Kaspersky Lab analysis showed more than 600 000 unique robots that were connected to your server within 24 hours, using a total of more than 620 thousand IP addresses. Approximately 300 000 917 of active bots were connected from the United States, followed by 94 000 625 in Canada, 27 000 109 in the UK and 41 000 600 in Australia. The analysis confirmed that this Trojan virus is also present in Latin America with over 13 thousand Macs are infected. Mexico has about 6 000 infections, as many Mac-based computers in Latin America compromised by this threat. The map below shows the penetration of Flashfake in South America.
The bot is distributed as a Java applet on web pages infected by passing himself off as an update for Adobe Flash Player. The Java program then executes the first downloader, which in consequence, the main component of the Trojan downloads and installs. In the main component is a Trojan downloader, which continuously connects with one of its command-and-control servers (C & C) and is waiting to download and execute other new components.
Once installed, the Trojan alternates browser's search results, skewing the results to phishing sites through ad clicks. It also functions as a downloader, which allow creators to update it with new threats or harmful characteristics.
As the botnet actually has been spreading due to a vulnerability in Java, at first glance could not blame Apple for this shortcoming. However, it happens that Oracle released a security patch for more than three months, but the Cupertino company recently put available since last April 2, allowing the indiscriminate spread of the botnet.
If your Mac is under attack, it takes regular contact with the cyber criminal’s domains that point to a supervisory authority to, in order to receive commands, such as redirecting search requests to advertising sites or spam. Of the domains, there are 5 new every day, then 365 x 5 domains. If one domain, there are 20 case-back domains that can be resorted to. If the connection has been established between the bot and the domain receives the IP address of the supervisory and the Hardware UUID and commands issued in exchange for example, to unwanted advertisements. Of the approach and intent of these botnet cyber criminals is similar to the DNS Changer botnet.