Symantec researchers, who had recently reverse engineered components of the OS X Flashback malware, have provided further analysis of the botnet's potential income generating capabilities for the Trojan's developers.
Previous analysis from Symantec revealed that the malware, which had infected more than 600,000 Mac OS X systems, was designed in part as a highly profitable ad-clicking operation that could be netting the Trojan's creators a hefty sum.
"For someone who is controlling a botnet of this magnitude, there are plenty of options. Recently we have seen many botnets using fraudulent ads to generate revenue for attackers. That is exactly the case with Flashback: the operators decided to leverage their botnet to commit fraudulent ad-clicks, also known as click fraud," Symantec stated.
The Flashback Trojan exploited several Java vulnerabilities to gain remote access to the infected systems and likely included a keylogger capability to capture authentication credentials.
Oracle had patched the vulnerability back in February, but the long period between the discovery of the exploit and remediation lead to the large number of infected units.
Symantec researchers provided a fairly detailed explanation of the ad-clicking mechanism Flashback utilizes, and their continued investigation has produced estimates of the botnet's potential income generating power.
"From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks," Symantec said.
"It is estimated the actual ad-clicking component of Flashback was only installed on about 10,000 of the more than 600,000 infected machines. In other words, utilizing less than 2% of the entire botnet the attackers were able to generate $14,000 in three weeks, meaning that if the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year," the researchers concluded.
Thought the revenues were generated, the researchers point out the inherent problems associated with actually collecting the payouts, and Symantec's research concludes that the botnet operators probably have not been able to cash-in on the exploit.
"Actually collecting that money is another, often more difficult, job. Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid," Symantec says.
Still, the potential from mass profits in a short amount of time make the development of criminal botnets an attractive proposition, and Symantec predicts that the number of such exploits directed at OS X units will increase along with the product's market share.
"Had the attackers been more successful in installing the final payload they could have been earning considerably more than that, which makes this a profitable model for the attackers. Although per-per-click botnets are not a new idea—we have seen them on Windows for years—as the market share of Mac increases, we will see more Mac-related botnets similar to this one in the future."