[plug] [OT] Detecting Flashback/flashfake Trojan

Tim weirdit at gmail.com
Thu Aug 2 06:07:41 WST 2012

Hey guys.

No matter how hard I google, I'm having trouble finding how to detect
the Flashback/Flashfake Mac Trojan via network analysis. Everything
talks about detecting it on the Mac itself. I have a network I've
recently taking responsibility for, that has a number of personal (as
in, outside of the companies control) Mac's on the network, and one of
them appears to have the Trojan, as reported by our ISP.
My idea for trying to identify the machine, is to do network traffic
analysis, to work out which device it is, so I can then track down
that device and take appropriate action (i.e. update and remove trojan
or have no network access). But nothing I can find gives us an easy
way to "tag" network traffic. I assume AISI (who currently report the
infection) have a list of C&C servers being used, and detect attempts
to access them. However I can't even find a nice way find that list.

Anyone else having this issue on networks they work with?

I've found one ip that appears to be a new kind of C&C server, so I'm
thinking I'll block that, then monitor DNS for strange looking
domains, and maybe try to monitor twitter access (where another method
of C&C is being used).


Timothy White - Somewhere in Australia

More information about the plug mailing list