Today’s blog is a quick follow-up to the OSX.Flashback.K issue. The statistics from our sinkhole show declining numbers on a daily basis. However, we had originally expected a much steeper decline in infections by this point, and that has not been the case. The number of infected computers has tapered off, but it remains around the 140,000 mark.
As there have been tools released by Symantec and other vendors in the past few days concerning this threat, the infection numbers should have seen a dramatic decrease by now. If you suspect that your Mac has been infected with OSX.Flashback.K, it is recommended to install the latest patches, ensure that your antivirus is up to date with the latest signatures, and to use the free Norton Flashback Detection and Removal Tool.
Sinkhole
Please note, the sinkhole domain was unavailable on April 12th.
Command-and-control (C&C) servers
Further analysis on the domain name generator (DNG) algorithm has revealed that Flashback does not limit itself to using “.com” as the top level domain (TLD).
It chooses from the following five TLDs:
- .com
- .in
- .info
- .kz
- .net
The graphic below lists the upcoming C&C servers that are to be contacted by OSX.Flashback.K over the coming week.
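A defender can turn the TLD list above into a simple triage check on DNS query logs: a client that resolves several distinct, unrelated registered domains spread across those five TLDs in a short window is worth a closer look. The script below is an added example, not Symantec code; the log format and the sample lines are constructed, and it knows nothing of the actual generation algorithm (which the post does not publish), so it only surfaces candidates for manual review.

```python
import re
from collections import defaultdict

# TLDs the Flashback domain generator draws from, as listed in the post
FLASHBACK_TLDS = ("com", "in", "info", "kz", "net")

# Constructed sample DNS query log: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2012-04-12T10:00:01 10.0.0.5 www.apple.com
2012-04-12T10:00:02 10.0.0.7 kq3v8xz7lp.info
2012-04-12T10:00:03 10.0.0.7 z9rq2mvb4t.kz
2012-04-12T10:00:04 10.0.0.7 p7lx3nqw8c.in
2012-04-12T10:00:05 10.0.0.7 mx4tq9vb2w.net
2012-04-12T10:00:06 10.0.0.7 r2kd7yq8ch.com
2012-04-12T10:00:07 10.0.0.5 mail.google.com
2012-04-12T10:00:08 10.0.0.9 update.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registered_domain(name):
    """Return (second-level label, tld) for a queried name, or None."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]

def flag_dga_clients(log_text, min_distinct=4):
    """Return {client: sorted domains} for clients that resolved at least
    `min_distinct` distinct registered domains under the Flashback TLD set
    and touched more than one of those TLDs (the sweep a DGA produces)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname = m.groups()
        rd = registered_domain(qname)
        if rd and rd[1] in FLASHBACK_TLDS:
            seen[client].add(".".join(rd))
    flagged = {}
    for client, domains in seen.items():
        tlds = {d.rsplit(".", 1)[1] for d in domains}
        if len(domains) >= min_distinct and len(tlds) > 1:
            flagged[client] = sorted(domains)
    return flagged

if __name__ == "__main__":
    for client, domains in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, domains)
```

In production, feed it a sliding time window and an allowlist of known-good domains; legitimate clients also touch .com and .net, which is why the threshold counts distinct registered domains rather than raw queries.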
Vulnerability
The recent Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability (CVE-2012-0507, BID 52161) used to distribute the Flashback Trojan has now also been seen distributing another Mac threat: OSX.Sabpab.
OSX.Sabpab has also been seen in targeted attacks distributed with malicious Word documents exploiting the Microsoft Word Record Parsing Buffer Overflow Vulnerability (CVE-2009-0565, BID 35190).
Again, it is paramount that you have the latest antivirus signatures installed and have applied the latest available patches for both the operating system and third-party applications.
Payload C&C server
The Flashback payload is considerably larger than the initial stage downloading component. Analysis is ongoing; however, one of the new features of the Trojan is that it can now retrieve updated C&C locations through Twitter posts by searching for specific hashtags generated by the OSX.Flashback.K hashtag algorithm.
Removal tool
Please visit our website at www.symantec.com for more information about this threat and how to protect your computers from harm. A free detection and removal tool for the OSX.Flashback.K issue, the “Norton Flashback Detection and Removal Tool”, is available for download.