
INTEGO SECURITY MEMO: Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package

Posted on September 26th, 2011 by

Malware: OSX/flashback.A

Risk: Low; this malware has been found in the wild, and may fool Mac users who don’t have Flash Player installed. However, Intego so far has only one report of this malware, and a sample provided by a user who downloaded it from a malicious web site.

Description: Intego has discovered a new Trojan horse, Flashback, which masquerades as a Flash Player installer. This Trojan horse has been found in the wild, and has some disturbing actions.

Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)



If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software (code in this malware specifically targets and deactivates Little Snitch, but has no effect on Intego VirusBarrier X6), and, after installation, will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server and sends information about the infected Mac to it, including the computer’s MAC address, which serves as a unique identifier and lets the malware recognise whether a given Mac is already infected.

For now, Intego has analyzed this malware and its installation process. Intego’s security researchers are analyzing the injected code and we will issue more information as soon as possible.

Means of protection: Users should not download a Flash Player installer from any site other than adobe.com. Mac OS X Lion does not include Flash Player, but users who wish to install this software should visit Adobe’s website: http://www.adobe.com/products/flashplayer/.

Next, it is advisable, for those who use Safari as their web browser, to uncheck Open “safe” files after downloading in the program’s General preferences. This will prevent installer packages—whether real or malicious—from launching automatically.

Finally, if an installer claiming to be a Flash Player installer appears, users should be very careful to ensure that they did, indeed, download it from Adobe’s web site. If not, they should quit the installer.
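As an added example (not Intego’s code and not part of this memo), the following POSIX shell script turns the two practical checks above into something a user or lab administrator can run from Terminal: it looks for the ~/Library/Preferences/Preferences.dylib file the description names, and, on a Mac, reads Safari’s “Open safe files after downloading” setting through defaults(1). The preference key com.apple.Safari AutoOpenSafeDownloads is my assumption about where Safari stores that checkbox; the memo does not name it. The script also greps /etc/launchd.conf and ~/.MacOSX/environment.plist for DYLD_INSERT_LIBRARIES, a generic check for dyld libraries being injected into every application; the memo does not say this Trojan uses those files, so a match there is something to review, not by itself proof of infection.

```shell
#!/bin/sh
# Added triage script (not Intego's tool): checks a Mac for the one file
# indicator the memo gives for OSX/flashback.A and for the Safari setting
# the memo tells users to turn off.  Usage:  sh flashback_check.sh [home_dir]

# Path the memo names; ~ is the user's home folder.
INDICATOR_RELPATH="Library/Preferences/Preferences.dylib"

# check_flashback_indicator HOME_DIR
# Returns 0 when the indicator file is absent, 1 when it is present.
check_flashback_indicator() {
    home_dir="${1:-$HOME}"
    target="$home_dir/$INDICATOR_RELPATH"
    if [ -e "$target" ]; then
        echo "INFECTED: $target is present (OSX/flashback.A indicator)"
        ls -la "$target"
        return 1
    fi
    echo "CLEAN: $target not present"
    return 0
}

# check_dyld_insert FILE...
# Supplementary generic check (an assumption, not something the memo states):
# a dyld library is usually forced into every process via DYLD_INSERT_LIBRARIES,
# so report each listed file that sets it.  Returns the number of files that
# reference the variable (0 = nothing found).
check_dyld_insert() {
    hits=0
    for f in "$@"; do
        if [ -f "$f" ] && grep -q DYLD_INSERT_LIBRARIES "$f"; then
            echo "REVIEW: $f sets DYLD_INSERT_LIBRARIES"
            grep DYLD_INSERT_LIBRARIES "$f"
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# check_safari_autoopen
# Reads Safari's "Open safe files after downloading" preference with defaults(1).
# Assumed key: com.apple.Safari AutoOpenSafeDownloads (absent key = default, on).
# Returns 0 when auto-open is off, 1 when it is on, 2 when defaults(1) is not
# available (i.e. this is not a Mac).
check_safari_autoopen() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "SKIP: defaults(1) not available; not running on a Mac"
        return 2
    fi
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    if [ "$value" = "0" ]; then
        echo "OK: Safari will not auto-open downloaded .pkg/.mpkg files"
        return 0
    fi
    echo "WARN: Safari auto-opens 'safe' downloads; turn it off with:"
    echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    return 1
}

# Run all three checks for the given (or current) user when executed directly.
home_dir="${1:-${HOME:-/var/empty}}"
check_flashback_indicator "$home_dir" || true
check_dyld_insert /etc/launchd.conf "$home_dir/.MacOSX/environment.plist" || true
check_safari_autoopen || true
```

If the first check reports the file, the memo’s advice applies: do not trust the installer it came from, update malware definitions, and scan; the DYLD_INSERT_LIBRARIES and Safari checks are there so the same run also shows whether other applications are being loaded with an injected library and whether the browser will keep auto-launching downloaded packages.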

VirusBarrier X6 (www.intego.com/virusbarrier/) protects users from this malware with malware definitions dated September 26, 2011 or later. VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse.



VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated September 26, 2011 or later, but these programs do not have a real-time scanner, due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.

Note: if anyone who has been infected by this Trojan horse knows the URL at which they got it, can you please send an e-mail to sample@virusbarrier.com? Thanks.

  • http://www.facebook.com/profile.php?id=1412222018 David Cullinan

    If I recently updated Flash, but didn’t pay much attention to where it came from (it never occurred to me to be concerned), is there a way to check and see if my computer is infected?

    • http://www.intego.com Intego

      Check to see if you have this file:

      ~/Library/Preferences/Preferences.dylib

      ~ is your home folder.

      If you do, then you’re infected.

  • http://www.facebook.com/people/Jason-Miller/1105505180 Jason Miller

    I actually installed a random Flash update today without even thinking about it. Does this trojan work on OSX Lion and will your software detect it on OSX Lion?

    • http://www.intego.com Intego

      Yes, and yes.

      • http://www.facebook.com/people/Jason-Miller/1105505180 Jason Miller

        Here is more information in case you can use it. I was just browsing a website and without clicking any link a random flash installer popped up while trying to watch a flash video clip. It followed the install and self deletion you have mentioned. I was using the latest version of Firefox on OSX Lion. 

  • http://twitter.com/DannyOri Danny Ori

    So, I’m a little concerned.  When I got home tonight, I had a Flash update appear through the system preferences panel (I’m running Lion and had Flash previously installed).  I downloaded it and it took me to the Adobe site.  Now I read that there’s a Flash trojan out there….and since I downloaded it, my fan speed has been extremely high, when Safari or no other apps have been open.

    Does anybody have a suggestion as to how I find out if I have a problem?  I have ClamXav and just downloaded Virus Barrier Express from the Mac App Store.  I have download safe files UNCHECKED in Safari and this update did not appear through Safari, but through system preferences.

    Thanks for the help.

    • http://www.intego.com Intego

      Check on the Adobe web site, at the URL in the article above. If you need an update, and download it from there, you’re safe. As for the fan speed, that could simply be Flash that is CPU-hungry.

  • Anonymous

    Hmm – a lot of people are very concerned…but has _anybody_ actually encountered that thing? If so, please keep it in a canning jar – I’d very much like to see it…:)

    • http://www.intego.com Intego

      Intego got a sample from a customer who encountered it in the wild. We don’t think it’s very widespread yet, but nipping something like this in the bud helps ensure that it doesn’t go far.

      • Anonymous

        My machine was infected about a month ago after I clicked through the malware flash installer without thinking about it.  I thought that the installer was odd – it doesn’t look like Adobe’s installers – but didn’t think anything of it.  It installed a binary called “vksd” which kept launching the “zip” binary.  It also infected my Time Machine backups; two trips to the Apple Store didn’t fix anything.  I eventually tracked down the binary from the command line and deleted it, which fixed the problem. 

        In my case, the primary symptom was a process (zip, called by vksd) which kept sucking up more and more memory until the machine ground to a halt.  At the time this occurred, there was no mention of the malware binary (vksd) on the internet, at least not in English.

        • Anonymous

          Can you please post the specific steps you undertook to remove this binary?

          • Anonymous

            When booting normally, I could use the console to see which processes were taking up memory. “Zip” was taking up 2+ GB (my machine had 4 GB at that time) and I could also see that zip was called by “vksd” or something. I booted into Safe Boot mode and updated the locateDB (check Google, I forget the command). I then searched the machine for “vksd” and it turned up in /usr/bin/ or somewhere similar. I didn’t take notes on any of this so I am going from memory. See, for example: http://neilang.com/entries/updating-the-locate-database-in-mac-os-x/ There are instructions elsewhere online for how to use the command line to locate a file. I also checked the PrefPanes, Prefs, and Library for stuff but I forget what I found. Would type more but this is not my day job.

  • http://pulse.yahoo.com/_NXX7YOWT2BKXFXS7INEPEUDJU4 Jorge Torres

    Hello…. Can anyone help me with this… my PC is already infected with this virus/trojan… its been 1 month now since my PC is infected. I can’t open facebook site.. I’m happy that this virus got your attention now, I search for this problem 1 month ago when my PC got infected and nothing appear… 

    • http://www.intego.com Intego

      If it’s a PC – i.e., Windows – then it’s not the same thing. Are you using a Mac or a PC?

      • Anonymous

        If it’s a PC you probably have dozens of real viruses on there.  

  • Anonymous

    Unfortunately I have this virus/trojan. What are the steps to remove it? Do I need to reinstall any apps? How would I know they have been compromised?

    • Daniel V

      Download one of Intego’s AV programs.

  • Anonymous

    I had the exact same thing with a random flash update popping up, so I clicked it and after install I had to use the quit button to make it go away.
    It seems a few people have had this so does anyone know if it is genuine. I don’t seem to have any preferences.dylib file so assume I am ok; am scanning at the moment so will let all know.

    • Anonymous

      Same situation here…

  • Robin Sherman

    This thing suddenly popped up on my monitor this morning (Tuesday). I thought it was the Adobe software update notifying me automatically, as I recall it sometimes does. It looked real so I installed it.
    But I did a search for the Preferences.dylib file and could not find it. This worries me.

    I’m using OS Snow Leopard 10.6.8.

    • Anonymous

      Can you open the console and see anything out of the ordinary?  It seems like this file malware might behave differently than when I encountered it a few weeks ago.

  • http://www.facebook.com/people/Brian-Edwards/728321485 Brian Edwards

    I was infected by this virus yesterday. I stupidly ran the ‘flash player’ update and thought nothing of it. Today my mac was useless. My desktop icons were gone and most menu names were replaced by number sequences. I discovered the preferences.dylib file and attempted to trash it. At this point the whole system became useless. I shut down and on re-start just got a blue screen.

    I have re-formatted my drive and am in the process of re-installing the OS and applications. 

    Would this have solved the problem or would it still be on the system?

    Should I be wary of my timemachine backup? 

    Is it possible that the virus would be on that drive or in files on that drive that i want to recover?

    • http://www.intego.com Intego

      If you’ve done a clean install, then the malware is not there. However, certain files could be in your Time Machine backup. 

      • Anonymous

        My Time Machine backups were compromised starting with the first backup after installing the malware.

        • Anonymous

          Then delete these and go back to a backup version predating the virus download; should be OK provided you also have your anti-virus running (you do have now, right?).

      • Anonymous

        By clean install, do you mean just the system, or all apps and docs as well?

        • http://www.intego.com Intego

          A clean install is your system and apps; you want to keep your personal files and documents.

  • David Milner

    If you are concerned about which flash version you last installed and whether it ‘could’ be this – check to see whether the version you are running is 10.3.183.10 – they released an update on the 21st to determine whether that update was genuine.

    • http://www.intego.com Intego

      We’re trying to find out exactly what the procedure is. We’ve never seen any alerts for new versions of Flash Player, in spite of having checked the option for automatic checks.

      • Anonymous

        Automatic updates do pop up in Windows 7, so some users might be talking about that – those constant updates (on my work PC) are one reason why I clicked through the mac installer without reading anything.

  • http://twitter.com/jjmali JohnJ

    There was a Flash update today for me as well. It was genuine. The installer is still on my computer and the pref file is not present. Everything I’ve read refers to the pref file to see if you’re infected. I also believe that the virus requires you to click to install it. The flash update was different. I could also see that my file was downloaded from Adobe.

    If you did the install recently check your recent items menu. That will also give you clues.

  • Anonymous

    I believe this malware hosed my system yesterday. For the past several days, Firefox had been prompting me on application startup to install a Flash plugin located in ~/Library/Application Support/Firefox/Profiles/. I thought this was odd, and then I heard about this malware. I don’t recall where I got the dodgy Flash updater, but I do remember blindly installing a Flash update a few days ago (I’m an idiot for that!). Sure enough, I had the offending dylib in my preferences directory. After putting the dylib in my trash, I tried to open Activity Monitor to look for any suspicious processes, but it would open and immediately close – no errors or anything. I then logged out and tried to log back in, but the desktop wouldn’t load no matter what I tried (including booting in safe mode). I could, however, log in under >console and single-user. After a bit of troubleshooting, I simply wiped my system and restored from a clean Time Machine backup. FWIW, neither ClamXav nor Sophos (free Home edition) recognized this malware, at least as of 9/27.

  • Anonymous

    I’m pretty sure I downloaded this Flash Trojan Horse. I recall seeing a strange file when I was trying to solve why I can no longer run videos on a number of sites, including yahoo, hulu and cnbc. Now when I try to load the videos, I get a box that says Adobe Flash wants more room to store stuff on your computer – allow, deny. I’m running the scan again with the latest update, but the last one said “no virus detected”. I’m going to check my library again, but could it morph into something else? And how likely is it that my video download problem and this malware are related?

  • Herman Couwenbergh

    I ran your software and it found the ~/Library/Preferences/Preferences.dylib. I put it in quarantine and deleted it, but now my Mac won’t start up again?!
    It starts and then ends in a blue screen (no jokes please, I thought them up myself). Does anybody know how to fix this…

    Herman

  • Anonymous

    I have Virus Barrier 6 and my virus definition updates are… up to date. However, when I go into VB6 > Firewall > Trojan I do not see “Flashback.A” listed anywhere there.  Does Intego give it a different name?

    • http://www.intego.com Intego

      It’s not listed there. It’s filtered as any other malware on download or scan.

  • jorge massoud

    I have re-formatted my drive and am in the process of re-installing the OS and applications. 

    Would this have solved the problem or would it still be on the system?

  • Alfia Wallace

    I manage a Mac OS 10.5.8 iMac lab at an elementary school and some teacher recently downloaded and installed the rogue Flash updater on the presentation desktop and now Safari and other applications are unusable on it.  I checked the lab computers and their Flash version is up-to-date (I did the updates less than a month ago), yet when kids visit certain *educational* websites, such as Spelling City and some research sites for doing state reports, the bogus installer pops up.  We are warning everyone to ignore it, but this is a serious threat for those of us in K12 education with Mac labs. 

    • http://www.intego.com Intego

      If you have any URLs that you think are serving this malware, we’d appreciate if you could send them to sample@virusbarrier.com. That way we can collect more samples, and keep ahead of the malware creators.

  • Anonymous

    Hello Intego.  Recently I spent several $000s to get a mac to reduce my exposure to viruses that tend to target the Microsoft platforms.  Then, in the last couple of weeks, I opened Skype and saw two names of contacts that I neither invited nor accepted into my Skype world.  I also was creating several presentations and using Google images quite a bit and have noticed changes on my display.  Pop-up screen savers that I had not seen prior.  One day recently, I contacted a research service.  Turns out the company that carried a Dallas address was really based in India.  Have an email from the firm which your VirusBarrier X6 has red-flagged.  Spoke with a project partner who I have exchanged files with over the last couple of weeks.  She has used a mac for 30 years and now notices potential issues on her system and recommended that I download your software.  Then today, noticed your notice on flash and recalled receiving some kind of upgrade request.  As a new mac user, I presumed it was necessary for the images I was downloading.  

    1)  The  Skype folks tell me that contacts shouldn’t just appear in my contact list and that this seldom, if ever, occurs.  BTW, one contact name was in arabic.  The second was a business in Maryland.  I have blocked the Skype contacts.

    2) Here is what I found related to flash on my system: okay or trouble? install_flash_player_osx_intel.dmg

    3)  If okay, any suggestions for why or how Skype contacts got in?

  • dis666

    …and just what does it do? What are the effects?

  • Alfia Wallace

    It turns out that Adobe started updating Flash with more regularity and that the last build allowed for autolaunching of the downloader on any page with Flash.  I have had to update Flash in the lab three times this academic year which is unprecedented. That makes detecting any Trojan considerably more difficult.  It doesn’t look like we were actually infected though. *whew*
