Symantec experts decided to take a closer look at the Flashback Trojan that recently caused havoc among hundreds of thousands of Mac OS X users. The malware has been analyzed before, but this examination was conducted with the purpose of finding the cybercriminals’ motivation for launching this campaign.
To determine the approximate sum of money earned by the creators of Flashback, the researchers compared it to the W32.Xpaj.B ad-clicking Trojan that was making the rounds in August 2011.
If Xpaj made around $450 (342 EUR) per day with a botnet of 25,000 bots, the 650,000 machines that Flashback had taken over at its peak may have generated more than $10,000 (7,600 EUR).
This revenue was generated by an ad-clicking component that was downloaded by the initial OSX.Flashback.K component.
“The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click,” experts explained.
“Flashback uses a specially crafted user agent in these requests, which is actually the client’s universally unique identifier (UUID) encoded in base64. This is already sent in the ‘ua’ query string parameter, so it is likely that this is an effort to thwart ‘unknown’ parties from investigating the URL with unrecognised user-agents.”
A closer look at one of the samples revealed that, for instance, when users searched for “toys,” they were forcibly redirected to a third-party URL. By injecting this URL into the browser, the malware sent the victim to the arbitrary domain, hijacking the ad click that was originally meant for Google.
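The user-agent pattern described above gives defenders a simple thing to look for in proxy logs: a User-Agent header that decodes as base64 to nothing but a UUID, optionally with the same value in the ‘ua’ query parameter. The following is an added example written for this article, not Symantec’s or Flashback’s code; the log format, hostnames and UUID are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Canonical hyphenated UUID, e.g. 2f5a1e0c-1b2d-4c3e-8f90-0a1b2c3d4e5f
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Constructed proxy-log format: timestamp client "METHOD URL" "User-Agent"
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" "([^"]*)"$')

# Constructed sample (not real traffic). Line 2 mimics the pattern described
# in the article: the User-Agent is a base64-encoded UUID and the same UUID
# is sent in the 'ua' query parameter. Hosts and paths are placeholders.
SAMPLE_LOG = """\
2012-04-16T10:01:02Z 10.0.0.5 "GET http://www.google.com/search?q=toys" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) Safari/534.55.3"
2012-04-16T10:01:03Z 10.0.0.5 "GET http://redirect.example/ck?ua=2f5a1e0c-1b2d-4c3e-8f90-0a1b2c3d4e5f&q=toys" "MmY1YTFlMGMtMWIyZC00YzNlLThmOTAtMGExYjJjM2Q0ZTVm"
2012-04-16T10:01:04Z 10.0.0.7 "GET http://cdn.example/lib.js" "curl/7.21.4"
"""

def uuid_from_user_agent(user_agent):
    """Return the UUID if the User-Agent is nothing but a base64-encoded
    canonical UUID, otherwise None. Ordinary UAs fail strict base64 decoding."""
    try:
        decoded = base64.b64decode(user_agent, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded.lower() if UUID_RE.match(decoded) else None

def find_uuid_user_agents(log_text):
    """Scan proxy log lines; report requests whose User-Agent decodes to a
    UUID, and whether that UUID also appears in the 'ua' query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        ts, client, _method, url, ua = m.groups()
        client_id = uuid_from_user_agent(ua)
        if client_id is None:
            continue
        ua_param = parse_qs(urlparse(url).query).get("ua", [""])[0].lower()
        hits.append({
            "time": ts, "client": client, "host": urlparse(url).hostname,
            "uuid": client_id, "ua_param_matches": ua_param == client_id,
        })
    return hits

if __name__ == "__main__":
    for hit in find_uuid_user_agents(SAMPLE_LOG):
        print(hit)
```

The same check can be pointed at real proxy exports by adjusting `LOG_RE`; a UUID that both decodes from the User-Agent and matches the ‘ua’ parameter is the stronger signal.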
This means that the Flashback campaign not only generated considerable revenue for the cybercriminals, but also caused significant losses for Google.