updated 04:42 pm EDT, Sun May 20, 2012
From 600,000 infections to 10,000; ad vendor won't pay
After possibly infecting up to 1.8 percent of the Macintosh population with a click-fraud macro through a Java vulnerability, the Flashback creators won't get paid despite their efforts, reports Computerworld. Following a coordinated security effort between antivirus vendors and security experts, remote malicious orders were blocked or prevented from effecting an estimated peak 600,000 infected computers. Apple joined the fray late, but provided patches and a removal tool for the malware.
"Lots of security companies sinkholed Flashback's domains, and this caused [the hackers] a lot of problems," said Liam O'Murchu, manager of operations at Symantec's security response center. After the combined anti-Flashback efforts, about 10,000 macs remained controlled by the bot-net, but the advertising affiliate that served 98% of the generated clicks isn't paying the creators.
The Flashback malware was designed not to harm the user's own data, but to connect the computer to a botnet that served ads the user wouldn't have normally seen or steal clicks from Google ads generated by users. Across the three weeks that the malware was active, some 10 million ads were served, resulting in about 400,000 click-throughs that would have generated around $14,000 for the malware creators.
"The traffic we've analyzed tells us that they hadn't been paid," said O'Murchu, "They haven't been able to provide the information to the pay-per-click affiliate that [was] required to be paid." Legitimate advertising vendors use a variety of anti-fraud mechanisms, including identity checks and sampling the traffic from the source of the clicks, to insure that the clicks are legitimate. Without these verification steps, advertisers won't pay the advertising vendor.
Apple provided the patch in mid-April for the exploit after it made headlines two weeks prior. The exploit was made public in February. Java patches for Snow Leopard and Lion are available, and a separate removal tool is also downloadable for Leopard, Snow Leopard, and Lion. [via Computerworld]