According to the security firm, the makers of the Flashback malware made $14,000 from click fraud last month, but can't collect on it.
The high-profile Flashback Trojan that is estimated to have infected more than 600,000 Macs at its peak earlier this year would have earned its creators $14,000 in the course of three weeks.
The only hitch is that the money isn't going anywhere.
In a blog post today, security firm Symantec says the pay-per-click provider the malware makers were using spotted the activity as fraudulent.
"Many (pay-per-click) providers employ anti-fraud measures and affiliate-verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid," the firm said.
Symantec says that the advertising component of the Flashback malware -- the one that would show clickable ads to users -- was installed on some 10,000 of the estimated 600,000 infected machines. During a three-week period beginning last month, that led to an estimated 10 million ads being displayed, however, only 400,000 were clicked on.
"In other words, utilizing less than 2 percent of the entire botnet the attackers were able to generate $14,000 in three weeks, meaning that if the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year," Symantec said.
An estimate from the security firm earlier this month suggested Flashback's creators could bring in up to $10,000 per day using this technique during the height of the infection.
The firm reiterated that the main source of income for the malware was click fraud. The malware kept an eye on search terms typed in by users before relaying that information to pay-per-click services. It would then highjack search results to display what it wanted users to see and click on. In this case, Symantec says 98 percent of the ads came from a single pay-per-click provider.
Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers.
Last month, Apple updated Java for Mac OS X Snow Leopard and Lion to detect and remove the malware. The company brought a similar update to Leopard, an earlier version of OS X,just this week. Both options were predated by removal tools from security companies F-Secure, Kaspersky Lab, and Symantec.