Security Response

OSX.Flashback – How to Turn Your Botnet into $$$

Created: 16 May 2012 17:58:38 GMT • Updated: 23 Jan 2014 18:15:34 GMT • Translations available: 日本語
By Symantec Security Response

Further analysis of the OSX.Flashback botnet has shed more light on how profitable such a botnet can be. Previously, we wrote that OSX.Flashback was generating money for its authors by displaying advertisements on compromised computers. We now have a much clearer idea of how many ads the attackers were displaying and how much those ads earned for the attackers.

From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks, although it is worth mentioning that earning the money is only one part of the puzzle—actually collecting that money is another, often more difficult, job. Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid.

We estimate that the ad-clicking component of Flashback was installed on only about 10,000 of the more than 600,000 infected machines. In other words, using less than 2% of the entire botnet, the attackers were able to generate $14,000 in three weeks; had they been able to use the entire botnet, they could potentially have earned millions of dollars a year.

For someone who is controlling a botnet of this magnitude, there are plenty of options. Recently we have seen many botnets using fraudulent ads to generate revenue for attackers. That is exactly the case with Flashback: the operators decided to leverage their botnet to commit fraudulent ad-clicks, also known as click fraud.

Analyzing the traffic delivered from the Flashback command-and-control (C&C) servers, we were able to follow the redirects used by the attackers. Compromised computers pass users' search keywords to the attackers. The attackers then contact various pay per click (PPC) services and route the ads from the PPC providers to the compromised computer—in the process earning money for those ads from the PPC providers.

We were able to identify patterns in the traffic sent to the compromised computers showing that the Flashback operators prefer some PPC providers over others. In fact, over 98% of the ads being sent to compromised computers appear to originate from the same PPC provider. In such cases the attackers take advantage of both users and the PPC providers: they are paid for ads that may never have been seen by users and that may not be relevant to what the user searched for.

Process – Getting Paid

The OSX.Flashback bot-master hijacked Google’s search results and displayed their own PPC search results to create conversions. In the non-mainstream PPC world, the keywords that pay out the most are usually related to pharmaceutical products, debt and mortgage consolidation, and auto insurance. Low-demand search keywords such as yarn, glue, silly putty, etc. are usually the least expensive to use, but pay out considerably less.

Although the authors of Flashback had the opportunity to send users ads for search terms other than what the user had searched for, they chose not to. If a user searches for “toys” they are returned ads related to toys, which likely helps the traffic pass the auditing that pay-per-click providers put in place. A search for “toys” on Google, for instance, is hijacked by OSX.Flashback and the C&C server sends back the following encoded URL:

[http://][IP ADDRESS]/click.php?id=oilZLmquP5Xbg7U282f16g_6-uBw5r_xrTrfouhLHbOkwDfu0QZN4X21K6rK98QROh[REMOVED]

This URL redirects the user to the following URL that is related to the original search term “toys”:

[http://][REMOVED]search.net/?login=[REMOVED]&search=toys
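The redirect chain shown here, and the keyword-forwarding flow described earlier (the compromised Mac reports the search term, the C&C answers with a click.php?id= URL that redirects to a PPC feed echoing that term), is what a network defender would hunt for in proxy logs. The following is an added example, not Symantec's tooling or Flashback's code: a small Python detector run over constructed Squid-style log lines, with 203.0.113.10 and feed.example-search.net standing in as placeholders for the [REMOVED] hosts above. Beyond the exact case in the post it also grades the two looser cases the text mentions, a feed that receives a different (pricier) keyword than the user searched for, and click traffic with no preceding user search at all.

```python
"""Detection logic for the OSX.Flashback search-hijack chain described above.

Added example with constructed proxy log lines; it is not Symantec's tooling,
and the hosts (203.0.113.10, feed.example-search.net) are placeholders for the
[REMOVED] values in the post.  The chain we look for is:
  1. the client issues a real search (www.google.com/search?q=<term>);
  2. within seconds it fetches /click.php?id=<opaque> from a bare IP, which
     answers with a 302;
  3. the 302 target is a PPC feed whose ?search= parameter repeats <term>.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed Squid-style log: ts client method url status redirect_target ("-" if none).
SAMPLE_LOG = """\
2012-04-10T12:00:01 10.0.0.5 GET https://www.google.com/search?q=toys 200 -
2012-04-10T12:00:02 10.0.0.5 GET http://203.0.113.10/click.php?id=oilZLmquP5Xbg7U282f16g 302 http://feed.example-search.net/?login=abc123&search=toys
2012-04-10T12:00:03 10.0.0.5 GET http://feed.example-search.net/?login=abc123&search=toys 200 -
2012-04-10T12:05:00 10.0.0.7 GET https://www.google.com/search?q=yarn 200 -
2012-04-10T12:05:04 10.0.0.7 GET http://203.0.113.10/click.php?id=QmFkSWQ 302 http://feed.example-search.net/?login=abc123&search=mortgage
2012-04-10T12:09:00 10.0.0.9 GET http://203.0.113.10/click.php?id=AAAA 302 http://feed.example-search.net/?login=abc123&search=toys
2012-04-10T12:30:00 10.0.0.5 GET https://www.google.com/search?q=glue 200 -
2012-04-10T12:30:45 10.0.0.5 GET https://www.amazon.com/s?k=glue 200 -
"""

# Search engines whose query parameter carries the user's keywords.
SEARCH_ENGINES = {"www.google.com": "q", "www.bing.com": "q"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDOW = timedelta(seconds=10)   # the hijack fires right after the search

Event = namedtuple("Event", "ts client method url status target")
Finding = namedtuple("Finding", "client ts searched landed confidence")


def parse_line(line):
    ts, client, method, url, status, target = line.split(maxsplit=5)
    return Event(datetime.fromisoformat(ts), client, method, url, int(status),
                 None if target == "-" else target)


def query_param(url, name):
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def search_term(url):
    """Keyword the user typed, if this is a request to a real search engine."""
    param = SEARCH_ENGINES.get(urlparse(url).hostname)
    return query_param(url, param) if param else None


def is_click_redirector(ev):
    """Bare-IP /click.php?id=... that answers with a redirect, as the C&C did."""
    p = urlparse(ev.url)
    return (p.hostname is not None and BARE_IP.match(p.hostname) is not None
            and p.path.endswith("/click.php")
            and query_param(ev.url, "id") is not None
            and ev.status in (301, 302) and ev.target is not None)


def detect_hijacks(log_text):
    """One Finding per click.php redirect, graded by how well it fits the chain:
    high   - preceded within WINDOW by a search whose term the PPC feed echoes
    medium - preceded by a search, but the feed got a different (pricier) term
    low    - no recent search at all (the bot clicking on its own)."""
    last_search = {}          # client -> (ts, term)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        term = search_term(ev.url)
        if term is not None:
            last_search[ev.client] = (ev.ts, term)
            continue
        if not is_click_redirector(ev):
            continue
        landed = query_param(ev.target, "search")
        prior = last_search.get(ev.client)
        if prior is None or ev.ts - prior[0] > WINDOW:
            findings.append(Finding(ev.client, ev.ts, None, landed, "low"))
        elif landed == prior[1]:
            findings.append(Finding(ev.client, ev.ts, prior[1], landed, "high"))
        else:
            findings.append(Finding(ev.client, ev.ts, prior[1], landed, "medium"))
    return findings


if __name__ == "__main__":
    for f in detect_hijacks(SAMPLE_LOG):
        print(f"{f.confidence:6} {f.client} searched={f.searched!r} ppc_feed_got={f.landed!r}")
```

The bare-IP plus /click.php?id= signature is deliberately narrow, because that is what the captured traffic shows; on a real proxy you would key the first stage off the C&C indicators you actually have (IPs, the encoded id format) and widen the search-engine table. Keying the high-confidence grade on the keyword match is what separates a hijacked human search from the bot clicking by itself, which is exactly the distinction a PPC provider's audit tries to draw.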

Even though only a small fraction of the more than 600,000 compromised computers redirected users, the attackers still managed to display over 10 million ads in a three-week period, generating $14,000 in revenue in that time. Had the attackers been more successful in installing the final payload, they could have been earning considerably more, which makes this a profitable model for the attackers. Although pay-per-click botnets are not a new idea—we have seen them on Windows for years—as the market share of the Mac increases, we expect to see more Mac botnets similar to this one in the future.