The high-profile Flashback trojan that's estimated to have infected more than 600,000 Macs at its peak earlier this year could have earned its creators US$14,000 in the course of three weeks.
The only hitch is that the money isn't going anywhere.
In a blog post on Thursday, security firm Symantec says that the pay-per-click provider the malware makers were using identified the activity as fraudulent.
"Many [pay-per-click] providers employ anti-fraud measures and affiliate verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid," the firm said.
Symantec says that the advertising component of the Flashback malware — the one that would show clickable ads to users — was installed on around 10,000 of the estimated 600,000 infected machines. During a three-week period beginning last month, that led to an estimated 10 million ads being displayed; however, only 400,000 were clicked on.
"In other words, utilising less than 2 per cent of the entire botnet, the attackers were able to generate US$14,000 in three weeks, meaning that if the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year," Symantec said.
An estimate from the security firm earlier this month suggested that Flashback's creators could bring in up to US$10,000 per day using this technique during the height of the infection.
The firm reiterated that the main source of income for the malware was click fraud. The malware kept an eye on search terms typed in by users before relaying that information to pay-per-click services. It would then hijack search results to display what it wanted users to see and click on. In this case, Symantec says 98 per cent of the ads came from a single pay-per-click provider.
Flashback is a form of malware designed to grab passwords and other information from users through their web browser and other applications. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious website. At that point, the software installs code that's designed to gather personal information and send it back to remote servers.
Last month, Apple updated Java for Mac OS X Snow Leopard and Lion to detect and remove the malware. The company brought a similar update to Leopard, an earlier version of OS X, just this week. Both options were predated by removal tools from security companies F-Secure, Kaspersky Lab and Symantec.