Botnet of more than 550 thousand Macs: details

Hello, UMumble users!

Recently, Dr. Web's researchers discovered a botnet of more than 550 thousand infected Mac machines. You may well say "here we go again". At present, more than 670 thousand infected computers have been found around the world (see map):


Once again, we will try to debunk the myth of the platform's impregnability and help people understand how the infection works.


The bot spreads through infected websites in the form of a Java applet, which claims to be an update for Adobe Flash Player. The Java applet runs a first-stage downloader, which downloads and installs the main component of the Trojan. The main component is a Trojan downloader that stays connected to one of the command-and-control (C&C) servers and waits for commands to download and run new components.

The bot finds its C&C servers using domain names generated by two algorithms. The first algorithm is based on the current date; the second uses several variables that are stored encrypted in the body of the bot. The encryption is based on the RC4 algorithm and uses the computer's UUID (Universally Unique Identifier) as the key.

We reverse engineered the first domain-generation algorithm and, based on the date of the research (06.04.2012), generated and registered the corresponding domain name. Once this domain was registered, we were able to keep a log of requests from the bots. Since each request from a bot contains its UUID, we were able to count the number of active bots. According to the log, in less than 24 hours more than 600 thousand unique bots connected to our server, using more than 620 thousand external IP addresses in total. More than half of all bots connected to our server from the territory of the United States.

Here is the geographical distribution of active Flashfake bots:

Country           Number of active bots
U.S.              300 917
Canada            94 625
United Kingdom    47 109
Australia         41 600
France            7 891
Italy             6 585
Mexico            5 747
Spain             4 304
Germany           4 021
Japan             3 864
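The counting method described above (unique bots by UUID, unique external IPs, and a per-country breakdown from a sinkhole request log) can be reproduced on a small scale. The following is an added example, not code from the original post or from Dr. Web or Kaspersky Lab; the log format (timestamp, client IP, country code, UUID per line) and the sample lines are constructed for illustration, using documentation IP ranges. It deliberately counts bots by UUID rather than by IP, because the same bot can show up from several addresses (DHCP, roaming) and several bots can sit behind one NAT address, which is why the IP count and the bot count in the post differ.

```python
"""Sinkhole request log analysis: count active bots by UUID, not by IP (added example)."""
from collections import Counter, defaultdict
import re

# Constructed sample of sinkhole request log lines (not real data).
# Assumed format: <timestamp> <client_ip> <country_code> <bot_uuid>
SAMPLE_LOG = """\
2012-04-06T10:15:01Z 203.0.113.5 US 6B1C0A3E-4F2D-4E8A-9C1B-0A1B2C3D4E01
2012-04-06T10:15:07Z 203.0.113.5 US 6B1C0A3E-4F2D-4E8A-9C1B-0A1B2C3D4E02
2012-04-06T10:16:30Z 198.51.100.17 CA 1F2E3D4C-5B6A-4798-8877-665544332201
2012-04-06T11:02:44Z 198.51.100.18 CA 1F2E3D4C-5B6A-4798-8877-665544332201
2012-04-06T11:20:09Z 192.0.2.33 GB 0A0B0C0D-0E0F-4011-8213-141516171801
2012-04-06T11:21:10Z 192.0.2.34 GB 0A0B0C0D-0E0F-4011-8213-141516171801
2012-04-06T11:21:12Z 192.0.2.34 GB 0A0B0C0D-0E0F-4011-8213-141516171801
2012-04-06T12:00:00Z 203.0.113.77 US 6B1C0A3E-4F2D-4E8A-9C1B-0A1B2C3D4E01
garbage line that does not parse
"""

# One well-formed request per line; anything else is skipped, never guessed at.
LINE_RE = re.compile(
    r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) ([A-Z]{2}) ([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, country, uuid) tuples for well-formed lines."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, ip, country, uuid = match.groups()
            records.append((ts, ip, country, uuid.upper()))
    return records


def summarize(text):
    """Count unique bots (by UUID), unique IPs, and bots per country of first sighting."""
    records = parse_log(text)
    ips_per_bot = defaultdict(set)   # uuid -> set of IPs it was seen from
    bots_per_ip = defaultdict(set)   # ip   -> set of UUIDs seen behind it
    country_of_bot = {}              # uuid -> country of its first request
    for _ts, ip, country, uuid in records:
        ips_per_bot[uuid].add(ip)
        bots_per_ip[ip].add(uuid)
        country_of_bot.setdefault(uuid, country)
    by_country = Counter(country_of_bot.values())
    return {
        "requests": len(records),
        "unique_bots": len(ips_per_bot),
        "unique_ips": len(bots_per_ip),
        # Same bot from several addresses: why IP counts overstate bots.
        "bots_seen_from_multiple_ips": sum(1 for s in ips_per_bot.values() if len(s) > 1),
        # Several bots behind one address (NAT): why IP counts understate bots.
        "ips_shared_by_multiple_bots": sum(1 for s in bots_per_ip.values() if len(s) > 1),
        "by_country": by_country.most_common(),
    }


def format_table(by_country):
    """Render the per-country distribution in the same shape as the post's table."""
    lines = ["Country   Number of active bots"]
    for country, count in by_country:
        lines.append(f"{country:<9} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key in ("requests", "unique_bots", "unique_ips",
                "bots_seen_from_multiple_ips", "ips_shared_by_multiple_bots"):
        print(f"{key}: {summary[key]}")
    print(format_table(summary["by_country"]))
```

On the sample above the script reports 8 parsed requests, 4 unique bots and 6 unique IPs: three bots were seen from two addresses each and one address carried two bots, so neither raw IP count would have given the right number of infected machines.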

These technical details will remain in our database permanently.


Now we can determine whether your UUID was logged in the bot-access database of our sinkhole server. For more details about the check and our recommendations, visit this website: Thousands of people have already used our micro site, and 2.7% of them found themselves in the database of infected machines.

Mac OS X users can also check whether their computer is infected with Flashfake, and remove the malicious program if it is present, using a special free utility from Kaspersky Lab.


10 Tips

Here is some advice for our dear Mac users. You probably know most of it already, but you can always add your own tips if you want.

1. Create an account without admin rights for daily use.
2. Use a browser that has a sandbox and a good reputation for closing security holes quickly.
3. Remove the standalone version of Flash Player.
4. Deal with the Java problem.
5. Run "Software Update" as soon as patches are released.
6. Use a password manager to help against phishing attacks.
7. Turn off IPv6, AirPort and Bluetooth if you do not use them.
8. Enable full disk encryption with FileVault (Mac OS X 10.7 or higher).
9. Update Adobe Reader to version 10 or higher.
10. Set up a good data protection solution.

If this post helps even one person stay safe, we will consider its mission accomplished!
Papay 15 april 2012, 15:02