AppleInsider › Forums › Software › Mac OS X › New Mac OS X Trojan disguises itself as Adobe Flash installer
New Mac OS X Trojan disguises itself as Adobe Flash installer

post #1 of 43
Thread Starter 
A new Mac OS X Trojan Horse called "Flashback" attempts to trick users into installing it by appearing as Adobe's Flash Player installer package.

The Trojan Horse, discovered by security firm Intego, has been found on malicious web sites that invite users to install the phony Flash Player, telling them it is required to access certain content. Since Mac OS X Lion doesn't come with Flash preinstalled, users must manually install it. Intego categorized the threat from Flashback as "low."

The new malware is said to specifically target Lion, and replicates the look and feel of the real Flash installer. It includes design elements and logos that could convince some users it is the actual official software from Adobe.

Once the Trojan is installed on the system, it will delete the installer package and deactivate some network security software. The code used by Flashback can be injected in certain applications run on the computer and the Trojan can connect to remote servers in order to send specific information about the infected computer -- including its MAC address, which is a unique identifier for every machine.

Lion users can protect themselves by downloading the official Flash Player installation player from Adobe. Users should also check the origin of any file claiming to be a Flash Player installer.

Users should also uncheck the "Open 'safe' files after downloading" option in Apple's Safari browser under General Preferences. This will help ensure that the Flashback installer is not automatically run if downloaded.



Users can also manually check to see whether they were infected by looking for the file "~/Library/Preferences/Preferences.dylib" on their Mac.

Apple has already distributed a malware definition update to block another Trojan horse, Trojan-Dropper:OSX/Revir.A, described late last week as a malicious program posing as a PDF download.
post #2 of 43
Further research has shown the trojan is actually Adobe Flash itself and the installer actually is the Flash installer.

What? Steals your resources, slows down your computer, crashes your browser

Run down the list and it fits perfectly.

“The only thing more insecure than Android is its userbase.” – Can’t Remember

post #3 of 43
Quote:
Originally Posted by Tallest Skil

Further research has shown the trojan is actually Adobe Flash itself and the installer actually is the Flash installer.


Dang you beat me to it! lol
post #4 of 43
Quote:
Originally Posted by Tallest Skil

Further research has shown the trojan is actually Adobe Flash itself and the installer actually is the Flash installer.

What? Steals your resources, slows down your computer, crashes your browser

Run down the list and it fits perfectly.

Quote:
Originally Posted by monstrosity

Dang you beat me to it! lol

Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #5 of 43
Quote:
Originally Posted by AppleInsider

Apple has already distributed a malware definition update to block another Trojan horse, Trojan-Dropper:OSX/Revir.A, described late last week as a malicious program posing as a PDF download

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.
post #6 of 43
Quote:
Originally Posted by Tallest Skil

Further research has shown the trojan is actually Adobe Flash itself and the installer actually is the Flash installer.

What? Steals your resources, slows down your computer, crashes your browser

Run down the list and it fits perfectly.

Quote:
Originally Posted by monstrosity

Dang you beat me to it! lol

Quote:
Originally Posted by solipsism


Quote:
New Mac OS X Trojan disguises itself as Adobe Flash installer

Disguise? Not. I can tell this is going to be one of those threads
post #7 of 43
My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks
post #8 of 43
Quote:
Originally Posted by ConradJoe

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.

I somewhat agree, but we've also seen how good Heuristics-Based AV has been working on Windows over the last couple decades... so obviously the magic bullet has yet to be found.

I think Apple is in a favourable position, in regards to black-lists, simply because they have the opportunity to start from the beginning. By the time MS realized they were vulnerable to viri, they were a long way behind the 8-ball.

Obviously, as nearly all Heuristic scanners will attest to, the best solution at the moment is actually a two-fold attack -- using both black-lists and Heuristics.

Apple has taken care of the black-list part, it's up to the user to find a Heuristics scanner that works.
post #9 of 43
Quote:
Originally Posted by ConradJoe

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.

For now a blacklist approach is far superior to the resource-intensive heuristic scanners which are necessary in Windows. If we get to a point where there are too many threats for Apple to handle easily then a heuristic approach will probably become the better choice. Additionally, trojans, depending on what they do once installed, often-times require some slightly more specific targeting (thus a definitions list update) to stop efficiently.
The true measure of a man is how he treats someone that can do him absolutely no good.
  Samuel Johnson
post #10 of 43
Quote:
Originally Posted by bcode

Obviously, as nearly all Heuristic scanners will attest to, the best solution at the moment is actually a two-fold attack -- using both black-lists and Heuristics.

No doubt. And being wise about what you click on is a good idea as well. I'm using a couple of free solutions for firewall and AV, set to monitor continuously. AdWare is taken care of occasionally, if and when necessary.
post #11 of 43
Quote:
Originally Posted by RepreeThis

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

Save all documents and personal data to a backup. Wipe and install the OS. Update it to the latest version. Then use Migration Assistant to reclaim docs and applications.
post #12 of 43
Try macscan or Sophos Anti-Virus (Free); if not, a clean install will do the trick.

I regularly maintain my Mac with MainMenu Pro as well. It makes running maintenance scripts a breeze along with cleaning system/user cache and rebuilding spotlight when necessary.

Quote:
Originally Posted by RepreeThis

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks
post #13 of 43
Like the previous MacDefender trojan, these rodents are copying something from the Windows side. The fake Flash installer is something I've seen on Windows computers for years.
post #14 of 43
I have this file in my user library. Can I just delete it? Or is there something more complicated that I have to do? does anybody know?
post #15 of 43
Quote:
Originally Posted by Swift

Save all documents and personal data to a backup. Wipe and install the OS. Update it to the latest version. Then use Migration Assistant to reclaim docs and applications.


Argh! The troll got you.
post #16 of 43
Quote:
Originally Posted by Bloodshotrollin'red


Argh! The troll got you.

What about that guy's post is in any way trollish?

He's asking a question that he wouldn't need to ask if he spent twenty seconds and read the actual article, but that's not trolling.

post #17 of 43
Quote:
Originally Posted by Swift

Save all documents and personal data to a backup. Wipe and install the OS. Update it to the latest version. Then use Migration Assistant to reclaim docs and applications.

Why would you do that?

Why not create a new user and see if that one is 'slow'? If it is not, then you know it's a setting/file issue on his Dad's user account. It's incredibly unlikely that he has any malware, and if he indeed has no malware you may actually identify what he has done to make it slow and prevent him from doing it again.
post #18 of 43
Quote:
Originally Posted by Tallest Skil

What about that guy's post is in any way trollish?

He's asking a question that he wouldn't need to ask if he spent twenty seconds and read the actual article, but that's not trolling.

Astro-turfing has become more sophisticated, more like astro-landscape gardening these days. I wonder how long before the original post is reposted on a Windows/Android forum as proof of Macs' vulnerability? 'Even posters on rabid Apple fan site AppleInsider are complaining...' etc etc.
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
post #19 of 43
I downloaded and ran this a while back, just for the hell of it.

I thought something was weird when I saw "Flash 11".

The one I downloaded rewrote the hosts file to point every google.* to another address. Guess they wanted to steal google logins?

The good thing is that you can check your installer log files to see what happened ;-)
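What the checks discussed in this thread look like as a script, as an added example (not code from the thread, from Intego or from Apple): it looks for the ~/Library/Preferences/Preferences.dylib file named in post #1, and parses a hosts file for google.* names pointed at a non-local address, which is what katastroff's sample did in post #19. The Safari defaults key AutoOpenSafeDownloads and the installer log path /var/log/install.log are my assumptions, not something the thread states; the sample hosts lines used when you run it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Intego/Apple. Host-based
# checks for the two indicators this thread mentions: the dropped file
# ~/Library/Preferences/Preferences.dylib (post #1) and a hosts file that
# redirects google.* hostnames elsewhere (post #19). The Safari defaults key
# AutoOpenSafeDownloads and /var/log/install.log are assumed, not from the thread.

# 0 (true) if the indicator file exists at the given path, 1 otherwise.
flashback_indicator_present() {
    [ -e "$1" ]
}

# Print every hosts-file entry that maps a google.* or *.google.* name to an
# address other than loopback/blackhole. Returns 0 if at least one such entry
# exists (suspicious), 1 if the file looks clean.
hosts_google_redirects() {
    hosts_file=$1
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}          # drop trailing comments
        set -- $entry              # split into address + hostnames
        [ $# -lt 2 ] && continue   # blank or malformed line
        addr=$1
        shift
        case "$addr" in
            127.*|::1|0.0.0.0) continue ;;   # local/blackhole mappings are expected
        esac
        for host in "$@"; do
            case "$host" in
                google.*|*.google.*)
                    printf '%s\n' "$addr $*"
                    found=0
                    break ;;
            esac
        done
    done < "$hosts_file"
    return $found
}

# 0 if Safari is set to auto-open "safe" downloads (the setting post #1 says to
# turn off). The key is absent on a fresh profile, where Safari's default is on,
# so absence is reported as enabled. macOS only.
safari_autoopen_enabled() {
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    [ "$val" = "1" ]
}

# Live check against the running Mac; prints findings, returns 0 if nothing found.
live_check() {
    status=0
    if flashback_indicator_present "$HOME/Library/Preferences/Preferences.dylib"; then
        echo "FOUND: $HOME/Library/Preferences/Preferences.dylib"; status=1
    fi
    if hosts_google_redirects /etc/hosts; then
        echo "FOUND: google.* entries in /etc/hosts (listed above)"; status=1
    fi
    if command -v defaults >/dev/null 2>&1 && safari_autoopen_enabled; then
        echo "WARN: Safari 'Open safe files after downloading' is enabled"
    fi
    # post #19: the installer log records what was actually installed (assumed path)
    [ -r /var/log/install.log ] && grep -i 'flash' /var/log/install.log | tail -n 5
    return $status
}

# Only touch the real system when asked; otherwise just define the functions.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh flashback_check.sh --live` on the Mac in question; without `--live` it only defines the functions, so it can be sourced and pointed at a copied hosts file or a different home directory. Absence of the .dylib only means this particular dropper isn't present, which is also the point made later in the thread.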
post #20 of 43
Quote:
Originally Posted by AppleInsider

Lion users can protect themselves by downloading the official Flash Player installation player from Adobe.

Whiskey, tango, foxtrot?

I'm sorry I'm a little lost here. So if I download Adobe Flash my computer will be safer?

Did I wake up in another dimension?
post #21 of 43
Quote:
Originally Posted by HMayes

Whiskey, tango, foxtrot?

I'm sorry I'm a little lost here. So if I download Adobe Flash my computer will be safer?

Did I wake up in another dimension?


Haha, no. It means if you get a message that you need to download flash, go to Adobe and get the official flash update, not one from another site. It won't make your computer safer, it will just prevent you from downloading the trojan.
post #22 of 43
Quote:
Originally Posted by RepreeThis

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

1. Reformat
2. Reinstall
3. Reprimand

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #23 of 43
Quote:
Originally Posted by katastroff

I thought something was weird when I saw "Flash 11".

Flash 11's out though

Oh, wait, just beta. Forgot about that. I always use the betas.

post #24 of 43
Quote:
Originally Posted by AppleInsider

The new malware is said to specifically target Lion, and replicates the look and feel of the real Flash installer. It includes design elements and logos that could convince some users it is the actual official software from Adobe.

Are they smoking crack?! This installer looks nothing like Adobe's official Flash updater.

Quote:
Originally Posted by ConradJoe

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.

Actually you are thinking viruses, which some malware just happens to include. All malware detection is blacklist based, which is why it is such a problem. You can install anything you want on your system made by anyone, so if you are gullible enough to run it there is nothing your system can do to stop it.

Blacklists that are maintained globally & updated real time are actually very effective & probably far more so than heuristics. In fact what I'd like to see is for Apple to use push technology for Macs so that instead of checking 1 a day they actually get notified immediately when an update is released & download it immediately. One of the most powerful features of an IDS/IPS system is global correlation, realtime updated blacklist contributed to by parties all around the world.
post #25 of 43
Quote:
Originally Posted by RepreeThis

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

A lot of things can slow down a system besides just malware, first thing I would do is run a permissions repair on his drive and reboot. You may also need to re-download latest combo update for his system & install it.

If he is on Snow Leopard make sure he has the option set to check against Apple for the malware blacklist. If he is still getting every new malware out there after that then it's time to take his computer away cause that takes a lot of talent to download what most of us have never once run into.
post #26 of 43
Quote:
Originally Posted by hezetation

Are they smoking crack?! This installer looks nothing like Adobe's official Flash updater.

I don't think the report intended to claim that the fake installer was a sufficiently close copy of the real Flash installer to fool someone who knows what the real installer looks like, but rather that the use of the Adobe logo etc. and the overall appearance would be enough to fool someone either with less experience or paying less attention into thinking it is a legitimate installer.

I have seen some malicious software installers that have obvious flaws in the interface that should make anyone think twice about continuing. Then again, especially on the Windows side, I have seen legitimate installers that were so poorly crafted I thought twice about using the software.
post #27 of 43
i got 10.3 flash today. installer looked like adobe always looked. i dont see the noted library file on my mac.

according to my mac i have the correct latest version of flash 10.3. so how do i know if somethings wrong. i dont see a problem at this point.
post #28 of 43
Quote:
Originally Posted by gdog

so how do i know if somethings wrong. i dont see a problem at this point.

By READING the article. If you don't have the crap in your Library, nothing's wrong.

And if you got Flash from Adobe, there's no way it could possibly be the trojan.

post #29 of 43
Quote:
Originally Posted by Tallest Skil

By READING the article. If you don't have the crap in your Library, nothing's wrong.

And if you got Flash from Adobe, there's no way it could possibly be the trojan.

i was prompted to update. so i didn't get directly from adobe. but it looked like last update and is for 10.3
searching mac (command find) and using spotlight, i dont see library file. what do you think?

if infected, any anti malware software?
post #30 of 43
Quote:
Originally Posted by gdog

i was prompted to update. so i didn't get directly from adobe. but it looked like last update and is for 10.3
searching mac (command find) and using spotlight, i dont see library file. what do you think?

if infected, any anti malware software?


also i have mac firewall turned on. does that prevent this type of thing? thx
post #31 of 43
Quote:
Originally Posted by gdog

i was prompted to update. so i didn't get directly from adobe.

What does this mean? You being prompted to update doesn't immediately imply you didn't download the update from Adobe.

Quote:
searching mac (command find) and using spotlight, i dont see library file. what do you think?

I think you'll need to go look for it manually since Spotlight doesn't look in Library folders.

Quote:
if infected, any anti malware software?

READ THE ARTICLE. Remove the files and you'll be fine.

post #32 of 43
Quote:
Originally Posted by Tallest Skil

What does this mean? You being prompted to update doesn't immediately imply you didn't download the update from Adobe.



I think you'll need to go look for it manually since Spotlight doesn't look in Library folders.



READ THE ARTICLE. Remove the files and you'll be fine.


using search in finder and command f, i dont see file.
i looked in library and did not see. by prompted, i mean. i got a pop up saying new version of flash available. and it looked and worked exactly like previous flash updates. installer log shows install and everything seems normal as far as i can tell. is there some better way for me to find that file. let me know. thx
post #33 of 43
Quote:
Originally Posted by gdog

using search in finder and command f, i dont see file.

Yes. You won't. Because you can't. Spotlight doesn't search Library folders by default, so you won't see that.

Can't for the life of me figure out how to get it to search Libraries (and System), as I would like that very much, but whatever.

Quote:
i looked in library and did not see.

Then you don't have it. Shouldn't be a problem.

Quote:
by prompted, i mean. i got a pop up saying new version of flash available. and it looked and worked exactly like previous flash updates.

If this pop-up was one from an existing Flash install, then you installed it from Adobe itself. You're fine.

post #34 of 43
k cool thx. ran quick scan using iantivirus and was clean. so i guess all good.
post #35 of 43
Quote:
Originally Posted by Tallest Skil

What about that guy's post is in any way trollish?

He's asking a question that he wouldn't need to ask if he spent twenty seconds and read the actual article, but that's not trolling.

Because that guy's post was an obvious ruse to make Macs look just as vulnerable.
post #36 of 43
Quote:
Originally Posted by ericblr

Because that guy's post was an obvious ruse to make Macs look just as vulnerable.

Oh, I see. You can't really find Mac trojans even if you're TRYING, can you?

post #37 of 43
Quote:
Originally Posted by Tallest Skil

Oh, I see. You can't really find Mac trojans even if you're TRYING, can you?

It's not that hard to manually remove things anyway (on OSX or Windows) if you can see a process running. Both have functions for show all processes. You can pretty much identify stuff from there, not that I'm a Windows fan (I use a couple things without OSX versions so I've dealt with it).
post #38 of 43
The file Preferences.dylib is easy enough to find in the user library, but once thrown into the trash it begins to wreak all sorts of havoc, to the point of eliminating the user trash folder from the underlying system architecture. If you are as unfortunate as I to have installed it (from a link on a reputable e-commerce site, by the way), the best way to deal with it is as follows:
First, go to system preferences and make sure that automatic log in is switched off.

Second, create a root user and log in as the root user.

Third, delete your home account, making sure to keep the home folder. It will remain in the Users folder but renamed username (deleted).

Fourth, create a new user with the same user name as your original account. Give it the same password, even.

Finally, drag the contents of the old user folder into the new user folder. When you are prompted whether or not you want to replace a given folder, click yes and check the box that applies this action to all folders. This is your new user folder. Because Trash is not part of the user file structure, your old trash and its contents won't follow you to the new account.

You might want to back up your computer before doing any of this.
post #39 of 43
Why not just open up the Terminal and delete it using rm? None of the underlying OS services a file can access get invoked that way. It just goes away.

Sure not having to deal with the command line is a wonderful thing. But every once in a while a simple command can be immensely useful and far simpler than the GUI+services might make the endeavor otherwise.
post #40 of 43
Quote:
Originally Posted by Tallest Skil

Can't for the life of me figure out how to get it to search Libraries (and System), as I would like that very much, but whatever

Supposedly, invoking Spotlight with Command-Option-Space performs a "universal search", but I only read it somewhere; don't know if that works across various 10.x versions...
Android seems to be an illiterate product, as they only have numbers to show for.