Fake Adobe Flash malware seeks to disable Mac OS X anti-malware protection

Posted:
in Mac Software edited January 2014
A new version of an existing Trojan Horse posing as a legitimate Flash Player installer (named Â?Flashback.AÂ? by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings.



According to security researchers at F-Secure, Â?Flashback.CÂ? is potentially capable of disabling the auto-update component of AppleÂ?s built-in XProtect anti-malware application by overwriting the system binary that checks for updates, XProtectUpdater. That functionality is apparently not yet active, however.



Once the malware is installed and delivered an external payload from malicious servers, the local system would be unable to obtain the latest anti-malware definitions and could subsequently be infected by other malicious programs the user installs without seeing the warnings that Mac OS X's XProtect feature is designed to present to users when they attempt to install malicious software that matches known threats, a definition list Apple maintains and which XProtectUpdater references daily.



Disabling system defenses is a common tactic employed by malware programs, the security firm notes, with built-in malware detection programs being Â?the first target on any computing platform.Â?



Discovered in late September, the Â?Flashback.AÂ? Trojan poses as an Adobe Flash installer in an attempt to trick Mac OS X users into installing the program in order to access Flash-based content on the web. The trojan primarily targets Mac OS X Lion users, since AppleÂ?s latest desktop operating system doesnÂ?t come with Flash preinstalled.



Â?Flashback.CÂ? similarly masquerades as a Flash installer, displaying the same visual elements during the installation process (shown below) in an attempt to convince users they are installing a genuine copy of Flash. Once installed, Â?Flashback.CÂ? first checks to see if the user is running "Little Snitch," a firewall program that could alert the user of its actions. If it is found to be installed, the trojan deletes itself.



If it doesn't find Little Snitch, the malware then tries to connect to a remote host in China in order to obtain other installation files and configurations. F-Secure notes that "the remote host is up but it does not [yet] push anything." If and when the site becomes active, it could deliver a payload that the trojan could use to disable the system's auto-updater, using Safari or Firefox to deliver the malicious code via an LSEnvironment variable that loads when the browser restarts.



Â*



In order to prevent a potential infection with Â?FlashbackÂ? Trojans, Mac users are advised to obtain their copy of Adobe Flash Player directly from AdobeÂ?s official website and to disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet.



Users should also refuse to enter their local account password at any prompt to do so unless they understand why it is required.



In case an infection has occurred, F-Secure provides instructions for removing the Trojan: Scan the whole system and take note of the detected files, then remove the plist entry:







From:



/Applications/Safari.app/Contents/Info.plist

/Applications/Firefox.app/Contents/Info.plist



Delete all detected files



At this time there is not yet a fix from Apple that would automatically flag the new Trojan version as malware when it is being installing on Mac systems, but the trojan is not actually working yet either, so users shouldn't be afraid they are already infected unless they are in the process of installing Adobe Flash from a non-legitimate source.



The evolutionary attempts to create new Mac OS X malware highlight the problems with allowing users to install software from any source, something that has plagued Windows and Mac users with the threat of user-installed malware, and something that has recently exploded as a growing concern among Android users. iOS users are protected from such malware attempts by the security of the App Store, and Apple's Mac App Store affords similar security to its desktop users.



However, web browser plugins such as Adobe Flash, along with other software that plugs into the system on a low level, are not possible to deliver through the App Store under Apple's current policies. Somewhat ironically, users can install the Flash Block app from the Mac App Store, which for 99 cents, offers to temporarily kill active Flash content to conserve battery life, or to block Flash entirely.
«1

Comments

  • Reply 1 of 40
    Best plan yet-- remove Adobe Flash. Period. I don't miss it.
  • Reply 2 of 40
    bigmac2bigmac2 Posts: 639member
    ...And you will be safe



    No joking, all latest OS X trojan news I've seen lately fakes a flash installer. I wonder if its creator want to damage even more Adobe Flash or what.



    Beside I've yet to see someone being infected by those "proof of concept" wimpy trojan.
  • Reply 3 of 40
    Quote:
    Originally Posted by BigMac2 View Post


    No joking, all latest OS X trojan news I've seen lately fakes a flash installer. I wonder if its creator want to damage even more Adobe Flash or what.



    Beside I've yet to see someone being infected by those "proof of concept" wimpy trojan.



    Its creator is probably an avid Mac user with absolutely no intent to harm anyone (hence these trojans not actually doing anything malicious once they're installed) but Adobe.
  • Reply 4 of 40
    Quote:
    Originally Posted by RicMac View Post


    Best plan yet-- remove Adobe Flash. Period. I don't miss it.



    Implying this has anything to do with the program itself.



    Like it or not, Flash is far from dead and is still very common on the web.
  • Reply 5 of 40
    tylerk36tylerk36 Posts: 1,037member
    So Apple is becoming so popular that Vwrites (virus writers) are starting to pay attention to Apples OS X. Oh well comes with the territory. I suspect that some day we will be getting anti virus programs as a standard part of OS X. Although anti virus programs are already out its still not so well known.
  • Reply 6 of 40
    mstonemstone Posts: 11,510member
    Nice advertisement for Little Snitch.



    Most people who already own Little Snitch are not likely to be fooled by this fake installer anyway.
  • Reply 7 of 40
    Quote:
    Originally Posted by MaroonMushroom View Post


    Implying this has anything to do with the program itself.



    Like it or not, Flash is far from dead and is still very common on the web.



    He is just making a suggestion and saying what works for him so don't be offended or feel the need to stick up for Flash. As common as it may be, most of us wouldn't miss Flash content. I, for one, do not miss it at all on any of my iOS devices....period. If you ask me, the name of the product is appropriate for what it does....plays *flashy* stuff, nothing of great substance. People who view internet porn are the biggest proponents of Flash.
  • Reply 8 of 40
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Dickprinter View Post


    As common as it may be, most of us wouldn't miss Flash content. I, for one, do not miss it at all on any of my iOS devices....period.



    There is a lot of news video that is only in Flash. Just today I went to Wolfram|Alpha and even their tour video is in Flash. As smart as those people are you'd think they would choose an intelligent means of presenting their information. They do have a different video for iPhone, but OS X it is Flash.
  • Reply 9 of 40
    macrulezmacrulez Posts: 2,455member
    deleted
  • Reply 10 of 40
    Quote:
    Originally Posted by RicMac View Post


    Best plan yet-- remove Adobe Flash. Period. I don't miss it.



    That was my first thought when reading the article. Dump Flash so as not to be fooled into installing the malware.
  • Reply 11 of 40
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Psych_guy View Post


    That was my first thought when reading the article. Dump Flash so as not to be fooled into installing the mlaware.



    I think that is precisely the point of the malware. You don't have Flash and they try to entice you to install it. I have Flash so I'm not sure how Safari on Lion behaves when presented with Flash content. Does it leave the area blank, show a broken icon? Curious. Anyway many novice users would be fooled especially if they were aware that Lion does not come with Flash and they figured they would wait until they needed it to install it. That is who the malware is targeting.
  • Reply 12 of 40
    Quote:
    Originally Posted by RicMac View Post


    Best plan yet-- remove Adobe Flash. Period. I don't miss it.



    thats your option. i use it and enjoy it
  • Reply 13 of 40
    How does one "scan the whole system?" this statement is just as confusing to most users as you can ever imagine. Be specific, if you're going to give instructions.
  • Reply 14 of 40
    Quote:
    Originally Posted by mstone View Post


    I think that is precisely the point of the malware. You don't have Flash and they try to entice you to install it. I have Flash so I'm not sure how Safari on Lion behaves when presented with Flash content. Does it leave the area blank, show a broken icon? Curious. Anyway many novice users would be fooled especially if they were aware that Lion does not come with Flash and they figured they would wait until they needed it to install it. That is who the malware is targeting.



    It displays the same thing an iPhone or iPad displays. A blue lego block.
  • Reply 15 of 40
    Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:



    If you have Safari:



    defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment



    If you have Firefox:



    defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment



    On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.



    Peace out Homies...Keep it Safe.
  • Reply 16 of 40
    conradjoeconradjoe Posts: 1,887member
    When are these virus writers going to realize that security is built into OSX from the inside out?
  • Reply 17 of 40
    conradjoeconradjoe Posts: 1,887member
    Quote:
    Originally Posted by Simsonic View Post


    Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:



    If you have Safari:



    defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment



    If you have Firefox:



    defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment



    On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.



    Peace out Homies...Keep it Safe.







    That's just insane.
  • Reply 18 of 40
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by hittrj01 View Post


    It displays the same thing an iPhone or iPad displays. A blue lego block.



    I haven't seen a blue lego block since iOS 2 what are you talking about?
  • Reply 19 of 40
    Quote:
    Originally Posted by ConradJoe View Post


    That's just insane.



    What's insane about that?
  • Reply 20 of 40
    ktappektappe Posts: 824member
    Quote:
    Originally Posted by tylerk36 View Post


    So Apple is becoming so popular that Vwrites (virus writers) are starting to pay attention to Apples OS X.



    What part of "this isn't a virus" don't you understand?
Sign In or Register to comment.