The Flashback trojan is one of the most successful attacks on Mac computers ever discovered, and one security reporter believes he has identified the person responsible for the malware.
Brian Krebs of Krebs on Security researched the trojan on a few underground online forums dealing with black-hat search engine optimization and general cybercrime. He obtained a copy of a private conversation between a person called “Mavook,” listed as a “V.I.P.” on one of these forums, BlackSEO.com. The correspondence, translated from its original Russian [right], shows Mavook telling another member that he created the Flashback trojan as a reason why he should be let into an exclusive hacker forum Darkode.com.
“I believe Brian is right, but I don’t believe this is hardcore evidence to get him arrested,” said Sean Sullivan, F-Secure’s security advisor.
The trojan was for the most part shut down around this time a year ago when Apple released a fix to its version of Java. The trojan, which reportedly infected over 400,000 Mac computers, was unique for Apple’s hardware in that it didn’t require the user to input a password. Instead, it traveled by tricking users into downloading a fake Flash plugin, which would then trigger the malware download.
Researchers later found that the trojan actually stole advertising revenue by redirecting a person who clicked on an ad to a website of the criminal’s choosing.
In order to discover the human behind the “Mavook” name, Krebs did a WHOIS look-up on domaintools.com for the website Mavook listed on his BlackSEO profile. The website, mavook.com, was registered in 2005 by a Russian man by the name of Maxim Selikhanovich. Krebs was then able to tie the same email address used to register the mavook website to a Skype user by the same name. This led to the discovery of a couple more email addresses that connected to two websites that sold MP3 files and a Facebook account for Maxim Selikhanovich.
The evidence, of course, would not at this point hold up in a court of law. It’s really just a private message made public. But Sullivan, who also followed Mavook’s moves, believes the type of information the hacker was seeking was in line with someone who wanted to perform another major attack on Apple.
“Whenever a new Java exploit came out, this guy would be asking questions,” said Sullivan. “I wouldn’t be surprised if Apple — they’ll never tell us if they do — if Apple wouldn’t ask the FBI, ‘Hey, what can you find out about this guy?’”
Apple, which is already working with “law enforcement” on the hack that disrupted a number of high-profile companies in Silicon Valley (such as Microsoft and Facebook), will likely bring this man’s name up in those dealings. From there, the FBI can do its own digging for enough evidence to arrest — if there is any.
Sullivan advised, “I would keep my head down if I were Maxim.”
Cracked Macbook image via ianmunroe/Flickr, BlackSEO screenshot via Brian Krebs