Further Information About the Flashback.G Malware

Posted on February 27th, 2012 by

We would like to offer a bit more information about the Flashback.G malware, which we reported on last week. It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention. If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won't have to launch any other software to allow the installation to take place.

While we're still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac then downloads more code from a remote server, and deletes the original. What we see here is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications.

  • alvarnell

    Do we know yet what triggers the Java applet to be initiated (assuming it’s a web page and a clickable link, what does it purport to do)?

    Which applications (beside Safari and Skype) are being infected and where is the code being inserted?

    • Intego

      It doesn’t have to be a clickable link; it only has to be a Java applet on a web page that is set to load with the page.

      So far, we are seeing network apps with injected code: essentially web browsers and Skype.

  • andreasauwaerter

    Hi! Alerted by the information I became aware of via #heise, I have observed those phenomena you described before. a) Unasked-for Flash installers as well as certificate requests:
    “Um „CS4ServiceManager“ starten zu können, benötigen Sie eine Java-Runtime. Möchten Sie eine Version jetzt installieren?” [“To start „CS4ServiceManager“, you need a Java runtime. Would you like to install a version now?”]

  • alvarnell

    Is the fake certificate dialog an image or an actual OS X dialog box showing a fake certificate? I am also wondering if it is normal for the Continue button to be the default in situations like this.

    • Intego

      It’s the standard dialog that displays when the certificate is not valid. You can see this from time to time in Safari if you visit a website whose SSL certificate is out of date.

  • jj1313

    Does running VirusBarrier detect the presence of Flashback? I bought a new iMac and transferred data from the old one before thinking to install VirusBarrier.

    • Intego

      VirusBarrier X6 detects all variants of Flashback. Make sure to do a full scan of your new Mac.