Malware

Why the Flashback Botnet is a Threat

Posted on January 16th, 2014 by

Last week, Intego's Malware Research Team released new details about OSX/Flashback, which shows that the Flashback botnet is adrift with at least 22,000 infected machines. With our latest report we received a number of questions from readers and security journalists, so we would like to offer a bit more information and explain why the Flashback botnet is a threat. We'll also answer the top questions concerning the Mac malware.

Not everyone agrees with our current assessment of the threat. Larry Seltzer at ZDNet suggested that the Flashback botnet is “not a big concern.” Seltzer wrote:

In isolation, this number may look impressive, but considering the latest research on what versions of OS X are in use in the wild, it's not at all surprising. […] Even if we only consider the approximately 5% of Mac users running versions 10.5 and earlier, 22,000 is still well below 5% of the 600,000 said to be infected. Also, clearly some 10.6 users (still 20% of Macs) would have been infected before XProtect blocked Flashback, but never got a removal tool. This is all assuming that everyone applies updates all the time, and only 10.9 users are going to be getting those from now on.

While the 22,000 Mac botnet is relatively small compared to the original 600,000 infected machines, it’s still a very large number of computers forming a botnet, and even more so with them being Macs. According to Computerworld, an estimated 20,000 bots can blast out 5 billion spam messages a day.

Others are also skeptical of the threat. In response to our latest research, Gene Steinberg at Tech Night Owl discussed his take on Mac malware, and wrote, “All right, so it's still around, but, as I said, if your Mac has the latest version of Java, and you keep up with OS X updates, your [sic] not susceptible to the infection. If you can avoid anything that requires Java, you won't have to worry.” However, the issue isn’t whether new or clean Macs will be infected specifically with Flashback; there’s an imminent threat for those who remain infected if a malicious entity took control of future domain names, and it could include new Mac malware.

Dan Goodin over at Ars Technica commented on the risks the botnet poses, saying, “Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into a Flashback algorithm, assuming they know how the internals of the malware works.” There is good news, however, as Goodin found through correspondence with one of our malware researchers:

Apple countered the threat by reverse engineering the domain-generation algorithm and buying all of the names through the end of 2013. That prevented [Intego] or anyone else outside of Apple from monitoring the Flashback botnet. […] Over the past few days, Apple has bought all of the 2014 domains.

Since Apple purchased the domain names for an additional year through 2014, the botnet will be quiet for another year. That's a good thing for the safety of those who remain infected. But after January 1, 2015, the server domains that Flashback-infected computers report to is up for grabs—and this presents a real threat.

That said, as Larry Seltzer pointed out, this might not be a big deal. Counter-action against the malware is relatively simple. Apple or other good guys can basically register a ton of domains to keep the botnet from being monitored by the bad guys. But it will be a big deal if nobody buys the domains before a malware author.

To further clarify why the Flashback botnet is a threat, Intego’s Malware Research Team has provided answers to some of the top questions concerning the malware:

Why was Intego only able to determine the number of machines infected with Flashback now if the malware is more than a year and a half old?

Intego was able to register the domain names requested by infected Macs, which allowed us to analyze the traffic to these domains and the number of machines connecting to them. Without access to these domain names, the botnet's activity is invisible to us.

Will Intego be able to analyze Flashback again?

Unless we purchase available domains before anyone else, no. We hope that Apple will do so and purchase the domains for 2015 after getting all those for 2014. The longer they wait, the more chances there are that these domains will be acquired by malicious entities. A hacker won't do it a year in advance though, since we would notice a domain is taken and not under Apple's control, and may be able to track them through the domain's registrar.

Why do Intego's sinkhole server logs show machines appearing as Windows NT 6.1?

The malware uses user-agent spoofing to hide its identity on the network. The next bit of user agent info in the logs is "WOW64," which corresponds to activity coming from World of Warcraft’s can refer to 64-bit Windows (hat tip to Josh Long for the correction), but appears to be random as well. That string is not to be mistaken as a Windows string.

While that string is also used in a version of Internet Explorer (IE) on Windows and can be used elsewhere in other products which use HTTP, in this case, the string was not set and fixed by the user's browser. It's not a user-agent string like a browser would send through a normal HTTP request to a server. The C&C server recognizes that string because the malware author randomly decided to recognize that string (in a literal sense), not because the string is used by IE in Windows.

To clarify, that string is part of the communication protocol between the malware and its server. The string is transmitted from the infected machine to its C&C companion server for it to be authenticated. If the string is not sent to the C&C server, or a different string is sent, the machine sending it is blacklisted by the C&C server.

What are the solutions to counter Flashback?

Buying all the available domain names generated for every day with five TLDs (.com, .net, .info, .in, .kz) assures that no new instructions are delivered to infected machines, but it doesn't get rid of the malware on those Macs. The only way to get rid of it is to keep the OS up-to-date (OS versions, security updates, etc.), or install security software (award-winning VirusBarrier, for example).

What could happen if a malicious entity took control of future domain names?

A hacker could deliver new instructions to the botnet to render it invisible from us in the future. Since we cracked the algorithm that generates the domain names we can see which will be requested and when, but an update to that algorithm could change which domains are requested next. This means we would lose the chance to get in front of it by registering more domains until we figure out the new algorithm.

The malware could also erase a user's hard drive, access their files, install key loggers to steal passwords and credit card info, or even worse, deliver the payload for a new malware.


Intego strongly encourages all Mac users to verify that their machine is not infected with Flashback. Mac users can download our top ranked antivirus product, Intego VirusBarrier, to find and remove any variant of Flashback, and any other malware on your Mac.