Six months ago, Flashback was attracting a lot of attention from researchers and media due to its wide spread and interesting features. Since then, we have witnessed its operator abandoning control of the botnet by shutting down its latest command and control server. This happened in May this year. The number of infected systems has significantly decreased since we last talked about it, thanks to the remediation efforts by the security community and to the security updates issued by Apple.
It appears that the operators of Flashback did not release any new binary to avoid detection and continue their operation with a new infrastructure. With the extinction of this threat, we are taking some time to wrap things up and publish a technical analysis of this threat.
In the paper, we give further details on how the binary is protected and how key information is removed from the first stage dropper to make tracking of the botnet harder. An example of a command and control address being removed from the binary is shown in the screenshot below.
The paper also explains how Flashback uses the __interpose section to hook the CFReadStreamRead and CFWriteStreamWrite. These hooks allow the malware to read data that is being sent on the network, even when using an encrypted connection, and change search results that are received on network connections. We also explain the format of the Flashback configuration and how the malware decrypts it using RC4 and decodes it with base64.
Finally, we detail how the authenticity of the command and control server is validated using RSA, making it much more resistant to impersonation attacks.
Many questions remain about OSX/Flashback: who were its authors, how much money did they make while running the malware, and did they move on to a new operation we have yet to learn about?
Author Pierre-Marc Bureau, ESET