Researchers peer inside OS X-based Flashback trojan botnet after taking control of command server

“The Flashback trojan that hijacked well over 500,000 Macs at its peak is still clinging to life, with about 22,000 infected machines in recent days, a security researcher said,” Dan Goodin reports for Ars Technica.

“The compromised Macs were observed connecting to command and control servers that had been ‘sinkholed’ — meaning taken over for research or security purposes — by analysts from security firm Intego,” Goodin reports. “During a five-day period ending January 7, 22,000 Flashback-infected computers reported to server domains recently acquired by Intego, Arnaud Abbati, a researcher with the company, wrote in a blog post. Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into a Flashback algorithm, assuming they know how the internals of the malware work.”

“Abbati went on to say that Apple countered the threat by reverse engineering the domain-generation algorithm and buying all of the names through the end of 2013. That prevented him or anyone else outside of Apple from monitoring the Flashback botnet. Then, at the beginning of the year, Apple briefly failed to purchase some domain names, making it possible once again for Intego to peer into the inner workings of Flashback. Over the past few days, Apple has bought all of the 2014 domains,” Goodin reports. “Abbati said that’s a good thing for the safety of those who remain infected.”

Read more in the full article here.

Related articles:
Mac Flashback trojan hacker may have been identified, researcher says FBI will likely investigate – April 4, 2013
Apple releases Flashback Removal Security Update for Leopard, Leopard Security Update 2012-003 – May 14, 2012
Symantec: Mac Flashback trojan infections declining rapidly, have dropped six-fold in a week – April 18, 2012
Apple releases Flashback trojan removal tool – April 14, 2012
Apple releases Java Update to remove Flashback trojan – April 12, 2012
600,000 Macs infected with Flashback trojan, 274 in Cupertino; how to check your Mac – April 5, 2012


  1. That is one of the many reasons Steve Jobs wanted iOS free of Flash. I followed his decision and never looked back. All my devices and computers are free of this plague.

  2. This trojan exploited Java to infect computers. Just because it contains the word “flash” doesn’t mean it has anything to do with Adobe’s Flash plugin. The iPhone’s camera has a flash too – do you assume that’s also related to Adobe’s plugin?

  3. Flash is implicated thus: “Flashback first came to light in 2011 when it took hold of people’s machines by masquerading as a legitimate installer of Adobe’s ubiquitous Flash media player.”

    1. That’s social engineering. It has nothing to do with Flash technology. If an iOS popup asked to update Angry Birds or some other ubiquitous software, thousands would accept it, even if the popup was really a trick for malware. Shoot, even if the iOS popup said it was updating Flash media player, I bet thousands would accept it anyway, unaware that it’s not supposed to be there.
