The Mac Security Blog

Malware

Flashback Is Not a Trojan Horse; What Is It?

Posted on by

The Flashback malware, which may have infected more than a half-million Macs already, has been getting a lot of attention in the press. But many media are calling it the “Flashback Trojan,” or even a “Trojan virus.” Is it correct to use these terms?

Well, Flashback is not a Trojan horse. (It is also not a virus, nor a “Trojan virus,” as some media are saying.) While the distinction is, perhaps, not important if you have been infected by this malware, it actually is useful to know.

A Trojan horse is malware hidden in something that you have downloaded, or have received by e-mail. You think it’s something useful – an application or a file – but when you open it, even though it might seem to do something useful, it actually installs malware. Many Trojan horses use “social engineering” to trick users into opening them. This was the case with the earliest version of the Flashback malware, which Intego discovered in September, 2011. At the time, Flashback masqueraded as a Flash Player installer. A later variant also pretended to be changed tactics to infect Macs by pretending to be Apple’s Software Update tool.

But recent versions of Flashback – the name has remained the same because the underlying malware code is similar – have been using Java vulnerabilities to infect Macs.

The difference between these two methods is important. In the first method, users are tricked into launching something which then infects their Macs. In the second, a “drive-by download” takes advantage of a vulnerability to install, in many cases, without users being aware that anything has happened. (And the actual malware that is installed is called a “backdoor,” because it opens ports on an infected computer enabling remote users to access those computers and the data they contain.)

Drive-by downloads occur when users visit poisoned web sites. In many cases, it’s not even the web sites themselves that are tainted; it could be ads or videos that are embedded in web pages on these sites that serve the malware.

So, malware – in this case a backdoor – is the payload; that’s the nasty stuff that cyber-criminals want to get on your Mac. Trojan horses and drive-by downloads are delivery methods; that’s how the bad guys get the nasty stuff on your Macs.

Users need to know not to open files they get unexpectedly by e-mail, and not to launch applications that they find in their Downloads folder without them having downloaded them. But other than not using the web, the only way to protect against drive-by downloads is to use Mac antivirus software, such as Intego VirusBarrier X6, to ensure that no nasty files get onto your Mac.