The Latest in IT Security

Flashback Cleanup Still Underway-Approximately 140,000 Infections

18 Apr 2012

Today’s blog is a quick follow-up to the OSX.Flashback.K issue. The statistics from our sinkhole are showing declining numbers on a daily basis. However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case. Currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.

As there have been tools released by Symantec and other vendors in the past few days concerning this threat, the infection numbers should have seen a dramatic decrease by now. If you suspect that your Mac has been infected with OSX.Flashback.K, it is recommended to install the latest patches, ensure that your antivirus is up to date with the latest signatures, and to use the free Norton Flashback Detection and Removal Tool.
 

Sinkhole


Please note: the sinkhole domain was unavailable on April 12th.
 

Command-and-control (C&C) servers

Further analysis on the domain name generator (DNG) algorithm has revealed that Flashback does not limit itself to using “.com” as the top level domain (TLD).

It chooses from the following five TLDs:

  • .com
  • .in
  • .info
  • .kz
  • .net
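The following is an added example, not code from the original post or from Symantec, showing why a DNS watchlist for this threat has to cover all five TLDs rather than only “.com”. The second-level labels, the log lines and the log format are constructed placeholders and assumptions, since the post gives neither the generated names nor the algorithm.

```python
from collections import defaultdict

# The five TLDs the post lists for the Flashback domain name generator.
FLASHBACK_TLDS = ("com", "in", "info", "kz", "net")

# Constructed placeholder labels; real ones would come from a vendor feed.
SAMPLE_LABELS = {"examplelabelone", "examplelabeltwo"}

# Constructed DNS log, assumed format: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2012-04-18T09:00:01Z 10.0.0.21 examplelabelone.com. A
2012-04-18T09:00:02Z 10.0.0.21 ExampleLabelOne.KZ. A
2012-04-18T09:00:05Z 10.0.0.34 www.examplelabeltwo.info A
2012-04-18T09:00:09Z 10.0.0.55 examplelabelone.org. A
2012-04-18T09:00:11Z 10.0.0.55 notexamplelabelone.net. A
2012-04-18T09:00:12Z 10.0.0.77 examplelabeltwo.in.example.com. A
malformed line
"""

def expand(labels, tlds=FLASHBACK_TLDS):
    """Build the watchlist: every label under every TLD, lower-cased."""
    return {f"{label.lower()}.{tld}" for label in labels for tld in tlds}

def registered_match(qname, watch):
    """Return the watched domain if qname is it or a subdomain of it."""
    parts = qname.rstrip(".").lower().split(".")
    # All five TLDs are single-label, so only the last two labels can match.
    candidate = ".".join(parts[-2:])
    return candidate if candidate in watch else None

def scan(log_text, watch):
    """Map each client IP to the sorted watched domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the scan
        _, client, qname, _ = fields
        match = registered_match(qname, watch)
        if match:
            hits[client].add(match)
    return {client: sorted(domains) for client, domains in hits.items()}

if __name__ == "__main__":
    print("all five TLDs:", scan(SAMPLE_LOG, expand(SAMPLE_LABELS)))
    print(".com only:   ", scan(SAMPLE_LOG, expand(SAMPLE_LABELS, ("com",))))
```

On the constructed log, the “.com”-only watchlist flags one client and one domain, while the five-TLD watchlist also catches the “.kz” and “.info” lookups from a second client.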

The graphic below lists the upcoming C&C servers that are to be contacted by OSX.Flashback.K over the coming week.


 

Vulnerability

The recent Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability (CVE-2012-0507, BID 52161), used to distribute the Flashback Trojan, has now also been seen distributing another Mac threat: OSX.Sabpab.

OSX.Sabpab has also been seen in targeted attacks distributed with malicious Word documents exploiting the Microsoft Word Record Parsing Buffer Overflow Vulnerability (CVE-2009-0565, BID 35190).

Again, it is paramount that you have the latest antivirus signatures installed and have applied the latest available patches for both the operating system and third-party applications.
 

Payload C&C server

The Flashback payload is considerably larger than the initial stage downloading component. Analysis is ongoing; however, one of the new features of the Trojan is that it can now retrieve updated C&C locations through Twitter posts by searching for specific hashtags generated by the OSX.Flashback.K hashtag algorithm.
 

Removal tool

Please visit our website at www.symantec.com for more information about this threat and how to protect your computers from harm. A detection and removal tool for the OSX.Flashback.K issue, the “Norton Flashback Detection and Removal Tool”, is freely available for download.
