Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package

[solin]

Malware: OSX/flashback.A

Risk: Low; this malware has been found in the wild, and may fool Mac users who don’t have Flash Player installed. However, Intego so far has only one report of this malware, and a sample provided by a user who downloaded it from a malicious web site.

Description: Intego has discovered a new Trojan horse, Flashback, which masquerades as a Flash Player installer. This Trojan horse has been found in the wild, and has some disturbing actions.

Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)



If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software (code in this malware specifically targets and deactivates Little Snitch, but has no effect on Intego VirusBarrier X6), and, after installation, will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected.

For now, Intego has analyzed this malware and its installation process. Intego’s security researchers are analyzing the injected code and we will issue more information as soon as possible.

Means of protection: Users should not download a Flash Player installer from any site other than adobe.com. Mac OS X Lion does not include Flash Player, but users who wish to install this software should visit Adobe’s website: http://www.adobe.com/products/flashplayer/.

Next, it is advisable, for those who use Safari as their web browser, to uncheck Open “safe” files after downloading in the program’s General preferences. This will prevent installer packages—whether real or malicious—from launching automatically.

Finally, if an installer claiming to be a Flash Player installer appears, users should be very careful to ensure that they did, indeed, download it from Adobe’s web site. If not, they should quit the installer.

VirusBarrier X6 (www.intego.com/virusbarrier/) protects users from this malware with malware definitions dated September 26, 2011 or later. VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse.


Source

[luffy]

I'm still hearing MacOS is Virus Free everywhere I go. Can't wait to see them crying. I know someone just spent over $1100 on Mac laptop and they are so happy. They say "it's pretty."

[Christopher Wilmot]

while for the most part macs are virus/trojan free, macs SUCK for anything other than graphic design =) any game that they develop for the mac platform lacks any kind of substantial third party support. i want a mac so badly just for my Photoshop programs. but other than that i dont have a use for one lol

[jcgo16]

i dont even believe that they're virus free

macs are good but.. i like windows because theres tons of custom built pc and a lot of freeware apps, many games


btw nice topic

mac users prepare for viruses ahaha

[Student26]

Shouldn't this be in the virus / malware section?

[leofelix]

Thread moved to the proper forum section
thank you for the heads up

[safeguy]

I'm still hearing MacOS is Virus Free everywhere I go. Can't wait to see them crying. I know someone just spent over $1100 on Mac laptop and they are so happy. They say "it's pretty."

Well, it is pretty, at least in my eyes.

Next, it is advisable, for those who use Safari as their web browser, to uncheck Open “safe” files after downloading in the program’s General preferences. This will prevent installer packages—whether real or malicious—from launching automatically.

This ought to be advised to all Mac users out there using Safari. Spread the word.