
More About the Flashback Trojan Horse

Posted on September 27th, 2011 by

Intego's security researchers have been examining the code of this new Trojan horse, which we announced yesterday. They have found some interesting elements in the code.

First, the code itself is quite sophisticated. The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. The backdoor uses the infected Mac's hardware UUID (a unique identifier) as a user agent, and to identify specific computers. It also sends information about the infected Mac, such as which version of Mac OS X, which architecture (Intel or PowerPC), and more.

The encryption key used is an MD5 hash of the infected Mac's UUID. This means that the encryption key is different for each Mac, but it also means the key can be regenerated at any time from the UUID, so the backdoor never has to store it.

The backdoor is able to download further software, but, for now, we are not seeing this activity. It is also able to update itself: it computes an SHA-1 hash of the installed malware and compares it with the hash of the version on the server. If the two SHA-1 hashes differ, an update is necessary.
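As an added illustration (not Intego's code and not the malware's), the Python sketch below shows how an analyst who knows an infected Mac's hardware UUID can reproduce the key derivation described above to decrypt captured traffic, and how the SHA-1 update check decides whether the server's copy differs from the installed one. The UUID formatting and the use of the raw 16-byte MD5 digest as the RC4 key are assumptions; the article does not specify them.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(hardware_uuid: str) -> bytes:
    """Per-host key as described: MD5 of the Mac's hardware UUID.

    Assumption: the UUID string is hashed as ASCII and the raw
    16-byte digest (not its hex form) is used as the RC4 key.
    """
    return hashlib.md5(hardware_uuid.encode("ascii")).digest()


def decrypt_beacon(hardware_uuid: str, ciphertext: bytes) -> bytes:
    """Decrypt captured backdoor traffic for a host with a known UUID."""
    return rc4(derive_key(hardware_uuid), ciphertext)


def update_needed(installed_sample: bytes, server_sha1_hex: str) -> bool:
    """Mirror of the self-update check: differing SHA-1 means 'update'."""
    local = hashlib.sha1(installed_sample).hexdigest()
    return local.lower() != server_sha1_hex.lower()


if __name__ == "__main__":
    # Constructed sample values, not real indicators.
    uuid = "00000000-0000-1000-8000-0123456789AB"
    beacon = b"os=10.6.8;arch=i386"
    wire = rc4(derive_key(uuid), beacon)   # what would cross the network
    print(decrypt_beacon(uuid, wire))      # recovers the beacon
    print(update_needed(b"local-binary", hashlib.sha1(b"local-binary").hexdigest()))
```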

  • Anonymous

    I am infected with this, how can I remove it successfully?

    • Ambrose Carracho

      First, go to your home preferences folder. To do that, hold down the shift and command keys on your keyboard and tap the letter G. (The command key is the one with the picture of an Apple on it.) 

      In the dialog box which appears after typing the command-shift-G combination, type in Library/Preferences and press return.

      Now that you’re in the Library/Preferences folder, look for a file called Preferences.dylib. When you find it, put it into the Trash and empty the Trash. If you don’t find it, you weren’t really infected.

      A file with the name Preferences.dylib should not exist anywhere on a normal Mac OS, so don’t be afraid of throwing out something important.

      • Anonymous

        Thanks for this response. From what I understand it injects code into other applications. Will deleting this file render any previous code injection harmless or do I have to worry about applications I may have opened while infected?

      • Anonymous

        I’ve put the Preferences.dylib file into the Trash, but can’t empty the Trash because it says the file is in use. Suggestions? Also, are there any other files I need to delete to get rid of this thing? Thanks.

  • Herman Couwenbergh

    I’ve deleted the ~/Library/Preferences/Preferences.dylib file, but now my Mac won’t start again?
    It starts but ends with a blue screen, no jokes please, help!

    • Arlen Carlson

      There are actually a total of 5 files to delete. If you go over to http://discussions.apple.com and search for “Flashback Trojan” you will find the thread that talks about this. Intego was helpful in pointing me to delete 3 of these 5 files…all before I’d even stumbled across the posts on Apple’s site.

      This is quite a bit easier to achieve if you have other login accounts on your machine and are not auto-logging-in to the infected account.
