
What is FlashBack?

Macs are no longer safe from malware.

Infected users. Infection geography

FlashBack is a family of malware that affects Mac OS X. The first versions of this threat were detected in September 2011. In March 2012, over 600 000 computers worldwide were infected by FlashBack.

The infected computers have been combined into a botnet, which enables cybercriminals to install additional malicious modules on them at will. One of these modules is known to generate fake search engine results, displaying false results for users and generating profits for cybercriminals via ‘click fraud’. It is quite possible that, in addition to intercepting search engine traffic, cybercriminals could upload other malicious modules to infected computers – e.g. for data theft or spam distribution.

How can users be infected with Flashback/Flashfake?


While browsing the Internet, users may find themselves on an apparently legitimate website which has, however, been compromised or specially created by cybercriminals. The user is invited to install or update a new version of Flash Player. If the user agrees, FlashBack requests the admin password and is installed on the system.

Most of the March 2012 infections came from exploiting Java vulnerabilities. The authors of Flashback use numerous websites which, when accessed, automatically download and launch malicious files on the user's computer. Read on to find out if your computer is at risk from this Java vulnerability.

Once the system has been infected, FlashBack runs automatically every time the computer is switched on.

How do you know if you are infected?

When it is running, FlashBack tries to connect to 30 sites every day. One of those sites (randomly chosen) hosts the botnet’s command-and-control (C&C) server as deployed by the cybercriminals. Having established a connection, the malicious program passes the victim computer’s IP address and hardware UUID to the C&C.

Kaspersky Lab has discovered the operation algorithm of the malicious program, and created a dedicated server that imitates the C&C server that infected computers are supposed to connect to. For several days, this server registered all the infected computers that communicated with it, and recorded their UUIDs in a dedicated database. Thus, we can check if your computer’s UUID is in this database; if so, your computer was (and may still be) infected with FlashBack.
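The sinkhole bookkeeping described above can be sketched as follows. This is an added example, not Kaspersky Lab's code: the log line format, the function names and the sample UUIDs and IP addresses are constructed assumptions. It shows why the hardware UUID, not the IP address, is the lookup key: the same machine can check in from different addresses.

```python
import re
from datetime import datetime

# Constructed sinkhole log lines (the format is an assumption, not FlashBack's
# real protocol): ISO timestamp, source IP, reported hardware UUID.
SAMPLE_LOG = """\
2012-04-06T09:14:02 203.0.113.17 8A1B2C3D-4E5F-5A6B-9C7D-0E1F2A3B4C5D
2012-04-06T09:15:40 198.51.100.8 11111111-2222-5333-8444-555555555555
2012-04-07T10:02:11 203.0.113.99 8a1b2c3d-4e5f-5a6b-9c7d-0e1f2a3b4c5d
2012-04-07T11:30:00 192.0.2.44 not-a-uuid
"""

def normalize_uuid(raw):
    """Return the UUID in upper-case hyphenated form, or None if malformed."""
    hexchars = re.sub(r"[\s{}-]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hexchars):
        return None
    cuts = (0, 8, 12, 16, 20, 32)
    return "-".join(hexchars[a:b] for a, b in zip(cuts, cuts[1:]))

def build_database(log_text):
    """Map each valid UUID to its first/last check-in and the IPs it used."""
    db, rejected = {}, 0
    for line in log_text.splitlines():
        parts = line.split()
        uuid = normalize_uuid(parts[2]) if len(parts) == 3 else None
        if uuid is None:
            rejected += 1          # malformed check-in: count it, do not store it
            continue
        seen = datetime.fromisoformat(parts[0])
        rec = db.setdefault(uuid, {"first": seen, "last": seen, "ips": set()})
        rec["first"] = min(rec["first"], seen)
        rec["last"] = max(rec["last"], seen)
        rec["ips"].add(parts[1])
    return db, rejected

def check_uuid(db, raw):
    """Look up a user-supplied UUID; None means it never reached the sinkhole."""
    uuid = normalize_uuid(raw)
    if uuid is None:
        raise ValueError("not a hardware UUID: %r" % raw)
    return db.get(uuid)

if __name__ == "__main__":
    db, rejected = build_database(SAMPLE_LOG)
    hit = check_uuid(db, "8a1b2c3d4e5f5a6b9c7d0e1f2a3b4c5d")
    print(len(db), "machines,", rejected, "rejected,", sorted(hit["ips"]))
```

A match only means the machine contacted the sinkhole during the logging window; as the text says, it was infected then and may still be.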