
Flashback Mac Malware Uses Twitter as Command and Control Center

Posted on March 5th, 2012 by

The Flashback malware, which Intego pointed out was infecting an increasing number of Macs, turns out to use a novel technique to operate. Many types of malware connect to command and control servers in order to fetch instructions from the malware's creators. The weakness of that approach is that the server addresses are hard-coded in the malware, so once analysts extract them the servers can generally be blocked or taken down.

Flashback, however, gets its commands in an unusual way: from Twitter. Rather than polling a specific Twitter account, which could simply be suspended, it searches Twitter for tweets containing specific hashtags. These hashtags aren't as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego's malware research team decrypted the 128-bit RC4 protection on Flashback's code and recovered the scheme that generates them.

Each hashtag is twelve characters long: four characters for the day, four for the month, and four for the year, with each group looked up in the table below. The indexing is the one implied by the example further down (#pepbyfadxeoa for March 5, 2012): the day of the month is used directly (5 gives pepb), the month is counted from January = 0 (March is 2, giving yfad, which is how the tm_mon field of a C struct tm counts months), and the year is its last two digits (2012 gives 12, xeoa). The characters used are in the following table:

Index  Characters    Index  Characters
 0     gbqj          18     kudd
 1     dljt          19     nwal
 2     yfad          20     hmca
 3     kpsh          21     dqyo
 4     igaw          22     kkag
 5     pepb          23     viqt
 6     ezcn          24     wpld
 7     hwpd          25     nsiy
 8     drir          26     myvo
 9     rnwp          27     rgel
10     updw          28     zlxl
11     jsng          29     djno
12     xeoa          30     beti
13     rgdg          31     ewof
14     aofl          32     mqan
15     oeur          33     xsco
16     dspu          34     jfiq
17     jyuv

The following is a screenshot of output from a network packet analyzer when the Flashback malware was searching mobile.twitter.com for the hashtag #pepbyfadxeoa, for today, March 5, 2012:
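As an added illustration (this is not code from the post, nor Intego's or Flashback's own code), the scheme above can be turned into a small Python tool: an encoder that produces the day's hashtag, a decoder that maps a hashtag back to a date, a helper that precomputes tags for a window of days (for a proxy blocklist), and a scanner that picks Flashback hashtag searches out of proxy log lines. The one assumption beyond the post is the indexing inferred from its March 5 example (day of month used directly, month counted from January = 0, year as its last two digits); the sample log lines, including the Twitter search path in them, are constructed for the demo and are not a real capture.

```python
from __future__ import annotations

import re
from datetime import date, timedelta
from typing import Optional

# Flashback's 35-entry substitution table as published in the post (index -> four letters).
TABLE = [
    "gbqj", "dljt", "yfad", "kpsh", "igaw", "pepb", "ezcn", "hwpd", "drir", "rnwp",  # 0-9
    "updw", "jsng", "xeoa", "rgdg", "aofl", "oeur", "dspu", "jyuv",                  # 10-17
    "kudd", "nwal", "hmca", "dqyo", "kkag", "viqt", "wpld", "nsiy", "myvo", "rgel",  # 18-27
    "zlxl", "djno", "beti", "ewof", "mqan", "xsco", "jfiq",                          # 28-34
]
INDEX = {chunk: i for i, chunk in enumerate(TABLE)}
assert len(INDEX) == len(TABLE) == 35, "table entries must be unique for decoding to work"


def hashtag_for(d: date) -> str:
    """Hashtag Flashback searches for on day d.

    Indexing is an assumption inferred from the post's example: day-of-month as-is
    (5 -> pepb), month from January = 0 (March -> 2 -> yfad), year as its last two
    digits (2012 -> 12 -> xeoa). The table ends at 34, so years past 2034 cannot be encoded.
    """
    yy = d.year % 100
    if yy >= len(TABLE):
        raise ValueError(f"year {d.year} is outside the 35-entry table")
    return TABLE[d.day] + TABLE[d.month - 1] + TABLE[yy]


def date_from_hashtag(tag: str) -> Optional[date]:
    """Inverse of hashtag_for; None when the tag is not a well-formed Flashback tag."""
    tag = tag.lstrip("#").lower()
    if len(tag) != 12:
        return None
    try:
        day, month0, yy = (INDEX[tag[i:i + 4]] for i in (0, 4, 8))
        # date() rejects impossible combinations (day 0, month index >= 12, Feb 30, ...).
        return date(2000 + yy, month0 + 1, day)
    except (KeyError, ValueError):
        return None


def tags_for_range(start: date, days: int) -> dict[str, date]:
    """Precompute the hashtags for a window of days, e.g. to feed a proxy blocklist."""
    return {hashtag_for(start + timedelta(n)): start + timedelta(n) for n in range(days)}


# A hashtag search appears in proxy logs URL-encoded (%23...) or literal (#...).
TAG_RE = re.compile(r"(?:%23|#)([a-z]{12})(?![a-z])", re.I)


def scan_log(text: str) -> list[tuple[str, str, date]]:
    """Return (log line, hashtag, decoded date) for every line carrying a Flashback tag."""
    hits = []
    for line in text.splitlines():
        for m in TAG_RE.finditer(line):
            decoded = date_from_hashtag(m.group(1))
            if decoded is not None:
                hits.append((line, m.group(1).lower(), decoded))
    return hits


# Constructed proxy log lines for the demo (not a real capture); paths are illustrative.
SAMPLE_LOG = """\
2012-03-05 09:14:02 10.0.0.23 GET http://mobile.twitter.com/searches?q=%23pepbyfadxeoa "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) ..."
2012-03-05 09:14:40 10.0.0.23 GET http://www.apple.com/macosx/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) ..."
2012-03-06 11:02:17 10.0.0.23 GET http://mobile.twitter.com/searches?q=%23ezcnyfadxeoa "Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; ...)"
2012-03-06 11:05:00 10.0.0.41 GET http://mobile.twitter.com/searches?q=%23flashbackmac "Mozilla/5.0 ..."
"""

if __name__ == "__main__":
    print("Today's tag for 2012-03-05:", hashtag_for(date(2012, 3, 5)))
    for line, tag, when in scan_log(SAMPLE_LOG):
        print(f"Flashback C&C lookup for {when}: #{tag}  <- {line[:40]}...")
```

The fourth constructed log line is there on purpose: "flashbackmac" is also twelve letters, so a length-only regex would flag it, but it fails table lookup and is dropped. Matching on the decoded date (and comparing it with the log timestamp) is a much tighter detection than matching on twelve lowercase characters.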


In addition, so that it does not stand out to anyone reviewing web logs, the malware does not send a single fixed User-Agent string but uses several different ones that impersonate mobile browsers. Here are some examples:

  • Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; HTC; 7 Mozart T8698)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; HTC; mwp6985)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; SAMSUNG; SGH-i917)
  • Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  • Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A5302b Safari/7534.48.3
  • Mozilla/5.0 (PWNED iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5

There is no guarantee that there will be tweets every day, but Intego is monitoring Twitter for these specific hashtags, and Intego VirusBarrier X6's web threat protection has been updated to block searches for these character combinations.

It's worth noting that the people behind Flashback most likely do not send commands every day, and appear to delete their tweets afterwards, since Intego has found no past tweets in its searches. The malware, however, clearly sends these HTTP requests looking for such tweets.

  • floatingbones

    The claim is interesting. I see no evidence that #pepbyfadxeoa is actually being used for communicating anything on Twitter. Intego’s claim would have a lot more credibility if they told us a past hashtag that actually had some real traffic on it.

    • http://www.intego.com Intego

      The tweets have obviously been deleted.

      • floatingbones

        Your sniffer output shows that some [alleged] malware was [allegedly] searching for a particular hashtag. It is a huge leap of faith to presume that searching for hashtags means that there were actually C&C tweets coming from the malware vendor.

        Have you actually been searching for tweets containing the hashtag-du-jour? Have you found any? If you have found any, please say that. If you have, please provide a few samples. Thanks!

        AFAICT, the only thing that’s obvious about this story is that the claim grabbed a lot of media attention. Unfortunately, I’m old enough to remember the old Wendy’s commercial. We want to know: 

        Where’s the tweets?

  • alvarnell

    Can you confirm that this is disabled by disabling / deleting the five installed files that we know about?

  • Stinkbob Robrob

    Nice work. Also, what packet analyzer do you use?

  • microsaurio

    hmmm… the code means 5 FEBRUARY 2012, according to your table, ’cause yfad is for “2”. If the table begins at 0=1, then it is for MARCH 6 (pepb). But nice work, anyway.

  • http://www.intego.com Intego

    No. A file in Safari is altered, and that cannot be easily repaired.
