Flashback Botnet Updated to Include Twitter as C&C

Attackers have updated the Flashback Trojan targeting Macs to use Twitter as a command and control mechanism, security researchers have found.

This is not the first time Twitter or other social networks have been utilized as command and control systems. In fact, in 2010, researchers at Sunbelt Software uncovered a botnet creation tool called TwitterNet Builder that used the micro-blogging site for this very purpose. In the case of Flashback, Twitter appears to be a secondary means of communication for attackers if the normal command and control server is not available.

“If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=,” according to Dr. Web, the Russian security firm that first reported the mammoth size of the Flashback botnet earlier this month. “For example, some Trojan versions generate a string of the “rgdgkpshxeoa” format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name.”

The firm said it began to take over domains of this category on April 13, but the following day, the Twitter account registered by Dr. Web analysts had been blocked.

Attackers are increasingly on the lookout for stealthy ways to issue commands to their zombie computers. In a recent conversation with SecurityWeek, Trend Micro Vice President of Cybersecuity Tom Kellermann noted that recent advanced persistent threats (APTs) had actually used compromised computers within corporate networks to control armies of bots inside the enterprise in order to stay under the radar by limiting communication with outside servers.

Still, the use of Twitter as a malware command and control however is rarity, said Kaspersky Lab Senior Researcher Roel Schouwenberg.

“We see Twitter being used as a (back-up) C&C now and then,” he said. “The Flashback malware is a very recent example of this. I think the main reason cyber-criminals aren’t using it as often is because Twitter is very much out in the open, which is somewhat counter-intuitive to their nature – criminals prefer to hide. Twitter will be quite responsive in taking down offending accounts when the criminals’ activities are discovered. Most bad guys will want something that’s more concealed and reliable for their infrastructure.”

In the past several weeks, Flashback has claimed hundreds of thousands of Mac computers as victims on the back of a Java vulnerability (CVE-2012-0507) patched earlier this year. However, while many Mac users have not deployed the patch for the bug and left the systems vulnerable, the patch rate for Java vulnerabilities among Mac users tends to be higher than Windows users due to Apple building Java updates into updates for Mac OS X, said Marcus Carey, security researcher with Rapid7.

“Mac users have been patching Java 8-12 weeks after Oracle officially releases the Java patches,” he said. “The numbers I’ve seen indicate that a much higher percentage of Mac users were safe because Java updates were built directly into the Apple updates. The number of vulnerable PCs is much worse. Macs only account for around 10-15 percent of all users, but with this higher ratio of patched users, Mac users make up about 43 percent of overall patched systems. This means that while Macs have been vulnerable in the short term, their Java is more likely to be patched in the long term.”

Related: Everything You’ve Always Wanted to Know About Flashback