Prominent security blogger Brian Krebs has traced a Russian coder who appears to be happily taking credit for the most successful example of Mac OS X malware in history, last year's infamous Flashback Trojan.
Krebs said he spotted an individual using the ‘Mavook’ nickname a year ago on a Russian-language forum dedicated to black hat SEO.
Mavook, it turned out, had listed Flashback as one of his accomplishments when trying to join another invite-only forum, an easy boast perhaps but not one that would be easy to pass off in the sort of company that frequents such places.
Connecting him to the Mavook.com domain, Krebs discovered that although the person registering this domain was now hidden behind Whois privacy protection, he was still able to identify an individual from the Russian city of Saransk using older lookups.
Krebs also ties the named 30-year-old man to a defunct website and an outsourcing firm that a Russian contact was able to confirm had been founded by the suspect.
Is the individual named by Krebs really the culprit, or only someone who appears to be because they mentioned Flashback as part of their CV?
The methodology is reasonable, the stream of clues tantalising, and it would confirm the widespread assumption (including by Russian security firms) that a Russian coder was behind the malware.
However, Krebs stops short of accusing the man directly in his carefully worded analysis. Few suspected cybercriminals from Russia and its environs are ever detained or even investigated by police in those countries, so corroborating evidence is unlikely to appear.
Flashback did achieve something that PC advocates had conspicuously failed to do in a decade of trying, namely undermine the illusion that Apple’s computers are immune to serious malware.
As subsequently became clear, Flashback’s purpose was simple click fraud that probably made its author a fairly modest sum by cybercriminal standards after security companies nixed its command & control servers before payments could be tallied.
Ironically, the PC focus of most security vendors was one factor that meant the issue went under-reported until it had grown to as many as 850,000 infections, a gigantic number by previous Mac standards.
Flashback was first picked up by Mac security company Intego and Russian company Dr Web in late 2011 but by early 2012 infections had soared.
Overwhelmingly its Mac victims were unprotected by security software that might have caught it - easy meat in other words. Its scale only became apparent when security firms broke into the command & control.
Things got bad enough for Apple-happy Oxford University’s IT department to issue a public notice on the scale of infections it had suffered among students and faculty members.