
Fake Adobe Flash malware seeks to disable Mac OS X anti-malware protection

post #1 of 39
Thread Starter 
A new version of an existing Trojan Horse posing as a legitimate Flash Player installer (named "Flashback.A" by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings.

According to security researchers at F-Secure, "Flashback.C" is potentially capable of disabling the auto-update component of Apple's built-in XProtect anti-malware application by overwriting the system binary that checks for updates, XProtectUpdater. That functionality is apparently not yet active, however.

Once the malware is installed and delivered an external payload from malicious servers, the local system would be unable to obtain the latest anti-malware definitions and could subsequently be infected by other malicious programs the user installs without seeing the warnings that Mac OS X's XProtect feature is designed to present to users when they attempt to install malicious software that matches known threats, a definition list Apple maintains and which XProtectUpdater references daily.

Disabling system defenses is a common tactic employed by malware programs, the security firm notes, with built-in malware detection programs being "the first target on any computing platform."

Discovered in late September, the "Flashback.A" Trojan poses as an Adobe Flash installer in an attempt to trick Mac OS X users into installing the program in order to access Flash-based content on the web. The trojan primarily targets Mac OS X Lion users, since Apple's latest desktop operating system doesn't come with Flash preinstalled.

"Flashback.C" similarly masquerades as a Flash installer, displaying the same visual elements during the installation process (shown below) in an attempt to convince users they are installing a genuine copy of Flash. Once installed, "Flashback.C" first checks to see if the user is running "Little Snitch," a firewall program that could alert the user of its actions. If it is found to be installed, the trojan deletes itself.

If it doesn't find Little Snitch, the malware then tries to connect to a remote host in China in order to obtain other installation files and configurations. F-Secure notes that "the remote host is up but it does not [yet] push anything." If and when the site becomes active, it could deliver a payload that the trojan could use to disable the system's auto-updater, using Safari or Firefox to deliver the malicious code via an LSEnvironment variable that loads when the browser restarts.


In order to prevent a potential infection with "Flashback" Trojans, Mac users are advised to obtain their copy of Adobe Flash Player directly from Adobe's official website and to disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet.

Users should also refuse to enter their local account password at any prompt to do so unless they understand why it is required.

In case an infection has occurred, F-Secure provides instructions for removing the Trojan: Scan the whole system and take note of the detected files, then remove the plist entry:

From:

/Applications/Safari.app/Contents/Info.plist
/Applications/Firefox.app/Contents/Info.plist

Delete all detected files

At this time there is not yet a fix from Apple that would automatically flag the new Trojan version as malware when it is being installed on Mac systems, but the trojan is not actually working yet either, so users shouldn't be afraid they are already infected unless they are in the process of installing Adobe Flash from a non-legitimate source.

The evolutionary attempts to create new Mac OS X malware highlight the problems with allowing users to install software from any source, something that has plagued Windows and Mac users with the threat of user-installed malware, and something that has recently exploded as a growing concern among Android users. iOS users are protected from such malware attempts by the security of the App Store, and Apple's Mac App Store affords similar security to its desktop users.

However, web browser plugins such as Adobe Flash, along with other software that plugs into the system on a low level, are not possible to deliver through the App Store under Apple's current policies. Somewhat ironically, users can install the Flash Block app from the Mac App Store, which for 99 cents, offers to temporarily kill active Flash content to conserve battery life, or to block Flash entirely.
post #2 of 39
Best plan yet-- remove Adobe Flash. Period. I don't miss it.
post #3 of 39
...And you will be safe

No joking, all the latest OS X trojan news I've seen lately fakes a Flash installer. I wonder if its creator wants to damage Adobe Flash even more, or what.

Besides, I've yet to see someone being infected by those "proof of concept" wimpy trojans.
post #4 of 39
Quote:
Originally Posted by BigMac2 View Post

No joking, all the latest OS X trojan news I've seen lately fakes a Flash installer. I wonder if its creator wants to damage Adobe Flash even more, or what.

Besides, I've yet to see someone being infected by those "proof of concept" wimpy trojans.

Its creator is probably an avid Mac user with absolutely no intent to harm anyone (hence these trojans not actually doing anything malicious once they're installed) but Adobe.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
post #5 of 39
Quote:
Originally Posted by RicMac View Post

Best plan yet-- remove Adobe Flash. Period. I don't miss it.

Implying this has anything to do with the program itself.

Like it or not, Flash is far from dead and is still very common on the web.

Retina Macbook Pro - 2.6ghz

Galaxy Nexus - Jelly Bean!

Reply
post #6 of 39
So Apple is becoming so popular that Vwrites (virus writers) are starting to pay attention to Apple's OS X. Oh well, comes with the territory. I suspect that some day we will be getting anti-virus programs as a standard part of OS X. Although anti-virus programs are already out, it's still not so well known.
An Apple man since 1977
Reply
post #7 of 39
Nice advertisement for Little Snitch.

Most people who already own Little Snitch are not likely to be fooled by this fake installer anyway.

Life is too short to drink bad coffee.

Reply
post #8 of 39
Quote:
Originally Posted by MaroonMushroom View Post

Implying this has anything to do with the program itself.

Like it or not, Flash is far from dead and is still very common on the web.

He is just making a suggestion and saying what works for him so don't be offended or feel the need to stick up for Flash. As common as it may be, most of us wouldn't miss Flash content. I, for one, do not miss it at all on any of my iOS devices....period. If you ask me, the name of the product is appropriate for what it does....plays *flashy* stuff, nothing of great substance. People who view internet porn are the biggest proponents of Flash.

Why does Apple bashing and trolling make people feel so good?

Reply
post #9 of 39
Quote:
Originally Posted by Dickprinter View Post

As common as it may be, most of us wouldn't miss Flash content. I, for one, do not miss it at all on any of my iOS devices....period.

There is a lot of news video that is only in Flash. Just today I went to Wolfram|Alpha and even their tour video is in Flash. As smart as those people are, you'd think they would choose an intelligent means of presenting their information. They do have a different video for iPhone, but on OS X it is Flash.

Life is too short to drink bad coffee.

Reply
post #10 of 39
deleted
post #11 of 39
Quote:
Originally Posted by RicMac View Post

Best plan yet-- remove Adobe Flash. Period. I don't miss it.

That was my first thought when reading the article. Dump Flash so as not to be fooled into installing the malware.
post #12 of 39
Quote:
Originally Posted by Psych_guy View Post

That was my first thought when reading the article. Dump Flash so as not to be fooled into installing the malware.

I think that is precisely the point of the malware. You don't have Flash and they try to entice you to install it. I have Flash so I'm not sure how Safari on Lion behaves when presented with Flash content. Does it leave the area blank, show a broken icon? Curious. Anyway many novice users would be fooled especially if they were aware that Lion does not come with Flash and they figured they would wait until they needed it to install it. That is who the malware is targeting.

Life is too short to drink bad coffee.

Reply
post #13 of 39
Quote:
Originally Posted by RicMac View Post

Best plan yet-- remove Adobe Flash. Period. I don't miss it.

That's your option. I use it and enjoy it.
Groupthink is bad, mkay. Think Different is the motto.
Reply
post #14 of 39
How does one "scan the whole system"? This statement is just as confusing to most users as you can ever imagine. Be specific, if you're going to give instructions.
post #15 of 39
Quote:
Originally Posted by mstone View Post

I think that is precisely the point of the malware. You don't have Flash and they try to entice you to install it. I have Flash so I'm not sure how Safari on Lion behaves when presented with Flash content. Does it leave the area blank, show a broken icon? Curious. Anyway many novice users would be fooled especially if they were aware that Lion does not come with Flash and they figured they would wait until they needed it to install it. That is who the malware is targeting.

It displays the same thing an iPhone or iPad displays. A blue lego block.
post #16 of 39
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe.
MacBook Pro, iMac, iPad 2, iPhone 4S
Please visit my simple and personal blog at www.simbarhoum.com
Reply
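The Info.plist check from this post, and the "remove the plist entry" step quoted from F-Secure in the article, as an added example that is not code from the post, from F-Secure or from AppleInsider: it parses a bundle's Info.plist with Python's plistlib and reports any library path listed under LSEnvironment/DYLD_INSERT_LIBRARIES, which is the same condition the manual `defaults read` command reveals. Both plist samples and the `.placeholder_payload.dylib` path are constructed for the example and are not real indicators.

```python
import plistlib

# Constructed Info.plist of a clean bundle (no LSEnvironment key at all,
# which is why `defaults read ... LSEnvironment` fails on a healthy system).
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key><string>Firefox</string>
  <key>CFBundleIdentifier</key><string>org.mozilla.firefox</string>
</dict>
</plist>
"""

# Constructed Info.plist carrying the kind of entry the thread describes:
# an LSEnvironment dict whose DYLD_INSERT_LIBRARIES points at a payload.
# The path is a placeholder, not a real file from any incident.
INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleExecutable</key><string>Safari</string>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/example/.placeholder_payload.dylib</string>
  </dict>
</dict>
</plist>
"""


def check_lsenvironment(plist_bytes):
    """Return the library paths injected via LSEnvironment, or [] if none.

    A missing LSEnvironment key, or one that is not a dictionary, counts as
    clean. DYLD_INSERT_LIBRARIES may hold several colon-separated paths, so
    each is reported separately.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    inserted = env.get("DYLD_INSERT_LIBRARIES", "")
    return [path for path in inserted.split(":") if path]


def scan_bundles(bundle_plists):
    """Map bundle path -> Info.plist bytes; return only the bundles with hits."""
    findings = {}
    for bundle, data in bundle_plists.items():
        hits = check_lsenvironment(data)
        if hits:
            findings[bundle] = hits
    return findings


if __name__ == "__main__":
    # On a live Mac the bytes would come from the real files, e.g.
    # open("/Applications/Safari.app/Contents/Info.plist", "rb").read()
    sample = {
        "/Applications/Safari.app": INFECTED_PLIST,
        "/Applications/Firefox.app": CLEAN_PLIST,
    }
    for bundle, libs in scan_bundles(sample).items():
        print(f"{bundle}: LSEnvironment injects {libs}")
```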
post #17 of 39
When are these virus writers going to realize that security is built into OSX from the inside out?
post #18 of 39
Quote:
Originally Posted by Simsonic View Post

Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe.

That's just insane.
post #19 of 39
Quote:
Originally Posted by hittrj01 View Post

It displays the same thing an iPhone or iPad displays. A blue lego block.

I haven't seen a blue lego block since iOS 2; what are you talking about?

Life is too short to drink bad coffee.

Reply
post #20 of 39
Quote:
Originally Posted by ConradJoe View Post

That's just insane.

What's insane about that?
MacBook Pro, iMac, iPad 2, iPhone 4S
Please visit my simple and personal blog at www.simbarhoum.com
Reply
post #21 of 39
Quote:
Originally Posted by tylerk36 View Post

So Apple is becoming so popular that Vwrites (virus writers) are starting to pay attention to Apple's OS X.

What part of "this isn't a virus" don't you understand?
post #22 of 39
Quote:
Originally Posted by AppleInsider View Post

If it doesn't find Little Snitch, the malware then tries to connect to a remote host in China in order to obtain other installation files and configurations.

Frapping Chinese. I wish Apple would move all its manufacturing out of that country.
post #23 of 39
-blank-
post #24 of 39
Quote:
Originally Posted by Simsonic View Post

Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe.

Fantastic info Simsonic. I wish the article had described the steps needed for resolution with that clarity. Cheers.
post #25 of 39
The easiest way to tell if you are running the correct installer is simply that if it is running the Mac OS X installer you are installing the Trojan.

Adobe insists on using their crappy installer, which is based on Air and looks horrible.

So if the installer looks nice then be warned.
post #26 of 39
Quote:
Originally Posted by mstone View Post

There is a lot of news video that is only in Flash. Just today I went to Wolfram|Alpha and even their tour video is in Flash. As smart as those people are, you'd think they would choose an intelligent means of presenting their information. They do have a different video for iPhone, but on OS X it is Flash.

Yeah but Wolfram|Alpha is that science thing... and many 'mericans view science and knowledge as pornographic so maybe that just reinforces the idea for some that Flash is only good for un-Godly things
post #27 of 39
The same malware is probably going to be planted in most open source non app store software too.


Logically it is marketshare which will dictate whether non store apps continue to be allowed.
post #28 of 39
A trojan writer is always going to choose the method that will hook the most people.
What I got... 15" i7 w/8 gigs ram,iPad2 64gig wifi, 2.0 mac mini, 2.0 17" imac, appleTv, Still running my old G4 466 upgraded to 1.2GHz maxed ram as a pro tools machine, and 2 iphones.
Reply
post #29 of 39
Quote:
Originally Posted by Simsonic View Post

What's insane about that?

The procedure to detect and remove the offending files.

Windows machines have any number of free AV solutions available. They are set and forget software, they update themselves. They inspect incoming data and will not let you download offending code, unless you override the warning.

If they miss anything, they do a deep scan, automagically in the middle of the night, and remove or quarantine the offending code with no user hassles.

The procedure that Mac users need to go through to detect and remove malware is insane.
post #30 of 39
Quote:
Originally Posted by mstone View Post

Nice advertisement for Little Snitch.

Most people who already own Little Snitch are not likely to be fooled by this fake installer anyway.

yep. Little Snitch is the best!

TechnoMinds

We are a Montreal based technology company that offers a variety of tech services such as tech support for Apple products, Drupal based website development, computer training and iCloud...

Reply
post #31 of 39
deleted
post #32 of 39
Quote:
Originally Posted by MaroonMushroom View Post

Implying this has anything to do with the program itself.

Like it or not, Flash is far from dead and is still very common on the web.

True. In fact, the reason they're using a fake flash player is because a) flash is known to upgrade regularly and b) it doesn't upgrade through software update. People are used to seeing flash upgrade notices, so they don't pay attention when this thing tries to load.
post #33 of 39
Quote:
Originally Posted by Conrail View Post

People are used to seeing flash upgrade notices, so they don't pay attention when this thing tries to load.

Ever since Flash added itself as a .preferencepane in System Preferences, I've not seen a single upgrade notice.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
post #34 of 39
This is gonna be a HUGE problem for the 1% of mac owners who have virus software on their machine.
post #35 of 39
Quote:
Originally Posted by ConradJoe View Post

The procedure to detect and remove the offending files.

Windows machines have any number of free AV solutions available. They are set and forget software, they update themselves. They inspect incoming data and will not let you download offending code, unless you override the warning.

If they miss anything, they do a deep scan, automagically in the middle of the night, and remove or quarantine the offending code with no user hassles.

The procedure that Mac users need to go through to detect and remove malware is insane.

Sounds like you need to upgrade to Windows with a good anti-virus program.

I for one am a Windows IT administrator by day; I can't wait to get home and use my antivirus-free Mac at night!
post #36 of 39
Quote:
Originally Posted by Simsonic View Post

Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe.

Thank you. Would have been nice if the article had this.

TechnoMinds

We are a Montreal based technology company that offers a variety of tech services such as tech support for Apple products, Drupal based website development, computer training and iCloud...

Reply
post #37 of 39
Quote:
Originally Posted by _Rick_V_ View Post

Sounds like you need to upgrade to Windows with a good anti-virus program.

I for one am a Windows IT administrator by day; I can't wait to get home and use my antivirus-free Mac at night!

Which Windows AV is your preferred choice? I haven't had any malware problems for longer than I can recall.

A few years ago I downloaded something nasty from a P2P site, but other than that, I can't even remember having a problem. I'm not sure what I was using at that time.
post #38 of 39
Quote:
Originally Posted by ConradJoe View Post

The procedure to detect and remove the offending files.

Windows machines have any number of free AV solutions available. They are set and forget software, they update themselves. They inspect incoming data and will not let you download offending code, unless you override the warning.

If they miss anything, they do a deep scan, automagically in the middle of the night, and remove or quarantine the offending code with no user hassles.

The procedure that Mac users need to go through to detect and remove malware is insane.

"They inspect incoming data and will not let you download offending code, unless you override the warning." Assuming that the A/V definitions include that malware.

"If they miss anything, they do a deep scan, automagically in the middle of the night,"
So they know when they miss stuff and do an "automagic" scan? If they know they missed something, why didn't they remove it originally?

The Mac A/V software works the same way as the Windows A/V software, by the way. The huge majority of us Mac users don't actually have to worry about any of this, or the three million and counting Windows malware.
post #39 of 39
Quote:
Originally Posted by Lom View Post

Been using Macs since 98 with zero protection. What's malware?

I think it's what you put on before you go shopping.
If you want to call me names, tell me to shut up and f off...you will be ignored. I WILL NOT BE BULLIED!!
Reply