Symantec said on Tuesday the Flashback malware that attacked Apple Mac computers could have netted its authors up to $10,000 a day.
The company reverse engineered one version of the malware, called “Flashback.K,” which it said deprives Google of advertising revenue. Flashback is believed to be the largest-ever malware campaign that has targeted Apple’s operating system so far.
“Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker’s choosing, where they receive revenue from the click,” according to a Symantec blog post.
When a person using an infected computer clicks on a Google advertisement, Flashback analyzes the request and substitutes the web site paying for the advertisement with its own.
Flashback also uses a specially crafted user-agent string, which comprises information about a computer accessing a website, in “an effort to thwart ‘unknown’ parties from investigating the URL with unrecognized user agents,” Symantec wrote.
The company looked at what happened when a user clicked on an ad for toys. The click for the ad, worth 8 cents, is redirected to the a website affiliated with the attackers.
“This ultimately results in lost revenue for Google and untold sums of money for the Flashback gang,” Symantec wrote. Since Flashback infected hundreds of thousands of users, “this figure could sharply rise to the order of $10,000 per day,” Symantec wrote.
Flashback infected Macs using a critical vulnerability in Java, which Apple patched in early April about seven weeks after the issue was disclosed. In the interim, upwards of 800,000 computers were believed to have been infected. Apple released a special Flashback removal update on April 12.