The Flashback malware that infected over 600,000 Macs at the beginning of April netted its creators somewhere around $10,000 per day, according to recent data. The Flashback variant was discovered at the beginning of April and was one of the most widespread outbreaks of malware ever to hit the Mac platform.
The Flashback malware took advantage of an unpatched vulnerability in Java to install on users’ Macs if they visited an infected website. Unlike most Mac-targeted malware, it required no interaction of any kind by the user, making it especially dangerous. Apple quickly released an update to Java that patched the exploit, then released another update that would remove Flashback from infected machines.
In all the hubbub over Flashback, though, it was never quite clear what Flashback did, what its purpose was. While some people write malware just for the fun of it, there is usually some deeper (i.e., monetary) purpose behind it. Well, according to a recent report by Symantec, Flashback is no different. When a user visited an infected website, the Flashback malware was installed, and then downloaded an ad-clicking component. Here’s how Symantec explains it:
The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click . (Google never receives the intended ad click.)
The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to the malicious server in the following form:
Flashback uses a specially crafted user agent in these requests, which is actually the clients universally unique identifier (UUID) encoded in base64. This is already sent in the “ua” query string parameter, so it is likely that this is an effort to thwart “unknown” parties from investigating the URL with unrecognised user-agents.
Upon further investigation, Symantec found that each individual click recorded was worth about $0.008 to whoever created Flashback. Given the rate of infection, they estimate that the malware made its creators as much as $10,000 per day, while costing Google a similar amount of money in lost revenues.
Unfortunately, creating malware is an extremely profitable business. Though Mac users have been largely immune to malware concerns in the past, the Flashback incident proves that they are not as safe as they might think. What’s more, even when a Mac is free of Mac-targeted malware (which is still relatively rare), as many as 20% of Macs are carriers for Windows-targeted malware. The moral of the story, then, is that if you don’t want your Mac infected and you don’t want your Mac to infect your friends’ Windows-based computers, then it’s probably time to bite the bullet and install some anti-virus software.