Fake Adobe Flash malware seeks to disable Mac OS X anti-malware protection
A new version of an existing Trojan Horse posing as a legitimate Flash Player installer (named Â?Flashback.AÂ? by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings.
According to security researchers at F-Secure, Â?Flashback.CÂ? is potentially capable of disabling the auto-update component of AppleÂ?s built-in XProtect anti-malware application by overwriting the system binary that checks for updates, XProtectUpdater. That functionality is apparently not yet active, however.
Once the malware is installed and delivered an external payload from malicious servers, the local system would be unable to obtain the latest anti-malware definitions and could subsequently be infected by other malicious programs the user installs without seeing the warnings that Mac OS X's XProtect feature is designed to present to users when they attempt to install malicious software that matches known threats, a definition list Apple maintains and which XProtectUpdater references daily.
Disabling system defenses is a common tactic employed by malware programs, the security firm notes, with built-in malware detection programs being Â?the first target on any computing platform.Â?
Discovered in late September, the Â?Flashback.AÂ? Trojan poses as an Adobe Flash installer in an attempt to trick Mac OS X users into installing the program in order to access Flash-based content on the web. The trojan primarily targets Mac OS X Lion users, since AppleÂ?s latest desktop operating system doesnÂ?t come with Flash preinstalled.
Â?Flashback.CÂ? similarly masquerades as a Flash installer, displaying the same visual elements during the installation process (shown below) in an attempt to convince users they are installing a genuine copy of Flash. Once installed, Â?Flashback.CÂ? first checks to see if the user is running "Little Snitch," a firewall program that could alert the user of its actions. If it is found to be installed, the trojan deletes itself.
If it doesn't find Little Snitch, the malware then tries to connect to a remote host in China in order to obtain other installation files and configurations. F-Secure notes that "the remote host is up but it does not [yet] push anything." If and when the site becomes active, it could deliver a payload that the trojan could use to disable the system's auto-updater, using Safari or Firefox to deliver the malicious code via an LSEnvironment variable that loads when the browser restarts.
Â*
In order to prevent a potential infection with Â?FlashbackÂ? Trojans, Mac users are advised to obtain their copy of Adobe Flash Player directly from AdobeÂ?s official website and to disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet.
Users should also refuse to enter their local account password at any prompt to do so unless they understand why it is required.
In case an infection has occurred, F-Secure provides instructions for removing the Trojan: Scan the whole system and take note of the detected files, then remove the plist entry:
From:
/Applications/Safari.app/Contents/Info.plist
/Applications/Firefox.app/Contents/Info.plist
Delete all detected files
At this time there is not yet a fix from Apple that would automatically flag the new Trojan version as malware when it is being installing on Mac systems, but the trojan is not actually working yet either, so users shouldn't be afraid they are already infected unless they are in the process of installing Adobe Flash from a non-legitimate source.
The evolutionary attempts to create new Mac OS X malware highlight the problems with allowing users to install software from any source, something that has plagued Windows and Mac users with the threat of user-installed malware, and something that has recently exploded as a growing concern among Android users. iOS users are protected from such malware attempts by the security of the App Store, and Apple's Mac App Store affords similar security to its desktop users.
However, web browser plugins such as Adobe Flash, along with other software that plugs into the system on a low level, are not possible to deliver through the App Store under Apple's current policies. Somewhat ironically, users can install the Flash Block app from the Mac App Store, which for 99 cents, offers to temporarily kill active Flash content to conserve battery life, or to block Flash entirely.
According to security researchers at F-Secure, Â?Flashback.CÂ? is potentially capable of disabling the auto-update component of AppleÂ?s built-in XProtect anti-malware application by overwriting the system binary that checks for updates, XProtectUpdater. That functionality is apparently not yet active, however.
Once the malware is installed and delivered an external payload from malicious servers, the local system would be unable to obtain the latest anti-malware definitions and could subsequently be infected by other malicious programs the user installs without seeing the warnings that Mac OS X's XProtect feature is designed to present to users when they attempt to install malicious software that matches known threats, a definition list Apple maintains and which XProtectUpdater references daily.
Disabling system defenses is a common tactic employed by malware programs, the security firm notes, with built-in malware detection programs being Â?the first target on any computing platform.Â?
Discovered in late September, the Â?Flashback.AÂ? Trojan poses as an Adobe Flash installer in an attempt to trick Mac OS X users into installing the program in order to access Flash-based content on the web. The trojan primarily targets Mac OS X Lion users, since AppleÂ?s latest desktop operating system doesnÂ?t come with Flash preinstalled.
Â?Flashback.CÂ? similarly masquerades as a Flash installer, displaying the same visual elements during the installation process (shown below) in an attempt to convince users they are installing a genuine copy of Flash. Once installed, Â?Flashback.CÂ? first checks to see if the user is running "Little Snitch," a firewall program that could alert the user of its actions. If it is found to be installed, the trojan deletes itself.
If it doesn't find Little Snitch, the malware then tries to connect to a remote host in China in order to obtain other installation files and configurations. F-Secure notes that "the remote host is up but it does not [yet] push anything." If and when the site becomes active, it could deliver a payload that the trojan could use to disable the system's auto-updater, using Safari or Firefox to deliver the malicious code via an LSEnvironment variable that loads when the browser restarts.
Â*
In order to prevent a potential infection with Â?FlashbackÂ? Trojans, Mac users are advised to obtain their copy of Adobe Flash Player directly from AdobeÂ?s official website and to disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet.
Users should also refuse to enter their local account password at any prompt to do so unless they understand why it is required.
In case an infection has occurred, F-Secure provides instructions for removing the Trojan: Scan the whole system and take note of the detected files, then remove the plist entry:
From:
/Applications/Safari.app/Contents/Info.plist
/Applications/Firefox.app/Contents/Info.plist
Delete all detected files
At this time there is not yet a fix from Apple that would automatically flag the new Trojan version as malware when it is being installing on Mac systems, but the trojan is not actually working yet either, so users shouldn't be afraid they are already infected unless they are in the process of installing Adobe Flash from a non-legitimate source.
The evolutionary attempts to create new Mac OS X malware highlight the problems with allowing users to install software from any source, something that has plagued Windows and Mac users with the threat of user-installed malware, and something that has recently exploded as a growing concern among Android users. iOS users are protected from such malware attempts by the security of the App Store, and Apple's Mac App Store affords similar security to its desktop users.
However, web browser plugins such as Adobe Flash, along with other software that plugs into the system on a low level, are not possible to deliver through the App Store under Apple's current policies. Somewhat ironically, users can install the Flash Block app from the Mac App Store, which for 99 cents, offers to temporarily kill active Flash content to conserve battery life, or to block Flash entirely.
Comments
No joking, all latest OS X trojan news I've seen lately fakes a flash installer. I wonder if its creator want to damage even more Adobe Flash or what.
Beside I've yet to see someone being infected by those "proof of concept" wimpy trojan.
No joking, all latest OS X trojan news I've seen lately fakes a flash installer. I wonder if its creator want to damage even more Adobe Flash or what.
Beside I've yet to see someone being infected by those "proof of concept" wimpy trojan.
Its creator is probably an avid Mac user with absolutely no intent to harm anyone (hence these trojans not actually doing anything malicious once they're installed) but Adobe.
Best plan yet-- remove Adobe Flash. Period. I don't miss it.
Implying this has anything to do with the program itself.
Like it or not, Flash is far from dead and is still very common on the web.
Most people who already own Little Snitch are not likely to be fooled by this fake installer anyway.
Implying this has anything to do with the program itself.
Like it or not, Flash is far from dead and is still very common on the web.
He is just making a suggestion and saying what works for him so don't be offended or feel the need to stick up for Flash. As common as it may be, most of us wouldn't miss Flash content. I, for one, do not miss it at all on any of my iOS devices....period. If you ask me, the name of the product is appropriate for what it does....plays *flashy* stuff, nothing of great substance. People who view internet porn are the biggest proponents of Flash.
As common as it may be, most of us wouldn't miss Flash content. I, for one, do not miss it at all on any of my iOS devices....period.
There is a lot of news video that is only in Flash. Just today I went to Wolfram|Alpha and even their tour video is in Flash. As smart as those people are you'd think they would choose an intelligent means of presenting their information. They do have a different video for iPhone, but OS X it is Flash.
Best plan yet-- remove Adobe Flash. Period. I don't miss it.
That was my first thought when reading the article. Dump Flash so as not to be fooled into installing the malware.
That was my first thought when reading the article. Dump Flash so as not to be fooled into installing the mlaware.
I think that is precisely the point of the malware. You don't have Flash and they try to entice you to install it. I have Flash so I'm not sure how Safari on Lion behaves when presented with Flash content. Does it leave the area blank, show a broken icon? Curious. Anyway many novice users would be fooled especially if they were aware that Lion does not come with Flash and they figured they would wait until they needed it to install it. That is who the malware is targeting.
Best plan yet-- remove Adobe Flash. Period. I don't miss it.
thats your option. i use it and enjoy it
I think that is precisely the point of the malware. You don't have Flash and they try to entice you to install it. I have Flash so I'm not sure how Safari on Lion behaves when presented with Flash content. Does it leave the area blank, show a broken icon? Curious. Anyway many novice users would be fooled especially if they were aware that Lion does not come with Flash and they figured they would wait until they needed it to install it. That is who the malware is targeting.
It displays the same thing an iPhone or iPad displays. A blue lego block.
If you have Safari:
defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment
If you have Firefox:
defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment
On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.
Peace out Homies...Keep it Safe.
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:
If you have Safari:
defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment
If you have Firefox:
defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment
On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.
Peace out Homies...Keep it Safe.
That's just insane.
It displays the same thing an iPhone or iPad displays. A blue lego block.
I haven't seen a blue lego block since iOS 2 what are you talking about?
That's just insane.
What's insane about that?
So Apple is becoming so popular that Vwrites (virus writers) are starting to pay attention to Apples OS X.
What part of "this isn't a virus" don't you understand?