All the latest UK technology news, reviews and analysis


Apple Flashback malware hunt points to Russian cyber crook

03 Apr 2013
apple-logo

A year after the discovery of the notorious Flashback Apple malware that infected over half a million Mac computers, security investigators have released fresh information on their progress tracking the attack’s authors.

Flashback was originally unearthed targeting Mac computers in April 2012.

Since then, despite the influx of new sophisticated malware, Flashback is still regarded as one of the most pernicious and dangerous campaigns ever mounted.

This is largely down to its success rate, with Flashback still being estimated to have successfully infected over 600,000 Mac computers by targeting an unpatched Java vulnerability.

Despite its high profile nature, as is the case with most cyber campaigns, details regarding its author and origin are difficult to ascertain. Law enforcement is still on the hunt for the crooks behind Flashback.

However, independent security investigator Brian Krebs has now released fresh research linking the malware to a Russian cyber crook called Maxim Dmitrievich Selihanovich, who was operating under the alias Mavook.

"A year ago, I published a series that sought to identify the real-life hackers behind the top spam botnets. Using much the same methodology, I was able to identify and locate a young man in Russia who appears (and privately claims) to be the author of Flashback," wrote Krebs.

"Given Flashback's focus on gaming Google's ad networks, I suspected that the worm's author probably was a key member of forums that focus on so-called ‘black hat SEO'.

Black SEO is a catchall phrase for the tricks crooks use to game search engines, promoting their sites or relagating others.

"Sure enough, this individual happens to be a very active and founding member of BlackSEO.com, a closely guarded Russian language forum dedicated to this topic."

From there Krebs reportedly tracked Mavook's activities, using information stored on the forums to track his location.

"Mavook's profile also shows that his personal homepage was at one time mavook.com. The WHOIS registration records for mavook.com have long been hidden by commercial WHOIS privacy protection services, but I found the original WHOIS record for this domain using the indispensable historic WHOIS service maintained by domaintools.com," wrote Krebs.

"Those records show that the domain was originally registered in 2005 by a Maxim Selikhanovich in Saransk, the capital city in Mordovia, a republic in the eastern region of Russia."

The records also reportedly linked the 30-year-old Russian to several shut down illegal MP3 trading sites, which contained an email address linked to a Facebook account registered under Selihanovich's name.

"One of the emails used by Maxim for that website and a related site was "troxel@yandex.ru," which was the same email used to register a now-deleted Facebook account under a Maxim Selikhanovich from Saransk," wrote Krebs.

Krebs investigation was based on the back of wider research from several security vendors, including Finnish firm F-Secure.

Speaking to V3 F-Secure analyst Sean Sullivan told V3 that he thought the “conclusions look very conclusive".

The news marks a serious step in security experts ongoing attempt to combat the growing stream of cyber attacks stemming from Russian.

Many of the attacks have followed Flashback's example targeting Oracle's Java platform. Apple has responded to the influx of attacks by shutting down Java on Mac OS X on numerous occasions.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
23%
14%
4%
17%
30%
12%

Popular Threads

Powered by Disqus
Sony Xperia Z2 smartphone running Android KitKat 4.4

Sony Xperia Z2 video

We test out the latest Android KitKat flagship from Sony

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Java Developers X2 - Oslo

Java, Algorithms, Data Structures, Groovy, Rails, Linux...

Front End Web Developers x2 - Oslo

HTML, CSS (SASS), JavaScript, JQuery, Angular JS, ROR...

Web Developers x3 - work from home

HTML, CSS, JavaScript, PHP/PHP 5, MySQL, LAMP, Subversion...

Front End Web Developers (eCommerce) x3

HTML, CSS, JavaScript, eCommerce Package (Ideally Demandware...
To send to more than one email address, simply separate each address with a comma.