Flashback Botnet May Have Earned Its Creators $10,000 A Day
May 1, 2012

Flashback Botnet May Have Earned Its Creators $10,000 A Day

Michael Harper for RedOrbit.com

The Flashback botnet has been busy lately. Not only has it been making headlines for nearly a month, it´s also been avoiding security patches and infecting Mac´s all the while. Now, a new report from security firm Symantec shows the Flashback botnet was also busy earning its makers cold hard cash to the tune of $10,000 a day.

At the height of its infection, the Flashback botnet controlled an estimated 700,000 Windows and OS X machines. According to Symantec, the Flashback botnet earned this money by stealing Google´s advertising dollars, redirecting clicks on infected computers to steal ad revenue.

With so many infected machines controlled by this botnet, Symantec estimates the creators of the malware could have earned an estimated $10,000 a day.

“The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker´s choosing, where they receive revenue from the click . (Google never receives the intended ad click.) The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to [a] malicious server.”

Symantec said the ad clicks were re-directed when the user of an infected computer searched for specific words. One such word was “toys.”

Flashback´s creators earned an estimated 0.08 cents per redirected click, making the scam a slow-game that paid off well in the end.

Recent research by Dr. Web, the first security firm to expose the botnet, says infected computers were controlled by Twitter.

Those machines which were compromised by the botnet were programmed to regularly search Twitter for commands, which were delivered as specific strings of letters. These commands would then direct the machines to websites which would give the machines further instruction.

Mac malware has been widely discussed since the Flashback botnet was discovered in early April. Not usually the target of such infections, initial estimates reported as many as 650,000 Macs  were a part of the botnet, not including infected windows machines.

Apple acknowledged the infection 5 days later and began to release a series of Java patches to address the problem..

Additionally, Apple also released software to find and remove the malware from any infected machine and vowed to choke the botnet out at the source. So far, it is not yet known if Apple has been able to do so.

In the weeks since the initial story broke, security firms like Dr. Web, Symantec, Sophos and Kaspersky have been debating about how large the botnet has become. Dr. Web insists the botnet has 550,000 computers which report back to the command-and-control center every 24 hours. Symantec, however, reported an initial drop in infected computers once Apple released the tools and patches, but said there are still around 140,000 computers still infected by the malware.

As always, caution is encouraged when surfing the web. Mac users should always install new updates from Apple as they are issued. Users wanting to fully protect themselves from the vulnerability can turn Java off altogether with few noticeable differences while browsing the web.