Hi, Habr!
The other day, our colleagues from the company Dr. Web found a botnet of more than 550 thousand Macs. "Here we go again," you say. But it's true! At the moment, more than 670 thousand infected computers have already been recorded worldwide, even though we Russian users are not particularly affected by it (see map):

But still, we will not miss the chance to once again dispel the myth of the platform's invulnerability, and maybe along the way we will help someone, because we never talk about Macs without instructions on disinfecting the computer and free lessons in anger management. So, for those who missed it, we repeat:
Trojan-Downloader.OSX.Flashfake.ab
The bot spreads via infected websites in the form of a Java applet, passed off as an update to Adobe Flash Player. The Java applet launches the first-stage loader, which downloads and installs the main component of the Trojan. The main component is a Trojan downloader that constantly connects to one of the command-and-control (C&C) servers and waits for commands to download and execute new components.
The bot finds its C&C servers by domain names that are generated using two algorithms. The first algorithm is based on the current date; the second uses several variables stored in the body of the bot in encrypted form. The encryption is based on RC4 and uses the computer's UUID (its unique hardware identifier) as the key.
We reverse-engineered the first domain generation algorithm and, based on the date of the study, 04/06/2012, generated and registered the domain name krymbrjasnof.com. Having registered the domain, we were able to log the requests coming from bots. Since each request from a bot contains the machine's unique hardware identifier (UUID), we were able to count the number of active bots. According to the log, in less than 24 hours more than 600,000 unique bots connected to our server, using more than 620,000 external IP addresses between them. More than half of all bots connected to our server from the United States.
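The counting described above, as an added example that is not part of the original post: a small parser over constructed sinkhole access-log lines (the log format is an assumption) that deduplicates bots by UUID, shows why the bot count and the external-IP count differ, and performs the kind of UUID lookup that the flashbackcheck.com microsite offers.

```python
import re
from collections import defaultdict

# Constructed sample of a sinkhole access log. The line format (timestamp,
# client IP, quoted request line, status) is an assumption for this example,
# not the real sinkhole's format. UUIDs and IPs are made up.
SAMPLE_LOG = """\
2012-04-06T10:00:01Z 198.51.100.7 "GET /E9B1A0F2-3C4D-4E5F-8A9B-0C1D2E3F4A5B/ HTTP/1.1" 200
2012-04-06T10:00:02Z 198.51.100.7 "GET /0F1E2D3C-4B5A-4978-8675-4433221100AA/ HTTP/1.1" 200
2012-04-06T10:05:00Z 203.0.113.9 "GET /e9b1a0f2-3c4d-4e5f-8a9b-0c1d2e3f4a5b/ HTTP/1.1" 200
2012-04-06T10:07:00Z 192.0.2.44 "GET /12345678-ABCD-4EF0-9876-543210FEDCBA/ HTTP/1.1" 200
2012-04-06T10:08:00Z 192.0.2.99 "GET / HTTP/1.1" 404
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"(?P<req>[^"]*)"')
UUID_RE = re.compile(r'\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b', re.IGNORECASE)


def parse_sinkhole_log(text):
    """Map each bot UUID (normalised to upper case) to the set of external IPs
    it was seen from. Lines carrying no UUID (scanners, people opening the
    sinkhole's root page in a browser) are not bots and are skipped."""
    bots = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = UUID_RE.search(m.group("req"))
        if not u:
            continue
        bots[u.group(0).upper()].add(m.group("ip"))
    return bots


def summarize(bots):
    """Unique bots versus unique external IPs. The two numbers differ because
    one bot can show up behind several addresses (the first UUID above) and
    several bots can share one NAT address (the first two log lines)."""
    ips = set().union(*bots.values())
    return {"unique_bots": len(bots), "unique_ips": len(ips)}


def check_uuid(uuid, bots):
    """flashbackcheck-style lookup: has this machine's UUID contacted the sinkhole?"""
    return uuid.upper() in bots


if __name__ == "__main__":
    seen = parse_sinkhole_log(SAMPLE_LOG)
    print(summarize(seen))  # {'unique_bots': 3, 'unique_ips': 3}
```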
So, in that post on the security account we determined the geographical distribution of active Flashfake bots:
| Country | Number of active bots |
| --- | --- |
| USA | 300917 |
| Canada | 94625 |
| Great Britain | 47109 |
| Australia | 41600 |
| France | 7891 |
| Italy | 6585 |
| Mexico | 5747 |
| Spain | 4304 |
| Germany | 4021 |
| Japan | 3864 |
Technical details will now remain forever in our database.
Treatment
Now we can determine whether your UUID has been recorded in the database of bots that contacted our sinkhole server. Detailed information on how to run this check, and recommendations on what to do in the event of infection, can be found at flashbackcheck.com.
Tens of thousands of people have already used our microsite flashbackcheck.com, and 2.7% of them found themselves in the database of infected machines. Mac OS X users can also check whether their computer is infected with Flashfake, and remove the malware if it is present, using a special free Kaspersky Lab utility.
10 tips
And of course, the long-awaited advice for our dear Mac users. Naturally, you already know all of it, but you are welcome to add your own or dispute it if you wish. The full text with screenshots showing where and how each step is done is located at the link: you can pass it along to less tech-savvy friends or the younger generation.
1. For everyday use, create an account without administrator rights.
2. Use a sandboxed browser with a good reputation for quickly closing security holes.
3. Uninstall the standalone version of Flash Player.
4. Deal with the Java problem.
5. Run Software Update and patch the computer as soon as updates are released.
6. Use a password manager to counter phishing attacks.
7. Disable IPv6, AirPort and Bluetooth when you don't need them.
8. Turn on full-disk encryption with FileVault (Mac OS X version 10.7 and higher).
9. Update Adobe Reader to version 10 or higher.
10. Install a good data protection solution.
If with this post we help at least one lost soul become safer, we will consider the post's mission accomplished. Although, quite possibly, that will take a repost on VKontakte ;)