
Flashback Botnet Updated to Include Twitter as C&C

Attackers have updated the Flashback Trojan targeting Macs to use Twitter as a command and control mechanism, security researchers have found.

This is not the first time Twitter or other social networks have been utilized as command and control systems. In fact, in 2010, researchers at Sunbelt Software uncovered a botnet creation tool called TwitterNet Builder that used the micro-blogging site for this very purpose. In the case of Flashback, Twitter appears to be a secondary means of communication for attackers if the normal command and control server is not available.

[Image: Flashback Using Twitter as C&C Server]

“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=,” according to Dr. Web, the Russian security firm that first reported the mammoth size of the Flashback botnet earlier this month. “For example, some Trojan versions generate a string of the ‘rgdgkpshxeoa’ format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name.”
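The fallback behaviour Dr. Web describes gives defenders two things to look for: tweets carrying a hostname between bumpbegin and endbump tags, and proxy requests to the mobile Twitter search endpoint with a single date-derived token as the query. The following is an added example (not Dr. Web's or SecurityWeek's code) that extracts candidate control-server hostnames from sample tweets and flags matching search lookups in constructed proxy log lines; the hostnames, log lines and the 8-16 letter length bound on the search token are assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample tweets (not real Flashback traffic) in the format the
# article describes: a control-server address enclosed in bumpbegin/endbump.
SAMPLE_TWEETS = [
    "rgdgkpshxeoa bumpbeginexample-c2.test.endbump",      # hypothetical host
    "just a normal tweet with #rgdgkpshxeoa and no tags",
    "bumpbegin not a domain !! endbump",                   # tags, no hostname
    "bumpbeginEXAMPLE-c2.test.endbump duplicate",          # same host, upper-case
]

# Constructed proxy log lines; the first one matches the fallback lookup pattern.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [13/Apr/2012:10:02:11] "GET http://mobile.twitter.com/searches?q=rgdgkpshxeoa HTTP/1.1" 200',
    '10.0.0.7 - - [13/Apr/2012:10:03:40] "GET http://mobile.twitter.com/searches?q=mac%20security HTTP/1.1" 200',
    '10.0.0.9 - - [13/Apr/2012:10:05:02] "GET http://www.example.com/index.html HTTP/1.1" 200',
]

TAGGED = re.compile(r"bumpbegin(.*?)endbump", re.DOTALL)
# Conservative hostname check: dotted labels, letters/digits/hyphens, alphabetic TLD.
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
SEARCH_PATH = "mobile.twitter.com/searches"


def extract_c2_candidates(tweets):
    """Return unique, valid-looking hostnames found between bumpbegin/endbump tags."""
    found = []
    for text in tweets:
        for raw in TAGGED.findall(text):
            host = raw.strip().strip(".").lower()   # tolerate padding and a trailing dot
            if HOSTNAME.match(host) and host not in found:
                found.append(host)
    return found


def flag_fallback_lookups(log_lines, min_len=8, max_len=16):
    """Flag requests to the Twitter search endpoint whose q= value is one
    lowercase-letter token (the length bounds are an assumption, based on the
    12-letter example in the article). Returns (host, token) pairs."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if SEARCH_PATH not in token:
                continue
            url = urlparse(token if "://" in token else "http://" + token)
            q = parse_qs(url.query).get("q", [""])[0]   # parse_qs URL-decodes the value
            if re.fullmatch(rf"[a-z]{{{min_len},{max_len}}}", q):
                hits.append((url.hostname, q))
    return hits
```

Hostnames returned by extract_c2_candidates are candidates for blocklisting or sinkholing, the same action Dr. Web took when it registered the domains; a hit from flag_fallback_lookups indicates a host whose primary control server was already unreachable.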

The firm said it began to take over domains of this category on April 13, but the following day, the Twitter account registered by Dr. Web analysts had been blocked.

Attackers are increasingly on the lookout for stealthy ways to issue commands to their zombie computers. In a recent conversation with SecurityWeek, Trend Micro Vice President of Cybersecurity Tom Kellermann noted that recent advanced persistent threats (APTs) had actually used compromised computers within corporate networks to control armies of bots inside the enterprise, staying under the radar by limiting communication with outside servers.

Still, the use of Twitter as a malware command and control channel is a rarity, said Kaspersky Lab Senior Researcher Roel Schouwenberg.

“We see Twitter being used as a (back-up) C&C now and then,” he said. “The Flashback malware is a very recent example of this. I think the main reason cyber-criminals aren’t using it as often is because Twitter is very much out in the open, which is somewhat counter-intuitive to their nature – criminals prefer to hide. Twitter will be quite responsive in taking down offending accounts when the criminals’ activities are discovered. Most bad guys will want something that’s more concealed and reliable for their infrastructure.”

In the past several weeks, Flashback has claimed hundreds of thousands of Mac computers as victims on the back of a Java vulnerability (CVE-2012-0507) patched earlier this year. However, while many Mac users have not deployed the patch for the bug and have left their systems vulnerable, the patch rate for Java vulnerabilities among Mac users tends to be higher than among Windows users because Apple builds Java updates into updates for Mac OS X, said Marcus Carey, security researcher with Rapid7.

“Mac users have been patching Java 8-12 weeks after Oracle officially releases the Java patches,” he said. “The numbers I’ve seen indicate that a much higher percentage of Mac users were safe because Java updates were built directly into the Apple updates. The number of vulnerable PCs is much worse. Macs only account for around 10-15 percent of all users, but with this higher ratio of patched users, Mac users make up about 43 percent of overall patched systems. This means that while Macs have been vulnerable in the short term, their Java is more likely to be patched in the long term.”
