Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware. After publicizing this threat, many users have posted both in the comments on this blog, and on other blogs and forums about having either seen this malware download, or actually installing it.
If you end up on a site that is serving this malware, you will see something similar to this:
The first things you see are the crashed plugin graphic and the purported error messages. After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings – which allow “safe” downloads to open automatically – you will see an Installer window open.
This is effective social engineering. Savvy Mac users will not be fooled, because they know that a Flash installer would never appear in this manner, but two things make this approach believable. First, Flash Player is not installed on Mac OS X Lion, so users will need to install it themselves if they want to view Flash content on the web. Second, if they do have Flash Player installed, and have set the Flash Player preference pane (in System Preferences) to automatically check for updates, they may think that this is an update alert. (We have never had any such alerts, in spite of having checked that setting.) So this can easily fool many Mac users into downloading the malware.
For these reasons, Intego is raising the risk level of this malware to medium.
If you see a web page similar to that shown above, do not run any installer, and if the Installer window does not open, check your Downloads folder for any package file that contains the name Flash, then delete it. Only download Flash Player installers from the Adobe web site.
Note: if anyone who has been infected by this Trojan horse knows the URL at which they got it, or has a sample, please send an e-mail (with sample attached, and zipped, if possible) to email@example.com. Thanks.