A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12543  by rkhunter
 Fri Apr 06, 2012 5:45 pm
Over 550 000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8% or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is the fourth.
http://news.drweb.com/?i=2341&c=5&lng=en&p=0


Kaspersky confirms information.

http://www.securelist.com/en/blog/20819 ... _confirmed
We reverse engineered the first domain generation algorithm and used the current date, 06.04.2012, to generate and register a domain name, "krymbrjasnof.com". After domain registration, we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses. More than 50% of the bots connected from the United States.

Kaspersky guy -
We used passive OS fingerprinting to confirm the Flashfake botnet victims are mostly MacOS X computers.
http://news.cnet.com/8301-13579_3-57410 ... g-problem/
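The bot-counting method Kaspersky describes above (count unique hardware UUIDs from sinkhole requests rather than source IPs) as an added example, not code from the original post or from either vendor. The log format, field order and all UUIDs/IPs below are constructed assumptions for illustration; a real sinkhole would feed its own web-server log into summarize().

```python
"""Aggregate sinkhole requests from a DGA-sinkholed botnet by bot identity.

Each request carries the infected machine's hardware UUID, so unique UUIDs
give the bot count, while unique source IPs both over-count (DHCP churn,
one bot seen from several IPs) and under-count (NAT, several bots behind
one IP). Log format and sample data are constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Assumed line format: "<timestamp> <src_ip> <country> GET <path>?uuid=<UUID>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<cc>[A-Z]{2}) "
    r"GET \S+\?uuid=(?P<uuid>[0-9A-Fa-f-]{36})"
)

# Constructed sample: two bots behind one NAT IP, one bot roaming across
# two IPs, one bot polling twice, plus a line that must be ignored.
SAMPLE_LOG = """\
2012-04-06T00:01:02Z 203.0.113.5 US GET /?uuid=AAAAAAAA-0000-0000-0000-000000000001
2012-04-06T00:01:05Z 203.0.113.5 US GET /?uuid=AAAAAAAA-0000-0000-0000-000000000002
2012-04-06T00:02:10Z 198.51.100.7 CA GET /?uuid=AAAAAAAA-0000-0000-0000-000000000003
2012-04-06T06:02:10Z 198.51.100.9 CA GET /?uuid=AAAAAAAA-0000-0000-0000-000000000003
2012-04-06T07:00:00Z 192.0.2.44 GB GET /?uuid=AAAAAAAA-0000-0000-0000-000000000004
2012-04-06T07:30:00Z 192.0.2.44 GB GET /?uuid=AAAAAAAA-0000-0000-0000-000000000004
malformed line that does not match the expected format
"""


def parse(lines):
    """Yield parsed records, silently skipping lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    ips_per_uuid = defaultdict(set)   # bot -> IPs it was seen from
    uuids_per_ip = defaultdict(set)   # IP -> bots seen behind it
    bot_country = {}                  # bot -> country of first sighting
    for rec in parse(log_text.splitlines()):
        ips_per_uuid[rec["uuid"]].add(rec["ip"])
        uuids_per_ip[rec["ip"]].add(rec["uuid"])
        bot_country.setdefault(rec["uuid"], rec["cc"])
    bots = len(ips_per_uuid)
    share = {cc: round(100.0 * n / bots, 1)
             for cc, n in Counter(bot_country.values()).items()}
    return {
        "bots": bots,                        # unique hardware UUIDs
        "ips": len(uuids_per_ip),            # unique external IPs
        "nat_ips": sum(1 for s in uuids_per_ip.values() if len(s) > 1),
        "roaming_bots": sum(1 for s in ips_per_uuid.values() if len(s) > 1),
        "share_pct": share,                  # per-country share of bots
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```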
 #12594  by EP_X0FF
 Tue Apr 10, 2012 9:15 am
Sure, it doesn't know who Dr.Web is. Nothing else can be expected from a company that is somehow (a few percent of the market) known even in its own native region.
 #12595  by rkhunter
 Tue Apr 10, 2012 9:16 am
EP_X0FF wrote: Sure, it doesn't know who Dr.Web is. Nothing else can be expected from a company that is somehow (a few percent of the market) known even in its own native region.
Exactly.
 #12607  by Xylitol
 Tue Apr 10, 2012 8:58 pm
No idea if there is already a sample available on the net; I'm just back on the net and haven't checked these files, but they are all detected as Trojan-Downloader.OSX.Flashfake.ab by KAV.
cf here ~ http://www.securelist.com/en/blog/20819 ... _confirmed
Samples in attachment (25)

Some other samples requested from the same family: http://www.kernelmode.info/forum/viewto ... 430#p12604

edit: ah sorry, I hadn't seen this thread http://www.kernelmode.info/forum/viewto ... =16&t=1572 ; could a mod merge my thread into that post? ;)
Attachment: infected (504.19 KiB)