespread compromise of sites running WordPress, a popular blogging software. While the details of that compromise are not entirely clear, what happened to visitors of the affected blogs is: they were redirected to several malicious sites hosting malware 'kits' that included the Flashback trojan. It turns out that the C&C servers of the compromised WordPress blogs closely match those of the Flashback trojan, clearly suggesting a link between the two.

Kaspersky is now offering an online Flashback check based on the computer's UUID, a downloadable check-and-removal utility (Intel only), plus a set of security recommendations for Mac users.


alternaut moderator