Overclock.net › Forums › Industry News › Software News › [Kaspersky / securelist.com] The Anatomy of Flashfake. Part 1

[Kaspersky / securelist.com] The Anatomy of Flashfake. Part 1  

post #1 of 10
Thread Starter 
Quote:
What is Flashback/Flashfake?

It is a family of malware for Mac OS X. The first versions of this type of threat were detected in September 2011. In March 2012 around 700,000 computers worldwide were infected by Flashback. The infected computers are combined in a botnet which enables cybercriminals to install additional malicious modules on them at will. One of these modules is known to generate fake search engine results. It is quite possible that, in addition to intercepting search engine traffic, cybercriminals could upload other malicious modules to infected computers – e.g. for data theft or spam distribution.

- https://www.securelist.com/en/analysis/204792227/The_anatomy_of_Flashfake_Part_1

Breaks down the code behind this malware and is a great view on how malware is constructed and targeted and just how clever and complex malware is these days. Gone are the days of 'dodgy sites' just having malware.
post #2 of 10
Wow, this is brilliant. Thanks for the awesome read.
post #3 of 10
What a good read! Any idea why the virus would check for apps like Skype or Office and choose not to install itself if they're present?
post #4 of 10
Quote:
Originally Posted by gelatin_factory

What a good read! Any idea why the virus would check for apps like Skype or Office and choose not to install itself if they're present?

That's a good question, I'd ask on that article's comment section, but you must be logged in.
post #5 of 10
It seems to check for anti-virus or debugging tools too. Perhaps something in the MS-Office installer messes with the malware or its installer, or at least that part of it.
post #6 of 10
Omg. Is it possible that this happened to me? Recently something from Apple asked for admin rights, but I denied it. Thanks to the Apple hate and OCN for that one ... Am I, like, safe now or should I do a full scan with my ESET Smart Security 5?
post #7 of 10
Quote:
Originally Posted by allikat

It seems to check for anti-virus or debugging tools too. Perhaps something in the MS-Office installer messes with the malware or its installer, or at least that part of it.

Well, it ceases and deletes when it detects those AVs because it will instantly be detected, but the Skype and MS Office are really interesting and I'd love to know. I might just have to register there to ask.
post #8 of 10
(Can I just say "malware" was in line 3 times from your paragraph in my window haha xD)

F-Secure do stuff like this a lot, if people liked this teardown.
post #9 of 10
Quote:
Originally Posted by allikat

It seems to check for anti-virus or debugging tools too. Perhaps something in the MS-Office installer messes with the malware or its installer, or at least that part of it.

Thanks, I could see Office being hardened against exploits and malware, but Skype? It seems an odd choice of program for a virus to fear.
Quote:
Originally Posted by E-Peen

That's a good question, I'd ask on that article's comment section, but you must be logged in.

I was hoping one of OCN's resident tech wizards would have the answer. Maybe it will be explained in part two of the article.
post #10 of 10
http://www.overclock.net/t/1239101/sophos-mac-botnets-gaining-traction-using-drive-by-java-exploit/0_100