People often wonder about what motivates the creators of malware. In the case of the Flashback malware that infected several hundred thousand Macs, it turns out that the motivator was money.
A post on the Symantec official blog listed the stages of infection from Flashback:
- A user visits a compromised website.
- The browser is redirected to an exploit site hosting numerous Java exploits.
- CVE-2012-0507 is used to decrypt and install the initial OSX.Flashback.K component.
- This component downloads a loader and an ad-clicking component.
That ad-clicking component is what made the money for the scoundrels who wrote the malware. As the Symantec post explains, the malware specifically targeted searches made on Google. Depending on the search query, the malware redirected the Mac user to another page chosen by the attacker, and the attacker received revenue from the click-through. Since Google never received the intended ad click, it lost revenue.
Symantec analyzed a similar botnet last year and determined that about 25,000 infected machines could net the attacker about US$450 per day. Based on the breadth of the Flashback attack, they estimated that the malware was earning its creators almost $10,000 per day.
If you haven’t updated your Mac to counteract a possible Java malware attack, or run Apple’s free tool for removing the malware from Macs that don’t have Java installed, be sure to run Software Update as soon as possible to protect yourself.