Backdoor.Flashback.39, the piece of malware designed to target computers running Mac OS X, caused a lot of headaches for Mac users, especially because one of the Java vulnerabilities it exploited remained unpatched by Apple.
Security experts have found that even after Apple patched the flaw, the cybercriminals behind the operation didn't seem to be discouraged.
Researchers from Russian security firm Doctor Web analyzed the malicious element and determined that the infection begins when users are redirected to shady sites from compromised domains.
The exploit then saves an executable onto the infected Mac machine. This executable file connects to a remote server from which it downloads and executes the final payload.
If at first the cybercrooks relied on Java vulnerabilities that were addressed back in 2011 and at the beginning of 2012, on March 16 they switched to the now-famous CVE-2012-0507, the security hole that was left unpatched by Apple until April 3.
Dr. Web experts noticed that around April 1 a new variant of Backdoor.Flashback.39 was released. Before stepping into play, the Trojan scans the system and generates the list of control servers only if there’s no trace of security software.
After that, it starts sending notifications to the statistics server utilized by the masterminds of the campaign.
“It should be noted that the malware utilizes a very peculiar routine for generating such addresses. It can also switch between several servers for better load balancing,” Dr. Web experts reveal.
“After receiving a reply from a control server, BackDoor.Flashback.39 verifies its RSA signature and then, if successful, downloads and runs payload on the infected machine. It may get and run any executable specified in a directive received from a server.”
So far, more than 550,000 machines have been found to be infected, which means that Apple users should rush to apply the Java update and maybe even install a security application.