{"id":3716,"date":"2012-03-05T16:19:36","date_gmt":"2012-03-06T00:19:36","guid":{"rendered":"http:\/\/blog.intego.com\/?p=3716"},"modified":"2016-02-12T10:13:01","modified_gmt":"2016-02-12T18:13:01","slug":"flashback-mac-malware-uses-twitter-as-command-and-control-center","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/flashback-mac-malware-uses-twitter-as-command-and-control-center\/","title":{"rendered":"Flashback Mac Malware Uses Twitter as Command and Control Center"},"content":{"rendered":"

The Flashback malware, which Intego pointed out was infecting an increasing number of Macs<\/a>, turns out to be using a novel technique to operate. Many types of malware use command and control servers that they connect to, in order to get instructions from the creators of the malware. The problem with using these servers is that their IP addresses are specified in the malware code, and the servers can generally be taken down.<\/p>\n

Flashback, however, uses an interesting method of getting commands: it uses Twitter. And rather than use a specific Twitter account, which can be removed, it queries Twitter for tweets containing specific hashtags. These hashtags aren’t as simple as, say, #Flashback or #MacMalwareMaster, but are seemingly random strings of characters that change each day. Intego’s malware research team cracked the 128-bit RC4 encryption used for Flashback’s code and discovered the keys to this system.<\/p>\n

The hashtags are made up of twelve characters. There are four characters for the day, four characters for the month, and four characters for the year. The characters used are in the following table:<\/p>\n

 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
0<\/td>\ngbqj<\/td>\n18<\/td>\nkudd<\/td>\n<\/tr>\n
1<\/td>\ndljt<\/td>\n19<\/td>\nnwal<\/td>\n<\/tr>\n
2<\/td>\nyfad<\/td>\n20<\/td>\nhmca<\/td>\n<\/tr>\n
3<\/td>\nkpsh<\/td>\n21<\/td>\ndqyo<\/td>\n<\/tr>\n
4<\/td>\nigaw<\/td>\n22<\/td>\nkkag<\/td>\n<\/tr>\n
5<\/td>\npepb<\/td>\n23<\/td>\nviqt<\/td>\n<\/tr>\n
6<\/td>\nezcn<\/td>\n24<\/td>\nwpld<\/td>\n<\/tr>\n
7<\/td>\nhwpd<\/td>\n25<\/td>\nnsiy<\/td>\n<\/tr>\n
8<\/td>\ndrir<\/td>\n26<\/td>\nmyvo<\/td>\n<\/tr>\n
9<\/td>\nrnwp<\/td>\n27<\/td>\nrgel<\/td>\n<\/tr>\n
10<\/td>\nupdw<\/td>\n28<\/td>\nzlxl<\/td>\n<\/tr>\n
11<\/td>\njsng<\/td>\n29<\/td>\ndjno<\/td>\n<\/tr>\n
12<\/td>\nxeoa<\/td>\n30<\/td>\nbeti<\/td>\n<\/tr>\n
13<\/td>\nrgdg<\/td>\n31<\/td>\newof<\/td>\n<\/tr>\n
14<\/td>\naofl<\/td>\n32<\/td>\nmqan<\/td>\n<\/tr>\n
15<\/td>\noeur<\/td>\n33<\/td>\nxsco<\/td>\n<\/tr>\n
16<\/td>\ndspu<\/td>\n34<\/td>\njfiq<\/td>\n<\/tr>\n
17<\/td>\njyuv<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

The following is a screenshot of output from a network packet analyzer when the Flashback malware was searching mobile.twitter.com for the hashtag #pepbyfadxeoa<\/strong>, for today, March 5, 2012:<\/p>\n


\n\"\"<\/center>In addition, in order to ensure that people checking logs don’t spot the malware, it uses a number of different user agents. Here are some examples:<\/p>\n