Flashback Is Not a Trojan Horse; What Is It?

Posted on April 6th, 2012

The Flashback malware, which may have infected more than a half-million Macs already, has been getting a lot of attention in the press. But many media outlets are calling it the "Flashback Trojan," or even a "Trojan virus." Is it correct to use these terms?

Well, Flashback is not a Trojan horse. (It is also not a virus, nor a "Trojan virus," as some media are saying.) The distinction may seem unimportant if you have already been infected by this malware, but it is useful to know, because the two ways this malware has been delivered call for different defenses.

A Trojan horse is malware hidden inside something you have downloaded or received by e-mail. You think it is something useful, an application or a file, but when you open it, even though it may seem to do something useful, it actually installs malware. Many Trojan horses use "social engineering" to trick users into opening them. This was the case with the earliest version of the Flashback malware, which Intego discovered in September 2011: at the time, Flashback masqueraded as a Flash Player installer. A later variant changed tactics, infecting Macs by pretending to be Apple's Software Update tool.

But recent versions of Flashback - the name has remained the same because the underlying malware code is similar - have been using Java vulnerabilities to infect Macs.

The difference between these two methods is important. In the first, users are tricked into launching something which then infects their Macs. In the second, a "drive-by download" takes advantage of a vulnerability to install the malware, usually without the user being aware that anything has happened. (The malware that actually gets installed is called a "backdoor," because it gives remote attackers covert access to the infected computer and the data it contains.)

Drive-by downloads occur when users visit compromised or malicious web sites. In many cases, it is not even the web site itself that is tainted: the malware may be served by ads or videos embedded in pages on the site.

So, malware, in this case a backdoor, is the payload; that's the nasty stuff that cyber-criminals want to get onto your Mac. Trojan horses and drive-by downloads are delivery methods; that's how the bad guys get the nasty stuff onto your Mac.

Users need to know not to open files they receive unexpectedly by e-mail, and not to launch applications that appear in their Downloads folder that they do not remember downloading. Drive-by downloads are harder to guard against by good habits alone, since the user never deliberately opens anything. Because the recent Flashback variants exploit Java vulnerabilities, the most effective protections are to keep Java up to date and to disable Java in the browser if you do not need it; Mac antivirus software, such as Intego VirusBarrier X6, adds a further layer by detecting the backdoor itself if it does land on your Mac.

  • Walt French

    Or, much simpler: turn off Safari’s ability to invoke Java. In your browser:

    Safari menu | Preferences | Security | Uncheck “Enable Java.”

    This is very likely the default setting, though it’s been so long I can’t remember. Or perhaps, it only became that way recently. (Apple’s latest OS version doesn’t even include Java; you have to seek it out. As I have done, since I have one key application written with it.)

  • Topher Kessler

    It morphed into a drive-by-download from an actual trojan that was initially distributed as a Flash player installer, so the initial name kinda stuck; however, it is definitely incorrect to call the latest variants “trojans.”

  • skyracer_1

    Perhaps this is the AV wake-up call for Mac users. We love our Macs and we should protect them. I have been running VirusBarrier for 15 months now and all I can say is it's fab, does not use much resource and just does its thing in the background to keep my Mac protected. I also have the iOS version, which I would like to see having the auto-protect feature as well please. Keep up the good work, Intego.