1. A few hours after I posted the Flashback.K, someone anonymously uploaded Flashback.O sample (thank you very much!), which I am posting below. Like in the first case, it is a payload binary from a victim, not the downloader, which makes it impossible to install. If you succeed or have a binary that installs, please share. I personally have not tried to run them yet, did not have a vm.
2. Matt Thompson from Unveillance emailed his comments about the Flackback.K sample please see the quote below.
3. Update April 11 - I will put domains and URLs in a separate post because they relate to various versions of Flashback, not v.40/O
Download OSX/Flashback.O 782C4D24D406538498C1FB79FA0F6D62
This is the exact payload binary I have been working with.
I extracted the x86_64 architecture into a thin binary.
At 0x10000158e it sets up an RC4 identity Sbox.
At 0x1000015b2 it starts the RC4 KSA mix with the Hardware UUID. r9
contains the pointer to the UUID string
0x1000041f0 contains the ciphertext length.
0x100004200 is the beginning of 4275 bytes of ciphertext.
0x1000041e8 contains a flag indicating if the data block is encrypted or
not. If this is set to 1 the code just memcpy()'s the data into a
malloc'd buffer rather than decrypting with RC4.
If the Hardware UUID were available from the machine that downloaded
this binary, it would be trivial to write the plaintext back into the
binary and set 0x1000041e8 to 1.
File size: 394.2 KB ( 403676 bytes )
File name: FlashBack.O_ 782C4D24D406538498C1FB79FA0F6D62
File type: unknown
Detection ratio: 19 / 42
Analysis date: 2012-04-11 01:15:36 UTC ( 38 minutes ago )
Antiy-AVL Trojan/OSX.Flashfake 20120410
BitDefender MAC.OSX.Trojan.FlashBack.O 20120411
ClamAV OSX.Flashback-12 20120411
Comodo UnclassifiedMalware 20120410
DrWeb BackDoor.Flashback.40 20120411
Emsisoft Trojan-Downloader.OSX.Flashfake!IK 20120410
F-Secure MAC.OSX.Trojan.FlashBack.O 20120410
Fortinet OSX/Flshplyr.A 20120411
GData MAC.OSX.Trojan.FlashBack.O 20120411
Ikarus Trojan-Downloader.OSX.Flashfake 20120411
Jiangmin TrojanDownloader.OSX.w 20120410
Kaspersky Trojan-Downloader.OSX.Flashfake.ae 20120410
Microsoft Backdoor:MacOS_X/Flashback.E 20120411
NOD32 OSX/Flashback.I 20120410
nProtect MAC.OSX.Trojan.FlashBack.O 20120410
Sophos OSX/Flshplyr-A 20120411
Symantec OSX.Flashback.K 20120411
TheHacker - 20120410
TrendMicro OSX_FLASHBACK.A 20120411
TrendMicro-HouseCall OSX_FLASHBACK.A 20120411
Java Bytecode (53.2%)
Mac OS X Universal Binary executable (35.5%)
HSC music composer song (11.2%)
FileType.................: Mach-O fat binary executable
ObjectFileType...........: Dynamically bound shared library
CPUType..................: x86 64-bit, x86
CPUSubtype...............: i386 (all) 64-bit, i386 (all)
First seen by VirusTotal
2012-04-05 17:06:28 UTC ( 5 days, 8 hours ago )
Last seen by VirusTotal
2012-04-11 01:15:36 UTC ( 38 minutes ago )
File names (max. 25)
1. FlashBack.O_ 782C4D24D406538498C1FB79FA0F6D62