Flashback Mac Malware Uses Twitter as Command and Control Center

Posted on March 5th, 2012 by

The Flashback malware, which Intego pointed out was infecting an increasing number of Macs, turns out to be using a novel technique to operate. Many types of malware use command and control servers that they connect to, in order to get instructions from the creators of the malware. The problem with using these servers is that their IP addresses are specified in the malware code, and the servers can generally be taken down.

Flashback, however, uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags aren't as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego's malware research team cracked the 128-bit RC4 encryption used for Flashback's code and discovered the keys to this system.

The hashtags are made up of twelve characters. There are four characters for the day, four characters for the month, and four characters for the year. The characters used are in the following table:


0 gbqj 18 kudd
1 dljt 19 nwal
2 yfad 20 hmca
3 kpsh 21 dqyo
4 igaw 22 kkag
5 pepb 23 viqt
6 ezcn 24 wpld
7 hwpd 25 nsiy
8 drir 26 myvo
9 rnwp 27 rgel
10 updw 28 zlxl
11 jsng 29 djno
12 xeoa 30 beti
13 rgdg 31 ewof
14 aofl 32 mqan
15 oeur 33 xsco
16 dspu 34 jfiq
17 jyuv


The following is a screenshot of output from a network packet analyzer when the Flashback malware was searching for the hashtag #pepbyfadxeoa, for today, March 5, 2012:

In addition, to make its requests harder to spot for anyone checking logs, the malware uses a number of different user agents. Here are some examples:

  • Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; HTC; 7 Mozart T8698)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; HTC; mwp6985)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; SAMSUNG; SGH-i917)
  • Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
  • Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A5302b Safari/7534.48.3
  • Mozilla/5.0 (PWNED iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5

There is no guarantee that there will be tweets every day, but Intego is monitoring Twitter, looking for these specific hashtags, and Intego VirusBarrier X6's web threat protection has been updated to block searches using these combinations of characters.

It's worth noting that the people behind the Flashback malware most likely do not send commands every day, and certainly delete their tweets, as Intego has found no past tweets in its searches. However, the malware clearly sends these HTTP requests, looking for such tweets.
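The hashtag scheme and the monitoring it enables, as an added example that is not Intego's code: the table above becomes a lookup, the index rule is taken from the article's own example (#pepbyfadxeoa for March 5, 2012, i.e. day, month minus one, year minus 2000; applying it to other dates is an assumption), and a short function flags proxy log lines that search for that day's tag. The log lines and the search URL are constructed placeholders; only the hashtag and the user-agent strings come from the page.

```python
from datetime import date, timedelta
from urllib.parse import unquote

# Added example, not Intego's code. The 35 four-letter groups from the
# article's table, in index order 0..34.
GROUPS = [
    "gbqj", "dljt", "yfad", "kpsh", "igaw", "pepb", "ezcn", "hwpd", "drir", "rnwp",
    "updw", "jsng", "xeoa", "rgdg", "aofl", "oeur", "dspu", "jyuv", "kudd", "nwal",
    "hmca", "dqyo", "kkag", "viqt", "wpld", "nsiy", "myvo", "rgel", "zlxl", "djno",
    "beti", "ewof", "mqan", "xsco", "jfiq",
]


def flashback_hashtag(year: int, month: int, day: int) -> str:
    """Hashtag (without '#') for one date, indexed the way the article's own
    example #pepbyfadxeoa (5 March 2012) implies: day 5 -> GROUPS[5] 'pepb',
    March -> GROUPS[2] 'yfad' (month - 1), 2012 -> GROUPS[12] 'xeoa'
    (year - 2000). Extending that rule to other dates is an assumption here."""
    return GROUPS[day] + GROUPS[month - 1] + GROUPS[year - 2000]


def hashtag_watchlist(year: int, month: int, day: int, days: int) -> list[str]:
    """Hashtags for `days` consecutive dates, e.g. for a proxy block list or a Twitter monitor."""
    start = date(year, month, day)
    return [flashback_hashtag(d.year, d.month, d.day) for d in (start + timedelta(days=n) for n in range(days))]


def flag_hashtag_searches(log_lines: list[str], year: int, month: int, day: int) -> list[str]:
    """Proxy log lines whose request, once URL-decoded, carries that date's hashtag."""
    tag = "#" + flashback_hashtag(year, month, day)
    return [line for line in log_lines if tag in unquote(line)]


# Constructed sample proxy log lines (not from the article). The search URL is
# a placeholder; only the hashtag and the user-agent strings come from the page.
SAMPLE_LOG = [
    '2012-03-05 09:14:02 10.0.0.7 GET http://twitter-search.example/?q=%23pepbyfadxeoa '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0; HTC; 7 Mozart T8698)"',
    '2012-03-05 09:14:05 10.0.0.9 GET http://news.example/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)"',
    '2012-03-05 11:02:41 10.0.0.7 GET http://twitter-search.example/?q=%23pepbyfadxeoa '
    '"Mozilla/5.0 (PWNED iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5"',
]

if __name__ == "__main__":
    print(flashback_hashtag(2012, 3, 5))                  # pepbyfadxeoa
    print(hashtag_watchlist(2012, 3, 5, 3))
    for hit in flag_hashtag_searches(SAMPLE_LOG, 2012, 3, 5):
        print("FLAG:", hit)
```

Because the hashtag changes daily, a block list built from hashtag_watchlist needs to be regenerated ahead of time rather than once.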

  • floatingbones

    The claim is interesting. I see no evidence that #pepbyfadxeoa is actually being used for communicating of anything on Twitter. Intego’s claim would have a lot more credibility if they told us a past hashtag that actually had some real traffic on it.

    • Intego

      The tweets have obviously been deleted.

      • floatingbones

        Your sniffer output shows that some [alleged] malware was [allegedly] searching for a particular hashtag. It is a huge leap of faith to presume that searching for hashtags means that there were actually C&C tweets coming from the malware vendor.

        Have you actually been searching for tweets containing the hashtag-du-jour? Have you found any? If you have found any, please say that. If you have, please provide a few samples. Thanks!

        AFAICT, the only thing that’s obvious about this story is that the claim grabbed a lot of media attention. Unfortunately, I’m old enough to remember the old Wendy’s commercial. We want to know: 

        Where’s the tweets?

        • Stephen Akaka

          I think my weird ex girlfriend is using this to manipulate my phone. She has a Twitter account she’s never used. She used to send pics through email that had UNIX command files embedded in them where she was able to remotely purchase things through my Amazon account causing hundreds in overdraft fees. I’ve spent hours trying to figure this out and am still lost but I’m getting closer. I remember one night she grabbed my phone and disappeared for about 45 minutes. I’ve tried a factory wipe and it didn’t help. I now don’t even open her emails, I simply delete them and cut all ties. I’m thinking I’ll have to trash this 7 month old iPhone 6 ’cause I can’t get rid of the thing she put on. One more note, it has something to do with the SIM card and the number sequence stamped on it. Any help out there?

          • Al Varnell

            Well, it certainly has nothing to do with Flashback, which has been extinct for over three years now and never was used to infect iPhones. From what you have said I seriously doubt that anything on your iPhone is the cause of this. Much more likely to be a hack of your iCloud account.

          • Stephen Akaka

            After much thought into this I believe you’re right. I’m in my logs list and it’s showing “addressbooksourcesync” and this is weird @6:15 am “fmfd:I utilized sandbox” then “remote error: the operation couldn’t be completed (error 2)”. The next morning after I changed my Apple ID and password. Is that indicative of some kind of remote access?

          • Stephen Akaka

            This was on my metric logs. I have a Twitter account and the app but haven’t used it in 6 months

            “os_version”:”iPhone OS 9.0 (13A344)”,”bug_type”:”167″,”timestamp”:”2015-09-22 17:40:15.15 -1000″}
            Incident ID:B0B67970-D2EE-426C-ACD3-3726FCB85E8E
            Hardware Model: iPhone5,1
            OS Version: iOS 9.0 (13A344)
            System ID:
            2015-09-22 12:55:39 -1000 accountsd[88]: com.TapMediaLtd.QRReader:1;response:0;kTCCServiceTwitter:1;jitVisible:0;jitVisibleTime:0

            I wonder what it means. I apologize for my ignorance but I’m really new to all this hacker stuff. It is fascinating though.

  • alvarnell

    Can you confirm that this is disabled by disabling / deleting the five installed files that we know about?

  • Stinkbob Robrob

    Nice work. Also, what packet analyzer do you use?

  • microsaurio

    hmmm… the code means 5 FEBRUARY 2012, according to your table, ’cause yfad is for “2”. If the table begins as 0=1, then it is for MARCH 6 (pepb). But nice work, anyway.

  • Intego

    No. A file in Safari is altered, and that cannot be easily repaired.