The operators of the Flashback malware that infected over 600,000 machines failed to cash in on their potentially lucrative botnet, analysis has revealed.
One of the main ways the Flashback operators were thought to be making money was by hijacking Google searches to push infected users to certain pages. If users clicked on ads after being redirected to a site, the attackers would make money from Pay Per Click (PPC) providers.
Symantec originally estimated the operators of Flashback could have made as much as $10,000 (£6,160) per day. After further analysis, it appeared they couldn’t even make $14,000 in three weeks, as they failed to use much of the botnet’s power or get money out of the PPC providers.
Over a three-week period starting in April, the botnet displayed over 10 million ads on compromised machines, but only close to 400,000 ads were actually clicked. This would have earned the attackers $14,000 but “the attackers in this instance appear to have been unable to complete the necessary steps to be paid,” Symantec said.
“You may not expect to see 100 percent utilisation of the infrastructure from the start, but at the same time what we are looking at here is very small utilisation,” Tom Parsons, senior manager at Symantec Security Response, told TechWeekEurope. “Two percent – that would seem particularly low, especially for something that is bound to catch people’s attention… There were probably issues in terms of executing the grand plan.
“Maybe it was a deliberate decision not to fully utilise it. Maybe they didn’t think it was going to get as much attention or even be identified, but that would have been wishful thinking.”
Parsons compared the Flashback botnet to a malicious Android network, which was using 30,000 bots every day to generate revenue by forcing end users to send premium-rate texts to numbers of the mastermind’s choosing. That amounted to around 25 percent of the botnet being used to generate revenue.
In both cases, the platforms used – Android and Mac OS – were relatively new and so are comparable. In the Android case though, it appears the cybercriminals were more savvy in deploying their army of bots.
“There is a huge contrast there in the figures,” Parsons added, revealing that the Android botnet is still alive and making its masters hundreds of thousands, possibly millions, of dollars. “The operator had been running that Android botnet for six months at that stage and had made hundreds of thousands of dollars and we estimated they would make at least a million dollars for one year.”
There are still plenty of machines within the Flashback botnet. Symantec revealed there are still 120,000 active infections as of today and the actual number is “likely to be higher”.