A year after the discovery of the notorious Flashback Apple malware that infected over half a million Mac computers, security investigators have released fresh information on their progress tracking the attack’s authors.
Flashback was originally unearthed targeting Mac computers in April 2012.
Since then, despite the influx of new sophisticated malware, Flashback is still regarded as one of the most pernicious and dangerous campaigns ever mounted.
This is largely down to its success rate, with Flashback still being estimated to have successfully infected over 600,000 Mac computers by targeting an unpatched Java vulnerability.
Despite its high profile nature, as is the case with most cyber campaigns, details regarding its author and origin are difficult to ascertain. Law enforcement is still on the hunt for the crooks behind Flashback.
However, independent security investigator Brian Krebs has now released fresh research linking the malware to a Russian cyber crook called Maxim Dmitrievich Selihanovich, who was operating under the alias Mavook.
"A year ago, I published a series that sought to identify the real-life hackers behind the top spam botnets. Using much the same methodology, I was able to identify and locate a young man in Russia who appears (and privately claims) to be the author of Flashback," wrote Krebs.
"Given Flashback's focus on gaming Google's ad networks, I suspected that the worm's author probably was a key member of forums that focus on so-called ‘black hat SEO'.
Black SEO is a catchall phrase for the tricks crooks use to game search engines, promoting their sites or relagating others.
"Sure enough, this individual happens to be a very active and founding member of BlackSEO.com, a closely guarded Russian language forum dedicated to this topic."
From there Krebs reportedly tracked Mavook's activities, using information stored on the forums to track his location.
"Mavook's profile also shows that his personal homepage was at one time mavook.com. The WHOIS registration records for mavook.com have long been hidden by commercial WHOIS privacy protection services, but I found the original WHOIS record for this domain using the indispensable historic WHOIS service maintained by domaintools.com," wrote Krebs.
"Those records show that the domain was originally registered in 2005 by a Maxim Selikhanovich in Saransk, the capital city in Mordovia, a republic in the eastern region of Russia."
The records also reportedly linked the 30-year-old Russian to several shut down illegal MP3 trading sites, which contained an email address linked to a Facebook account registered under Selihanovich's name.
"One of the emails used by Maxim for that website and a related site was "firstname.lastname@example.org," which was the same email used to register a now-deleted Facebook account under a Maxim Selikhanovich from Saransk," wrote Krebs.
Krebs investigation was based on the back of wider research from several security vendors, including Finnish firm F-Secure.
Speaking to V3 F-Secure analyst Sean Sullivan told V3 that he thought the “conclusions look very conclusive".
The news marks a serious step in security experts ongoing attempt to combat the growing stream of cyber attacks stemming from Russian.
Many of the attacks have followed Flashback's example targeting Oracle's Java platform. Apple has responded to the influx of attacks by shutting down Java on Mac OS X on numerous occasions.