New Flashback Variant Changes Tack to Infect Macs

Posted on March 7th, 2012 by

Intego has discovered a new variant of the Flashback malware, Flashback.N, which has been changed since our blog post showing how Flashback used Twitter as a command and control center. This new variant changes the files it installs and their location: the files we specified in our blog post of February 23 are no longer used. In addition, it uses a different social engineering trick if it fails to install itself via the Java vulnerabilities that we mentioned in that blog post.

The new version of the Flashback malware installs after Mac users visit infected web sites. In Intego's tests, the installation procedure was somewhat odd: the web sites display a spinning gear for some time before finally displaying a password request dialog pretending to be from Software Update, Apple's tool for downloading and installing software.

Flashback forces Safari to quit, installs a file at /tmp/Software Update, then installs two invisible files in Safari's resources, taking advantage of the root rights it obtained when the user entered his or her administrator's password.

Next, Flashback injects code into Safari when the browser is launched. The .COAAShipPlotter.png file is the malware, and the .COAAShipPlotter.xsl file is what injects the code into Safari, in conjunction with Safari's info.plist file, which has been modified.

After this, the malware performs the same operations as previously, sniffing network traffic in search of user names and passwords. Note that these file names may change.
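A defender-side check for the indicators described above (hidden files in Safari's Resources folder, a modified Info.plist, and the /tmp/Software Update dropper), written as an added example for this post and not Intego's own tooling. It assumes that Apple ships no dot-prefixed files in Safari.app/Contents/Resources and that the administrator recorded a SHA-256 of the clean Info.plist beforehand; the demo runs against a constructed directory layout rather than the real /Applications path, and deliberately flags any hidden file rather than the two names seen so far, since the post warns those names change.

```python
import hashlib
import tempfile
from pathlib import Path

# Names seen in the Flashback.N samples described in the post. The scan does
# not key on them, because the file names are known to change between variants.
SAMPLE_NAMES = [".COAAShipPlotter.png", ".COAAShipPlotter.xsl"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_safari(resources_dir: Path, info_plist: Path, tmp_dir: Path,
                known_good_plist_sha256: str = "") -> list:
    """Return findings for the three indicators the post describes; an empty
    list means none matched. known_good_plist_sha256 is a hash the admin took
    from a clean Safari install (assumption: such a baseline exists)."""
    findings = []
    # 1. Finder-invisible (dot-prefixed) files in Resources. Assumption: Apple
    #    ships none there, so any present is suspect regardless of its name.
    for entry in sorted(resources_dir.iterdir()):
        if entry.name.startswith("."):
            findings.append(f"hidden file in Resources: {entry.name}")
    # 2. Info.plist compared with the recorded clean hash (skipped if none given).
    if known_good_plist_sha256 and info_plist.is_file():
        if sha256_of(info_plist) != known_good_plist_sha256:
            findings.append("Info.plist differs from known-good hash")
    # 3. The dropper path named in the post.
    dropper = tmp_dir / "Software Update"
    if dropper.exists():
        findings.append(f"dropper present: {dropper}")
    return findings


def demo() -> list:
    """Build a constructed, infected-looking layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        res = root / "Safari.app" / "Contents" / "Resources"
        res.mkdir(parents=True)
        (res / "Safari.icns").write_bytes(b"icon")  # benign, visible file
        for name in SAMPLE_NAMES:
            (res / name).write_bytes(b"constructed payload")
        plist = root / "Safari.app" / "Contents" / "Info.plist"
        plist.write_text("<plist/>\n")
        clean_hash = sha256_of(plist)  # baseline taken "before infection"
        plist.write_text("<plist><!-- constructed tampering --></plist>\n")
        tmp = root / "tmp"
        tmp.mkdir()
        (tmp / "Software Update").write_bytes(b"constructed dropper")
        return scan_safari(res, plist, tmp, clean_hash)
```

On a real Mac the same function would be called with /Applications/Safari.app/Contents/Resources, the bundle's Info.plist and /tmp.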

In addition, it is now clear that the Flashback malware has been created by the same people who were behind the Mac Defender fake antivirus, which infected many Mac users beginning in May 2011.

Websense Security Labs published a blog post pointing out that tens of thousands of WordPress blogs were infected by code that redirected them to web sites serving fake antiviruses, including Mac Defender. Sucuri Security narrowed this down to a plugin called ToolsPack, which installs a backdoor on servers where it is installed. But David Dede of Sucuri Security said, "Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks."

Intego has examined some of the WordPress blogs infected with this code and found that they redirect Mac users to sites that serve the Flashback malware. It is important that people running WordPress sites ensure that their installation is up to date, that they have secure passwords, and that they especially don't use this ToolsPack plugin.

Regarding this new variant of the Flashback malware, it is important to make sure to only enter passwords when you have performed an action that would require one. Using Software Update is a bit sneaky, because if you have Software Update set to check for updates automatically, it may unexpectedly display a dialog when it has found new updates, but the dialog it presents is different, and looks like this:

After you click on Install, you may see a password request, depending on the type of update being installed.

Intego VirusBarrier X6 with current malware definitions protects against this new version of the Flashback malware; Intego did not need to update its malware definitions to detect this new variant.

  • alvarnell

    Are these the only two files installed or does it install some or all of the other three, previously identified?

    • Intego

      In the samples we have so far, it is only the two files we mentioned, and none of the previous files are present. However, in previous samples, we saw different file names, so there’s no reason to not assume that other file names will be used. The people behind this malware are working quickly to try and stay ahead of us.

  • Nick Reilingh

    Can you make any comments as to what kinds of sites have been seen serving this malware? Like, are WordPress blogs infected, are most of them non-US-based sites, etc?

    • Intego

      The articles we link to mention a vast number of WordPress sites, mostly in the US (but you generally don’t know where a site is hosted when you visit it). These sites then redirect users to other sites; the ones we have seen are in Russia, but look like well-known sites hosted in the US.

  • bubblelux

    so how do I know if I'm infected, and what do I do if I am?

  • n00bs@uc3

    How is Flashback connected to the Mac Defender campaign?

    • Intego

      There are a number of details that we cannot share, regarding servers and other elements, that suggest that there is a link.

  • jacquesdaspy

    Sad! Remember how Steve Jobs was belittled and condemned by so many because he absolutely declined to let Flash Player in to the iPhone and iPad. Gee whizz? What do they call someone that can see the future?