
Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers

Posted on September 28th, 2011 by

Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware. After publicizing this threat, many users have posted both in the comments on this blog, and on other blogs and forums about having either seen this malware download, or actually installing it.

If you end up on a site that is serving this malware, you will see something similar to this:


The first things you see are the crashed plugin graphic and the purported error messages. After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings - which allow "safe" downloads to open automatically - you will see an Installer window open.

This is effective social engineering. Savvy Mac users will not be fooled, because they know that a Flash installer would never appear in this manner, but two things make this approach believable. First, Flash Player is not installed on Mac OS X Lion, so users will need to install it themselves if they want to view Flash content on the web. Second, if they do have Flash Player installed, and have set the Flash Player preference pane (in System Preferences) to automatically check for updates, they may think that this is an update alert. (We have never had any such alerts, in spite of having checked that setting.) So this can easily fool many Mac users into downloading the malware.

For these reasons, Intego is raising the risk level of this malware to medium.

If you see a web page similar to that shown above, do not run any installer, and if the Installer window does not open, check your Downloads folder for any package file that contains the name Flash, then delete it. Only download Flash Player installers from the Adobe web site.

Note: if anyone who has been infected by this Trojan horse knows the URL at which they got it, or has a sample, please send an e-mail (with sample attached, and zipped, if possible) to sample@virusbarrier.com. Thanks.

  • Anonymous

    Ok, this is weird. Yesterday morning I was alerted with a popup that looked legit that my flash needed updating. Since I have the pref pane installed and it is set to auto-check for updates, I didn’t think anything of it and installed. I don’t have the preferences.dylib file anywhere on my disk, can I be sure that I am not infected? Will VirusBarrier X6 downloaded from your site find it if this file is missing, or is that all it checks for?

    • Anonymous

      If you are unsure whether you installed or updated Flash from Adobe.com, it might be a good idea to run a scan on your computer. Since you can download VirusBarrier for a 30-day free trial, I don’t see any harm in verifying your computer is in fact clean.

      VirusBarrier X6 will detect and quarantine this Trojan horse with malware definitions dated September 26, 2011 or later. Since you mentioned already downloading the Flash update via the popup, the anti-spyware protection would be most useful for you to block any connections to remote servers if you installed the Trojan horse.

      • http://pulse.yahoo.com/_PXLBRYEXVNSJWYS4QA6LU65ILA tanya

        My wife installed the trojan on MY computer… I cannot find the infected file, nor can the most up-to-date Virus Barrier 6, however, I do know I am infected because every time I open up Firefox and view a video, the video appears “scrambled” and “pixelated.” If I go to youtube.com and click a video, Firefox crashes instantly. I have no idea how to get rid of this virus!

        • http://www.intego.com Intego

          This Trojan horse does not cause video display problems.

  • http://twitter.com/regagain regagain

    Nice article! But when I read it it was already too late. What should I do now that I have run the installer?

    • Anonymous

      Do you know the URL at which you got the Flash pop-up? The malicious code is installed in a file at ~/Library/Preferences/Preferences.dylib

      If you have this file on your computer, then you are definitely infected.

      If you are infected or unsure, you might try installing VirusBarrier X6 and run a malware scan; also keep the anti-spyware protection turned on to block any connection to remote servers if you already installed the Trojan horse.

      You can download the 30-day free trial of VirusBarrier X6 here: http://www.intego.com/virusbarrier/

      • Anonymous

        OK, I am worried too. But I do NOT have that dylib file.
        Does that mean I’m NOT infected?
        Note, I’m running Firefox, not Safari.

        • Anonymous

          If you don’t have the dynamic loader file and do not use Safari, then you are likely not infected with the malware.

      • http://twitter.com/regagain regagain

        I don’t know the URL, sorry! I don’t have the file and I’m doing a scan right now. Thanks for the help.

      • Anonymous

        Is the tilde “~” meaning root/Lib, or could the preferences.dylib file also be in the user’s Library directory?

        Also, can people running Tiger be affected by this? VB X6 won’t run on Tiger, but X5 will; can X5 help in this case, and are you still updating X5?

        • http://www.intego.com Intego

          ~ is a shortcut for the user’s home folder.

          The X5 version will detect this malware.

      • Anonymous

        How can I tell if that code is in a file at ~/Library/Preferences/Preferences.dylib ?

        Just using Finder?

        (mac noob, sorry)
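As an added example (not Intego’s code), here is a small shell function that answers the “just using Finder?” question from Terminal instead: it checks a home folder for the two indicators named on this page, the ~/Library/Preferences/Preferences.dylib file from the replies above and a downloaded package with “Flash” in its name from the post itself. It assumes a `find` that understands `-iname` and `-maxdepth` (as on Mac OS X), and that the indicator names have not changed; Intego notes further down that variants exist and the installed files may differ.

```shell
#!/bin/sh
# Added example, not Intego's tool: check a home folder for the two
# Flashback indicators the post and replies describe:
#   1. a dropped ~/Library/Preferences/Preferences.dylib
#   2. an Installer package in ~/Downloads whose name contains "Flash"
# Usage: flashback_indicators [home_dir]   (home_dir defaults to $HOME)
# Returns 0 when neither indicator is present, 1 when at least one is.
flashback_indicators() {
    home="${1:-$HOME}"
    found=0

    # Indicator 1. HFS+ ignores case by default, but on a case-sensitive
    # volume "preferences.dylib" and "Preferences.dylib" are different
    # files, so both spellings seen in the comments are checked.
    for name in Preferences.dylib preferences.dylib; do
        if [ -e "$home/Library/Preferences/$name" ]; then
            echo "INDICATOR: $home/Library/Preferences/$name exists"
            found=1
        fi
    done

    # Indicator 2. Look only at the top level of Downloads, match "flash"
    # case-insensitively, and accept both .pkg and .mpkg package names.
    if [ -d "$home/Downloads" ]; then
        pkgs=$(find "$home/Downloads" -maxdepth 1 \
                \( -iname '*flash*.pkg' -o -iname '*flash*.mpkg' \) 2>/dev/null)
        if [ -n "$pkgs" ]; then
            echo "$pkgs" | while IFS= read -r pkg; do
                echo "INDICATOR: downloaded package $pkg"
            done
            found=1
        fi
    fi

    if [ "$found" -eq 0 ]; then
        echo "No known Flashback indicators under $home (variants may use other names)"
    fi
    return "$found"
}
```

Run it as `flashback_indicators` for your own account, or pass another user’s home folder as the argument when checking a shared Mac.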

  • http://profiles.google.com/lukeskymac Lucas Bertolino Pizzo

    “Fix a crush of Adobe Flash Player?”

    How can anyone fall for that?

  • Anonymous

    You mean they now have TWO infected Macs?  LOL, last time there was only ONE they could point to.

    • Anonymous

      Well, lots of Asian people like me might, our English is not perfect. And lots of ppl are just careless. But I agree, does sound like Chinglish to me.

  • http://pulse.yahoo.com/_IP347ULLFWHPHCJ6CWBSKFJ7IA adfe 33ed

    I got this yesterday morning following a link to update on Comedy Central’s website, which also opened adobe.com. I ‘updated’ Flash and immediately my browser crashed, I had to log out and back in to get my Dock to reappear and noticed all my music missing (!) in iTunes, then found all my media files, documents, bookmarks, and preference settings were gone, though I still had many applications and could open them. 

    I did a safeboot, repaired many suddenly confused permissions, booted from my install (Snow Leopard) disc and repaired the hard disk successfully, but after booting from my HD again nothing returned. I was an AppleCare advisor for OS X and iOS for a year and I understand a trojan this new would have befuddled AppleCare too. However, I have yet to see anyone posting problems as extensive as mine.

    Any suggestions? Lost a lot.  

    • http://pulse.yahoo.com/_FYBAA44PNMSSQA5KCJMTDOGUIU Louie

      There is a list of files that this trojan installs listed in this post on Mac discussions: https://discussions.apple.com/message/16247297#16247297

      Instead of the last one listed, “swlog”, I found one named “softwareupdate”, so either there are some variants out there or the name is changed while it is running.

      While removing these files will remove the initial infection, it does not guarantee that this trojan has not embedded itself in other ways. Even after removing the files I was still seeing strange behavior with my Finder, flashing and resetting windows. Also, it was strange behavior in Finder that led me to a search and to discover I had been infected in the first place. All the contextual menus in Finder started showing up with unreadable labels, for example.

      My intuition leads me to believe that this thing gets quickly buried into your system in ways that are not yet understood. For that reason I am in the middle of a complete install on to a clean hard drive. A real PITA, but the safest way to make sure that I am really removing this beast.

      -louie

      • http://www.intego.com Intego

        That’s what the initial version installed. Intego has already found several variants, and it’s safe to assume that the installed files may change over time.

        • http://pulse.yahoo.com/_FYBAA44PNMSSQA5KCJMTDOGUIU Louie

          Do you folks have any idea what else happens to your computer once you get infected? 

          Does removing the listed files remove all of the malicious code? As stated above I was noticing unusual behaviour after I was infected and again even after I removed the bogus files.

          • http://twitter.com/stevejoblard Steve Joblard

            That’s a command and control backdoor. The hacker may have installed other malware on your mac before you removed the files. Installing the backdoor gives a total control on your mac. VirusBarrier AntiSpyware feature is able to block such unknown connections from your mac to the hacker server. No firewall is efficient in that case, as the originator of the connection is your mac, not a distant evil hacker.

  • http://twitter.com/MrEarWax MrEarWax

    I downloaded a flash update window, and I don’t have the dylib file or any of these files. https://discussions.apple.com/…
    But I’m still unsure if I got the virus. I downloaded “virus barrier express” from the Mac App Store and it didn’t detect any virus.

  • http://twitter.com/MrEarWax MrEarWax

    I just opened google translate with safari and a flash update showed up!
    virus???

  • gary wight

    A warning for others: this virus is also attacking programs such as Netbeans. I was caught this morning. I found the trojan when I ran the virus scanner. It is called OSX/flashbackDropper.gen. 

    I have quarantined the trojan program, but am not sure about what damage this will cause and how to delete it safely from my computer. 

    Any pointers will be appreciated.

    • http://www.intego.com Intego

      Can you send the sample to sample@virusbarrier.com? We’d love to have a look at it.
