Apple and the Flashback (Mac virus) domains

Flashback is a Mac virus that was discovered in September 2011. There are some analyses at [1] [2] [3].

The first domain generation algorithm implemented in Flashback generates 5 domains every day with the TLDs com, net, kz, in and info:

9/27/2013 mdrmcwayiivnrvo.com
9/27/2013 mdrmcwayiivnrvo.net
9/27/2013 mdrmcwayiivnrvo.kz
9/27/2013 mdrmcwayiivnrvo.in
9/27/2013 mdrmcwayiivnrvo.info

All current Flashback domains were registered by Apple Inc and point to their sinkhole at 23.21.71.54. WHOIS data for mdrmcwayiivnrvo.com:

Registrant: 
Apple Inc.
Domain Administrator
1 Infinite Loop 
Cupertino, CA 95014
US
Email: domains@apple.com

WHOIS data for mdrmcwayiivnrvo.kz:

Domain Name............: mdrmcwayiivnrvo.kz

Organization Using Domain Name
Name...................: Hostmaster
Organization Name......: Apple Inc.
Street Address.........: 1 Infinite Loop
City...................: Cupertino, CA
State..................: 
Postal Code............: 95104
Country................: US

We have checked all domains – they are all sinkholed by Apple Inc until the end of 2013.

Apple Sinkholes

About the sinkholes

Apple has sinkholed all these domains in order to a) collect statistics on the infections and b) prevent the criminals from controlling the infected machines. An important point, though, is that Apple registered the domains only until the end of 2013 – so from January 2014 the criminals regain the ability to take back control of their botnet.

Criminals use domain generation algorithms (DGAs) primarily to make single-domain takedowns ineffective. In this case, however, the DGA generates only 5 domains per day, a fairly low amount compared to other DGAs, which generate for example 1000 per week (ZeuS Gameover) or 250 per day (Conficker A/B). These 5 domains per day, 1780 domains per year, can easily be registered by anyone and effectively lock the criminals out of their own botnet. Kleissner & Associates registered some domains valid for 2014 in order to generate statistics.
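The practical consequence of the sinkhole expiring is that a defender should not only count hosts resolving DGA-shaped names, but also watch whether those names still resolve to Apple's sinkhole or to something else. The following added example (not code from the original post) triages constructed resolver log lines for the five TLDs named above; the 15-letter label length is taken from the sample domain mdrmcwayiivnrvo and the log format is an assumption.

```python
import re
from collections import defaultdict

# Sinkhole address stated on the page for the Apple-registered Flashback domains.
APPLE_SINKHOLE = "23.21.71.54"
# TLDs of the first Flashback DGA (from the page); the fixed 15-letter label is
# an assumption based on the one sample domain, not a documented property.
DGA_NAME = re.compile(r"^[a-z]{15}\.(com|net|kz|in|info)$")
# Constructed log format: "<date> <time> <client-ip> <qname> <answer>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

def classify_line(line):
    """Return (client, domain, verdict), or None for non-DGA or unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, qname, answer = m.groups()
    qname = qname.lower().rstrip(".")
    if not DGA_NAME.match(qname):
        return None
    if answer == APPLE_SINKHOLE:
        verdict = "sinkholed"      # infected host, but the C2 name is held by Apple
    elif answer == "NXDOMAIN":
        verdict = "unregistered"   # nobody holds that day's domain (yet)
    else:
        verdict = "live-c2"        # resolves elsewhere: possible takeover after expiry
    return client, qname, verdict

def triage(lines):
    """Group verdicts per client so each infected host is reported once per state."""
    report = defaultdict(set)
    for line in lines:
        hit = classify_line(line)
        if hit:
            client, domain, verdict = hit
            report[client].add((verdict, domain))
    return {client: sorted(hits) for client, hits in report.items()}

# Constructed sample log: two sinkholed lookups, one benign, and a 2014 pair
# where the sinkhole registration has lapsed.
SAMPLE_LOG = """\
2013-09-27 10:01:02 10.0.0.5 mdrmcwayiivnrvo.com 23.21.71.54
2013-09-27 10:01:03 10.0.0.5 mdrmcwayiivnrvo.kz 23.21.71.54
2013-09-27 10:02:00 10.0.0.9 www.example.com 93.184.216.34
2014-01-02 08:00:00 10.0.0.7 qwertyuiopasdfg.info 198.51.100.20
2014-01-02 08:00:01 10.0.0.7 qwertyuiopasdfg.in NXDOMAIN
""".splitlines()

if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG).items():
        print(client, hits)
```

Any "live-c2" verdict after the sinkhole registrations lapse is the signal worth alerting on, since it means a DGA name is answering from an address Apple does not control.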

As a result, as reported by Symantec, the criminals implemented 2 other DGAs, one of which uses a Twitter message as the input seed to generate the domain.