
Tweaked Trojan Disables Automatic Updating of OS X Anti-Malware Tools




MacRumors
Oct 19, 2011, 10:13 AM


Last month, we noted as part of a report on an update to the anti-malware tools in OS X that a new trojan horse threat known as Flashback.A had surfaced, with the malware masquerading as a Flash Player installer. While Apple has continued to update its XProtect.plist to detect Flashback.A, security firm F-Secure now reports (http://www.f-secure.com/weblog/archives/00002256.html) (via ZDNet (http://www.zdnet.com/blog/security/new-mac-os-x-malware-disables-apples-malware-protection/9665)) that a revised version of the trojan which disables the auto-updating feature of Apple's anti-malware tools has appeared.

There's something new brewing in Mac malware development (again).

Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application.

The report walks through how the modified trojan overwrites XProtectUpdater files, preventing infected systems from performing their daily check for updated malware definitions and thus keeping the door open for future attacks.

[Image: Flashback.C installer]
The Flashback.C trojan is capable of connecting to a remote host in order to download and execute further code, but it is unclear what the exploit is being used for at this time. Users are of course advised to download Flash Player and other software from trusted sources so as to avoid infecting their systems with trojans such as Flashback.C.

Update: MacRumors has heard and Sophos has confirmed (http://nakedsecurity.sophos.com/2011/10/19/mac-malware-evolves-apple/) that Apple had already updated its XProtect.plist entries to detect Flashback.C by the time news of it broke to the public. Consequently, users encountering the malware on Mac OS X Snow Leopard or OS X Lion should be automatically warned of the threat prior to mounting the package.

Article Link: Tweaked Trojan Disables Automatic Updating of OS X Anti-Malware Tools (http://www.macrumors.com/2011/10/19/tweaked-trojan-disables-automatic-updating-of-os-x-anti-malware-tools/)



MultiMediaWill
Oct 19, 2011, 10:16 AM
i tH0uGh7 m4c d0Nt g3T v1rus

Unggoy Murderer
Oct 19, 2011, 10:19 AM
i tH0uGh7 m4c d0Nt g3T v1rus

They don't, this is a Trojan. Big difference :rolleyes:

Aduntu
Oct 19, 2011, 10:21 AM
They don't, this is a Trojan. Big difference :rolleyes:

Your sarcasm meter is obviously broken.

jmpnop
Oct 19, 2011, 10:21 AM
i tH0uGh7 m4c d0Nt g3T v1rus

tRoj4n is n0t v1rus.

Sacird
Oct 19, 2011, 10:21 AM
OH noes!!!

bender o
Oct 19, 2011, 10:21 AM
Damn you Flash!! When are you gonna go extinct!! you suck!!

daxomni
Oct 19, 2011, 10:21 AM
i tH0uGh7 m4c d0Nt g3T v1rus
The Reality Distortion Field that previously protected all Macs from all attacks appears to have dissipated.

iStudentUK
Oct 19, 2011, 10:22 AM
Quick everyone download MacDefender!


(My team of lawyers require me to note that I'm not actually suggesting anyone download MacDefender.)

roadbloc
Oct 19, 2011, 10:22 AM
It's happening more and more.

RoboCop001
Oct 19, 2011, 10:23 AM
I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive? :mad:

igazza
Oct 19, 2011, 10:24 AM
iOS is the future :)

Mad-B-One
Oct 19, 2011, 10:25 AM
The Reality Distortion Field that previously protected all Macs from all attacks appears to have dissipated.

It changed size and is only hovering over iOS at this time.

Quick everyone download MacDefender!


(My team of lawyers require me to note that I'm not actually suggesting anyone download MacDefender.)

Would be a solution. Two Trojan horses fighting each other. Maybe they block each other then? Someone please try that in a VM :D

CodeBreaker
Oct 19, 2011, 10:25 AM
So have they managed to scare anyone?

Sacird
Oct 19, 2011, 10:25 AM
I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive? :mad:

I'm actually with ya on that. I feel so bad when anyone on any platform has to deal with this crap. Lock as many up as possible and throw em in camps. Put em on a PPV where they are tortured like in Hostel, they'll learn sooner or later.

Not actually serious about torture and stuff to be clear.

ndpitch
Oct 19, 2011, 10:25 AM
Looks like this could be a leadup into needing anti-virus/anti-malware/anti-spyware on the Mac.

hobo.hopkins
Oct 19, 2011, 10:25 AM
I foresee this discussion degrading very quickly...

In reality all one needs to do is be cautious of where they are downloading files, and this wouldn't be a problem.

tubular
Oct 19, 2011, 10:26 AM
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

Shrink
Oct 19, 2011, 10:27 AM
i tH0uGh7 m4c d0Nt g3T v1rus

Oh, god, here we go again with the virus vs malware vs trojan vs etc., etc.

Malware is a generic category (malicious software). Viruses, trojans, spyware and all other crap that f***ks with your computer are malware.

Macs have never been infected by a virus up to this date. Yes, it is possible sometime in the future a virus could be developed that will infect a Mac. Nothing to this date!

Trojan is NOT a virus - it is a form of malware. Unlike a virus which can infect a computer without action on the part of the user, trojans have to be invited in. In short - the user has to screw up.

The best defense is an educated user.

(GGJstudios - How did I do?? :D :p:p)

stage1
Oct 19, 2011, 10:28 AM
CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

Memo86
Oct 19, 2011, 10:28 AM
Well... I was a PC user in the XP era and I didn't get any virus (and there are thousands of Windows viruses, right?) so, I think that it is REALLY HARD to get your Mac infected. Who would download Flash from any site other than Adobe.com? :confused:

igazza
Oct 19, 2011, 10:29 AM
Best idea is to use chrome as your browser :)

RoboCop001
Oct 19, 2011, 10:30 AM
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

I can't completely give you those answers but one way is Time Machine. If you're infected or fear that you are infected just restore your whole HD to a previous state.

Memo86
Oct 19, 2011, 10:30 AM
CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

If you downloaded from Adobe Updater or from Adobe.com i'm sure you're safe... if you downloaded from some pr0n site or crappy page maybe you're in trouble... :P

Unggoy Murderer
Oct 19, 2011, 10:30 AM
Your sarcasm meter is obviously broken.
No, not really. Functioning perfectly fine the last time I checked.

Exhale
Oct 19, 2011, 10:31 AM
It won't really affect the current Macs IMO. If someone wanted to do harm to the OS then they would have by now. There are a lot of smart people out there who could program a Trojan which did a lot more than just this.
It's a typical botnet from the looks of things; it listens for commands from a remote server. Only the creator knows what those commands would be. Trojans like this are normally the actual infector. The payload is typically delivered via separate programs that these trojans in turn are triggered to download. That payload could easily be something that steals & encrypts your personal files, demanding a ransom for its return.

Of course it could be programmed to cause a lot of damage on its own - but malware writers have not really been interested in that for a good decade now. The most important thing is to deliver an infector, and only after that actually devise a payload. It gives far more flexibility, and greatly reduces detection rates.

stage1
Oct 19, 2011, 10:31 AM
If you downloaded from Adobe Updater or from Adobe.com i'm sure you're safe... if you downloaded from some pr0n site or crappy page maybe you're in trouble... :P

I was just on yahoo checking the news this morning and an update popped up that said I needed to upgrade :confused:

It looked completely like any other flash upgrade that i've installed previously.
I'm really worried now.

redscull
Oct 19, 2011, 10:32 AM
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

I second these questions. I know I've seen this prompt multiple times recently, though I didn't even realize it was the virus/trojan at the time. I'm pretty sure I hit cancel every time I've seen it, but maybe one time I didn't?

crazy dave
Oct 19, 2011, 10:33 AM
CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

If you downloaded the real Flash update, then you have absolutely nothing to worry about. This is only if you visit a really shady website who tells you to update Flash and instead of actually going to the real Flash's website you download and install the "Flash" version from said shady website. If you did that, then you might have a problem.

acidfast7
Oct 19, 2011, 10:34 AM
How do I prevent this from happening on OS 10.5.8?

crazy dave
Oct 19, 2011, 10:34 AM
I second these questions. I know I've seen this prompt multiple times recently, though I didn't even realize it was the virus/trojan at the time. I'm pretty sure I hit cancel every time I've seen it, but maybe one time I didn't?

Not all such prompts are fakes, just make sure you go to the Flash website to install your updates or that you have the latest version.

stage1
Oct 19, 2011, 10:35 AM
I hope more light is shed on this, I'm worried now :(

Diode
Oct 19, 2011, 10:35 AM
If anything it's a sign that the mac platform is becoming large enough to warrant people writing viruses for it.

So there's that....

redscull
Oct 19, 2011, 10:36 AM
Not all such prompts are fakes, just make sure you go to the Flash website to install your updates or that you have the latest version.

I realize this, but how can people double-check since it's now in the past that this did or did not happen? I have Time Machine active, but that's not very helpful if I don't know how far I need to go back because I don't know how to identify the infection.

CodeBreaker
Oct 19, 2011, 10:36 AM
I second these questions. I know I've seen this prompt multiple times recently, though I didn't even realize it was the virus/trojan at the time. I'm pretty sure I hit cancel every time I've seen it, but maybe one time I didn't?

This link may help : http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
But this version of the trojan wipes out the XProtectUpdater. A combo update may reinstall it.

crazy dave
Oct 19, 2011, 10:36 AM
I was just on yahoo checking the news this morning and an update popped up that said I needed to upgrade :confused:

It looked completely like any other flash upgrade that i've installed previously.
I'm really worried now.

Yahoo is almost certainly fine. I wouldn't get too worried about it.

Drunken Master
Oct 19, 2011, 10:38 AM
I'm actually with ya on that. I feel so bad when anyone on any platform has to deal with this crap. Lock as many up as possible and throw em in camps. Put em on a PPV where they are tortured like in Hostel, they'll learn sooner or later.

Not actually serious about torture and stuff to be clear.

Nah, they should probably beat each other to within an inch of their lives with their bare hands. I'd pay $44.95 to see that.

tubular
Oct 19, 2011, 10:39 AM
If I take a look at my com.apple.xprotectupdater.plist, and it hasn't been blanked out, as the F-secure writeup says the Trojan does, then I'm assuming that things are okay.

(Damn you, crafty Ulysses, and your wily schemes.)

Versus
Oct 19, 2011, 10:42 AM
Wow. This reminds me of what would happen if LA suddenly got hit with a blizzard. Everyone would be scurrying around looking for a jacket and shovel. ;)

Seriously though, while I carry an iPhone, I am a PC in real life. It is with heavy heart that I welcome you to our world. It sucks.

Again not being familiar with Macs and OSX, I would always suggest to anyone with any kind of malware to reformat. That's what I do. It's a pain in the ass, but it's infinitely better than spending three days on an AV forum having them instruct you to download 14 different programs that perform 100 different scans and then post the logs to eventually tell you you're "clean". Peace of mind is worth a lost weekend, in my opinion.

Marcush1286
Oct 19, 2011, 10:42 AM
i tH0uGh7 m4c d0Nt g3T v1rus

Only PowerPC Macs are IMMUNE.. It's since Apple opened up to INTEL that we are now getting viruses and malware.

Sacird
Oct 19, 2011, 10:45 AM
Nah, they should probably beat each other to within an inch of their lives with their bare hands. I'd pay $44.95 to see that.

Hell I do own a Mac, I'd pay $89.99. ;)

crazy dave
Oct 19, 2011, 10:45 AM
I realize this, but how can people double-check since it's now in the past that this did or did not happen? I have Time Machine active, but that's not very helpful if I don't know how far I need to go back because I don't know how to identify the infection.

If you've kept your security updates up-to-date you should be fine. Previously Apple's security updates I think have been pretty good about getting rid of this thing. This is a brand new one that stops your computer from getting updates. As tubular noted, if you're infected by the brand new one (very unlikely) your com.apple.xprotectupdater.plist will be blanked out.

bjett92
Oct 19, 2011, 10:45 AM
Wow. This reminds me of what would happen if LA suddenly got hit with a blizzard. Everyone would be scurrying around looking for a jacket and shovel. ;)

Seriously though, while I carry an iPhone, I am a PC in real life. It is with heavy heart that I welcome you to our world. It sucks.

Macs are nowhere near the PC world when it comes to malware. PCs have viruses, Macs do not. This won't even be a problem to an educated user.

Jerome Morrow
Oct 19, 2011, 10:48 AM
Some douche bag goes out to piss in the wind and suddenly everyone is afraid.

Detrius
Oct 19, 2011, 10:48 AM
If you downloaded the real Flash update, then you have absolutely nothing to worry about. This is only if you visit a really shady website who tells you to update Flash and instead of actually going to the real Flash's website you download and install the "Flash" version from said shady website. If you did that, then you might have a problem.

That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.

bpaluzzi
Oct 19, 2011, 10:51 AM
If anything it's a sign that the mac platform is becoming large enough to warrant people writing viruses for it.

So there's that....

Only PowerPC Macs are IMMUNE.. It's since Apple opened up to INTEL that we are now getting viruses and malware.

Both of these posts are laughably uninformed.

The Mac's resistance to viruses has nothing to do with market share, nor did it have to do with the PowerPC architecture.

There still has never been a virus reported on OS X. Not likely to change any time soon. And that would be the case if Apple had 99% of the PC market.

Saphire
Oct 19, 2011, 10:51 AM
Is purchasing a good virus checker any use or are they all a waste of money?

Therbo
Oct 19, 2011, 10:51 AM
Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3)

Mac OS X's built-in UNIX permissions prevent a virus from going further than your home folder, unless you give it your password and you have sudo (aka an Administrator).

Unless of course they found an exploit in the UNIX permission system, then the world is screwed.

This is a Trojan; the installer actually has to ask for your password since the XProtect file is owned by root, so you yourself don't have access to it, and neither does the program since it's run by you, unless you give it your password and you're an administrator.

This is why an educated user will never need an anti-virus on OS X/Linux/BSD etc, because the anti-virus couldn't do more than what you can do.

Jerome Morrow
Oct 19, 2011, 10:52 AM
Is purchasing a good virus checker any use or are they all a waste of money?

Waste of time and money.

Four oF NINE
Oct 19, 2011, 10:52 AM
I hope more light is shed on this, I'm worried now :(

Do you have an Apple computer? Dude! You probably have nothing at all to worry about, especially from Adobe! Relax and cheer up! :)

LastLine
Oct 19, 2011, 10:53 AM
Best idea is to use chrome as your browser :)

Agreed - or to accept Flash needs to die ;-) Roll in new standards.

Surreal
Oct 19, 2011, 10:53 AM
That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.

You can still go download yourself.

crazy dave
Oct 19, 2011, 10:54 AM
That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.

It checks for updates automatically when one is browsing the web, but doesn't download them automatically - you still have to hit an agree button, so he may have gotten the message from Flash while on Yahoo, but it had nothing to do with being on Yahoo. I actually have my preferences set to only check for updates when I tell it to, but I probably should make it more automatic.

Versus
Oct 19, 2011, 10:54 AM
Macs are nowhere near the PC world when it comes to malware. PCs have viruses, Macs do not. This won't even be a problem to an educated user.

Oh, that's good. As I said, I may not be a Mac user, but I appreciate all their strengths. Last week I got a nice little trojan dropper from a "respectable" website and was happy to have a secure OS device on hand to pay some bills and use the web until I could reformat.

phillipduran
Oct 19, 2011, 10:54 AM
I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive? :mad:

It's easy money for the corrupt. They will get caught eventually.

Darth.Titan
Oct 19, 2011, 10:55 AM
Only PowerPC Macs are IMMUNE.. It's since Apple opened up to INTEL that we are now getting viruses and malware.

That statement is wrong in so many ways I don't even know where to start. :rolleyes:

Oh well, I'm sure someone else will be along soon to point out the multiple inaccuracies of your post.

shamino
Oct 19, 2011, 10:56 AM
It's disturbing that, after decades of malware, people will still consider installing software from untrusted sources. Especially when the software is a free download.

Macs have never been infected by a virus up to this date. Yes, it is possible sometime in the future a virus could be developed that will infect a Mac. Nothing to this date!

More accurately, Mac OS X has never been infected by a virus up to this date. There have been viruses for the classic Mac platform, although most are very old and not likely to be in the wild, and wouldn't work on a modern Mac even if you downloaded it.

CRAP!! I downloaded a flash update today on my macbook! What should I do help!! I'm not joking.

Where did you download it from? The official source is from Adobe: http://get.adobe.com/flashplayer/. You shouldn't consider installing a copy downloaded from anywhere else.

GarageRock
Oct 19, 2011, 10:57 AM
Took me a few years as a PC guy to actually install an anti-virus....when I did, I rarely got hit!! When I made the switch to the Mac (3 yrs ago), I didn't bother with an antivirus but now I have Nod32 installed which is by far the best antivirus around, and it's installed to protect myself *just in case* and also, I'll download PC files on my Mac, scan them, then transfer to the PC.

With that said, I'd like to say Hi, finally joined after reading this forum for the last 2 years!!

Santabean2000
Oct 19, 2011, 10:58 AM
Both of these posts are laughably uninformed.

The Mac's resistance to viruses has nothing to do with market share, nor did it have to do with the PowerPC architecture.

There still has never been a virus reported on OS X. Not likely to change any time soon. And that would be the case if Apple had 99% of the PC market.

The irony. Love the self-assured arrogance though, very becoming...:rolleyes:

KnightWRX
Oct 19, 2011, 10:58 AM
Is purchasing a good virus checker any use or are they all a waste of money?

Considering there is yet to be an OS X virus...

Trojans are simple to defend against, guys: Don't be gullible.

Lock
Oct 19, 2011, 10:58 AM
That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.

+1. It makes life much simpler.

KnightWRX
Oct 19, 2011, 10:58 AM
The irony. Love the self-assured arrogance though, very becoming...:rolleyes:

What irony? The guy is basically right, both those posts were grossly misinformed.

HiDEF
Oct 19, 2011, 10:59 AM
so Adobe Flash updates will never ask for your PW?

KnightWRX
Oct 19, 2011, 11:00 AM
Agreed - or to accept Flash needs to die ;-) Roll in new standards.

What does Flash needing to die have to do with this? This thing could pose as a Silverlight or iTunes or QuickTime or any other kind of update. They just happened to pick Flash.

Versus
Oct 19, 2011, 11:00 AM
It's easy money for the corrupt. They will get caught eventually.

And it's easier money for the people that make AV software. In fact, some could say that those are the people responsible for the malware to begin with. The best way to sell a product that detects something is to make sure there's plenty of things to detect, right?

You ever see the movie The Frighteners? Michael J Fox = AV Software developer. Ghosts = Virus. Works out nicely. ;)

mpb2000
Oct 19, 2011, 11:01 AM
What is the name of the installer for this thing? Is the actual file name the same as what you would download from adobe? If not, if you still have the installer, you can check that.

Therbo
Oct 19, 2011, 11:01 AM
so Adobe Flash updates will never ask for your PW?

Actually they need to; they install to a system library, which you don't own.

So an administrator will have to give the program temporary root privs so it can update the files, hence why it asks for your password.

markgodley
Oct 19, 2011, 11:02 AM
i remember having the 666 infection on one of my old machines (performa 6400/200).. wasn't that a virus?

Mr. McMac
Oct 19, 2011, 11:02 AM
iOS is the future :)

I hope not

Vegasman
Oct 19, 2011, 11:02 AM
How do I prevent this from happening on OS 10.5.8?

Windows 7? :p

KnightWRX
Oct 19, 2011, 11:04 AM
I hope not

Not to mention iOS isn't immune to this stuff either. What do you think the jailbreakme.com guy was using? A security flaw that would have allowed any kind of malware to get through, not just jailbreaking tools.

benji888
Oct 19, 2011, 11:06 AM
If you downloaded the real Flash update, then you have absolutely nothing to worry about. This is only if you visit a really shady website who tells you to update Flash and instead of actually going to the real Flash's website you download and install the "Flash" version from said shady website. If you did that, then you might have a problem.

I updated flash days ago, I can't remember what all it looked like, but, I am noticing my computer seems to be slower, wondering what I actually downloaded as the pic shown looks the same as what it would look like from adobe. ...and I just cleaned up my downloads folder.

So, this article is a little confusing, so, how do I know what I actually installed?? ...did adobe just release an update? (of course they did, this is what they use to trick people).

ugh.

another reason to hate flash? ...I wish we could ban flash from the internet! ...that slothful memory hog!:mad:

xizar
Oct 19, 2011, 11:08 AM
This link may help : http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml
But this version of the trojan wipes out the XProtectUpdater. A combo update may reinstall it.

I apologize if this seems overly specious, but what does "wipe out" mean? Delete? Replace with an empty text file? Replace with a text file that looks right but isn't?

I realize that the web page to which you refer uses the same phrase.

I also downloaded an update while using Chrome and currently have the following for my xprotectupdater:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StartInterval</key>
    <integer>86400</integer>
    <key>Label</key>
    <string>com.apple.xprotectupdater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/XProtectUpdater</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Is that what's supposed to be there?

(To avoid recriminations of "lol n00b y u flash bro chr0m iz al u ned!", I have found that Steam requires a separate install of Flash to display things, so plz don't taze me, bro.)

tirerim
Oct 19, 2011, 11:09 AM
What irony? The guy is basically right, both those posts were grossly misinformed.

Yes, they were, but that still doesn't make Macs invulnerable. All it takes is a good privilege escalation attack (which are certainly not unheard of on *nix-based OSes), and then for someone to automate it.

Therbo
Oct 19, 2011, 11:09 AM
iOS is the future :)

I hope not

If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

Jbaffoh
Oct 19, 2011, 11:11 AM
Well, I received a Flash updater popup yesterday, and installed it. It was legitimate. Adobe released a new update, which is what I received.

I checked for the suspect entries in the info.plist, and they're not there. The XProtectUpdater is intact, and dated 10/12, when I updated to 10.7.2.

Jerome Morrow
Oct 19, 2011, 11:12 AM
Yes, they were, but that still doesn't make Macs invulnerable. All it takes is a good privilege escalation attack (which are certainly not unheard of on *nix-based OSes), and then for someone to automate it.

It's been like that for ten years.

Therbo
Oct 19, 2011, 11:15 AM
Although *NIX OSs certainly have fewer known exploits.

Windows has what, 1,000s that still haven't been patched.

Mr. McMac
Oct 19, 2011, 11:15 AM
If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

And a bunch of us normal mac users as well, including me..

tubular
Oct 19, 2011, 11:18 AM
I apologize if this seems overly specious, but what does "wipe out" mean? Delete? Replace with an empty text file?

The disassembly notes say that it overwrites your plist file with blanks. So yes, what you posted is what you should see for a xprotectupdater.plist.
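As an added example (not code from the thread, F-Secure or Apple), a small checker for the question xizar and tubular work through above: it classifies a com.apple.xprotectupdater.plist as intact, blanked (overwritten with whitespace, as the thread describes), unparseable or modified, using the plist xizar posted as the constructed healthy sample. The launchd file path in DEFAULT_PATH and the set of expected keys are assumptions; check them against your own system.

```python
"""Check whether a com.apple.xprotectupdater.plist has been blanked or altered.

Constructed samples mirror the plist posted in the thread; the live-file path
and the expected-values table are assumptions, not taken from Apple docs.
"""
import plistlib
import sys
from xml.parsers.expat import ExpatError

# Values the thread shows for a healthy launchd job (daily StartInterval,
# RunAtLoad, and the updater binary path). Assumed to be the complete set.
EXPECTED = {
    "Label": "com.apple.xprotectupdater",
    "ProgramArguments": ["/usr/libexec/XProtectUpdater"],
    "StartInterval": 86400,
    "RunAtLoad": True,
}

# Assumed location of the launchd job on a 2011-era OS X install.
DEFAULT_PATH = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"


def xprotect_updater_status(data: bytes) -> str:
    """Classify plist bytes as 'intact', 'blanked', 'unparseable' or 'modified'.

    'blanked' is the condition the thread describes: the file still exists but
    its contents were overwritten with whitespace, so a bare existence check
    (or even a non-zero size check) would not catch it.
    """
    if not data.strip():
        return "blanked"
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return "unparseable"
    if not isinstance(job, dict):
        return "modified"
    # Every expected key must be present with exactly the expected value.
    for key, want in EXPECTED.items():
        if job.get(key) != want:
            return "modified"
    return "intact"


def differences(data: bytes) -> dict:
    """Return {key: actual_value} for each expected key that does not match.

    Lets a responder see what changed (e.g. ProgramArguments pointing at a
    different binary) rather than only a 'modified' verdict.
    """
    try:
        job = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return {k: None for k in EXPECTED}
    if not isinstance(job, dict):
        return {k: None for k in EXPECTED}
    return {k: job.get(k) for k, v in EXPECTED.items() if job.get(k) != v}


def check_file(path: str = DEFAULT_PATH) -> str:
    """Read a plist from disk and classify it; a missing file is 'missing'."""
    try:
        with open(path, "rb") as fh:
            return xprotect_updater_status(fh.read())
    except FileNotFoundError:
        return "missing"


# Constructed sample: the healthy plist as posted in the thread.
HEALTHY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>StartInterval</key>
<integer>86400</integer>
<key>Label</key>
<string>com.apple.xprotectupdater</string>
<key>ProgramArguments</key>
<array>
<string>/usr/libexec/XProtectUpdater</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
"""

# Constructed sample: the file after being overwritten with blanks, the
# outcome the F-Secure analysis quoted in the thread describes.
BLANKED = b" " * len(HEALTHY)

# Constructed sample: same structure but the job points at another binary.
REDIRECTED = HEALTHY.replace(b"/usr/libexec/XProtectUpdater",
                             b"/tmp/not-the-updater")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    print(f"{target}: {check_file(target)}")
    for name, sample in (("healthy", HEALTHY), ("blanked", BLANKED),
                         ("redirected", REDIRECTED)):
        print(f"sample {name}: {xprotect_updater_status(sample)}")
```

Run it with the path to the plist you want to inspect as the first argument; a verdict other than "intact" is worth following up with a reinstall of the updater (the combo update CodeBreaker mentions) rather than a hand edit.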

Jerome Morrow
Oct 19, 2011, 11:22 AM
If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

Oh come on ... it's going to happen, but not only with OS X and iOS, but in general. The problem here is that you look at it as it is today and think it will be some half-assed 'something'. We are going that direction and it will happen.

----------

And a bunch of us normal mac users as well, including me..

Same goes for you as well.

Taz Mangus
Oct 19, 2011, 11:23 AM
Looks like this could be a leadup into needing anti-virus/anti-malware/anti-spyware on the Mac.

It is a cat and mouse game. I suspect Apple will come up with an update to resolve this issue.

Vegasman
Oct 19, 2011, 11:24 AM
It's been like that for ten years.

An additional ingredient missing in the original comment is that it also needs a worthwhile probability of working. And since all these types of attack only work on a very small percentage of the population, you need to have a very large population to make it worthwhile.

The Mac now has a very large population....

mzd
Oct 19, 2011, 11:25 AM
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
http://tracehotnews.com/wp-content/uploads/2011/04/Adobe-flash-player-10.3.jpg

and do not use the standard system installer window like the trojan does:
http://cdn.macrumors.com/article-new/2011/10/flashback_c_installer.jpg

kbmb
Oct 19, 2011, 11:25 AM
Here's a good article about not only what the REAL Flash updater looks like, but also what commands you can run to see if you are infected:

http://reviews.cnet.com/8301-13727_7-20119265-263/latest-adobe-flash-trojan-for-os-x-gets-revised/

Regardless of what the trojan program looks like....it's only a matter of time before they tweak these attacks to look exactly like the official installer. That's the problem. Flash is a pref pane now....and will automatically popup to tell you there is an update.

At this point....you just really can't trust that popup. You have no idea if that popup if from the official install, or somehow popped up from a webpage you are viewing.

The only real safe thing to do is, if you get the popup, official or not, close it. Go to: http://get.adobe.com/flashplayer/ and grab the latest version.

Of course if you are using Chrome, your version is updated automatically. You also can't visit the Get Flash Player page in Chrome, because it will see you are running Chrome, which has it built in. You'll have to use Safari or Firefox.

-Kevin

SockRolid
Oct 19, 2011, 11:25 AM
Yet another reason to hate Flash.

kbmb
Oct 19, 2011, 11:27 AM
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
Image (http://tracehotnews.com/wp-content/uploads/2011/04/Adobe-flash-player-10.3.jpg)

and do not use the standard system installer window like the trojan does:
Image (http://cdn.macrumors.com/article-new/2011/10/flashback_c_installer.jpg)

Right now, that's correct. But it's only a matter of time before they tweak their attack to look like the official one.

-Kevin

----------

Yet another reason to hate Flash.

It's not about Flash. Like someone else said.....on a Mac they could prompt an update for Quicktime or iTunes or iPhoto....and a lot of unsuspecting users will be fooled.

-Kevin

rjohnstone
Oct 19, 2011, 11:28 AM
A legitimate Flash "UPDATE" does not invoke the Installer app, it uses a simple notification box which you can cancel.
http://news.cnet.com/i/tim/2010/09/27/09_28_10_FlashUpdate1.jpg


It will prompt for an administrator password if you choose to run it.

The fake installer uses the Installer routine.
http://ryanspcrepairshop.com/wp-content/uploads/2011/08/fake_flash_mac.jpg

Kflik
Oct 19, 2011, 11:28 AM
SOOOOOO IS THIS IT?




I went back in my recent downloads, found the update that I installed (popped up like any normal update and looked exactly the same). This article had me worried, so when I went back to my downloads folder and saw the update I clicked on it and this message popped up

mzd
Oct 19, 2011, 11:29 AM
Right now, that's correct. But it's only a matter of time before they tweak their attack to look like the official one.

-Kevin
exactly!

Kflik
Oct 19, 2011, 11:31 AM
Well I had the above notification and I moved it to the trash. What I'm wondering is why it did not infect anything? My computer is running fine, and how come it let me move it to the trash so simply? Did it never truly install?

The update popped up like any other update from Adobe, I did not type in my password and it did not invoke the installer app, it was just the simple notification box. Any opinions as to why I got this and why it did not harm my computer?

Vegasman
Oct 19, 2011, 11:34 AM
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
Image (http://tracehotnews.com/wp-content/uploads/2011/04/Adobe-flash-player-10.3.jpg)

and do not use the standard system installer window like the trojan does:
Image (http://cdn.macrumors.com/article-new/2011/10/flashback_c_installer.jpg)

Good point. And a lot of people will simply say: "Thank goodness, Adobe is finally using the standard system installer window" and not think anything of it.

Plutonius
Oct 19, 2011, 11:35 AM
Looks like this could be a leadup into needing anti-virus/anti-malware/anti-spyware on the Mac.

Only if you are foolish enough to load in a Trojan.

kbmb
Oct 19, 2011, 11:35 AM
Well I had the above notification and I moved it to the trash. What I'm wondering is why it did not infect anything? My computer is running fine, and how come it let me move it to the trash so simply? Did it never truly install?

The update popped up like any other update from Adobe, I did not type in my password and it did not invoke the installer app, it was just the simple notification box. Any opinions as to why I got this and why it did not harm my computer?

Was that as far as you got? Or did you click Open from that dialog box?

If that's as far as you got, that's Apple's scanner kicking in to tell you not to continue. If you moved it to the trash, then you should be fine.

If you opened it, and ran it....then you might be infected.

-Kevin

*LTD*
Oct 19, 2011, 11:43 AM
Notice, yet again, how this is somehow connected to Flash.

It doesn't have to be, but we keep seeing Flash's involvement. LOL

haravikk
Oct 19, 2011, 11:44 AM
Doesn't anyone realise that Adobe doesn't use the Mac Installer program and instead uses their own half-assed Flex nonsense? :)

Kflik
Oct 19, 2011, 11:46 AM
Was that as far as you got? Or did you click Open from that dialog box?

If that's as far as you got, that's Apple's scanner kicking in to tell you not to continue. If you moved it to the trash, then you should be fine.

If you opened it, and ran it....then you might be infected.

-Kevin

Well did you see my post two posts up from the one you quoted?

I attached a screen shot of what warning I got when I clicked on the update in the downloader.

I did not get the box people are showing a picture of, I got the REGULAR update box people are showing a picture of....looks just like EVERY updater box I've ever gotten.

I did not "run" anything though. I believe I just followed the normal instructions.
BUT IF I did follow normal instructions, it would have installed right? BUT if it installed wouldn't it not allow me to simply bring it up with that warning box and have me move it to the trash like I did???

confused....

nex4k
Oct 19, 2011, 11:47 AM
If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

So true.

They already made a first attempt with Lion and I, counting myself among the PHP devs, still see no reason to update to an OS oversimplified to fit the stupidest of users but not professionals.

Of course they defend Lion because admitting they ran the car into a tree at full speed would be a selfkill but I am certain they got a taste of this development direction's future and won't do that again with 10.8.

Coming back to topic, all the important stuff was told with

Mac OS X built in UNIX permissions prevent a virus from going further than your home folder, unless you give it your password and you have sudo (aka an Administrator)

Unless of course they found an exploit in the unix permission system, then the world is screwed

This is a Trojan, the installer actually has to ask for your password since the XProtect file is owned by root, so you yourself don't have access to it, and neither does the program since it's run by you, unless you give it your password and you're an administrator.

This is why an educated user will never need an anti virus on OS X/Linux/BSD etc, because the anti virus couldn't do more than what you can do
and
Yes, they were, but that still doesn't make Macs invulnerable. All it takes is a good privilege escalation attack (which are certainly not unheard of on *nix-based OSes), and then for someone to automate it.

Macs aren't invulnerable, nor is iOS, this is definitely true, but because of its UNIX base system it is freaking way harder to write some "real" Malware for it, or find a usable exploit for it, that works fully automatically without any action required from the target user.

As with Antivirus Applications, they definitely are a waste of money on a Mac for now.
If you really get to catch a virus on OS X (that still has to be written of course) which you can't knock off yourself by just not entering your admin password stupidly into every window popping up out of nowhere that asks for it, that virus has the same OS privileges as the Antivirus software and could easily deactivate it. This is where you probably need a second HDD with another OS install and some handwork. No Antivirus can help you in such a case.

tl,dr =
Trojans: Users with brains relax, users with no brain shell out money for some Antivirus software
Viruses: Users with brains get a second HDD with another OS install handy, users with no brain find yourself some user with a brain.

Sequin
Oct 19, 2011, 11:53 AM
LOL. As someone that grew up with PCs, trojans and viruses don't scare me. I've never lost a battle to them! BRING IT ON MAC TROJANS.

rocknblogger
Oct 19, 2011, 11:54 AM
Trojans, viruses, keyloggers et al, can all be very problematic. I think that there are many Mac users who over the years have become accustomed to having a very secure and trouble free experience as it pertains to these problems. And because of this it's possible to let your guard down.

That doesn't mean that I think Mac users are stupid or have a false sense of security but, it's easy to become complacent and perhaps not be as vigilant at all times and maybe not check the URL when downloading an update to Flash (or any other update for that matter). It should be noted that the majority of infections that occur on Windows computers are facilitated by the user. Whether downloading and running a suspect file or using someone's infected flash drive to transfer infected files or opening an email you shouldn't have. These people weren't stupid but they let their guard down. This could happen to anyone.

When I moved to Mac from Windows I knew that I was leaving the threat of viruses behind (for the most part) but at the same time I know how difficult life can become when your system gets infected (Doesn't matter whether it's a virus a trojan or any other type of malware). It happened to me one time in all the years of using Windows but it taught me a very valuable lesson. I don't want to worry about it and being that I'm human I know I also can let my guard down just long enough to make a mistake. For that reason I run ESET's Cybersecurity on my Mac which is an excellent anti malware app that I don't even know (except the icon in the menu bar) is even running. It takes almost zero resources and to me it's just worth having for those times when a mistake can happen.

I know a lot of long time die hard Mac users will say "You don't need it", "It's a waste", "Just use common sense". But assuming we are all human any one of us can make a mistake. Is it worth $30 a year to minimize these problems even more? It is to me.

A couple people here mentioned using Time Machine to restore an infected system. But if your system has been infected for a while before you realize it, odds are that your Time Machine backups can also be infected so it may not necessarily help you.

My two cents. Let's all be very careful.

snberk103
Oct 19, 2011, 11:56 AM
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.


The F-Secure site has a general description: Link (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml). I scrolled down to the bottom, where it listed the files that this Trojan wipes out and confirmed that at least one of these was still on my system.

[HD] /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

I clicked on the plist file, and there's content in it, so it's not been overwritten with a blank.

The other file is in the /usr directory, and frankly I'm not worried enough to try and remember how to make this ordinarily hidden directory visible.

I believe that this will indicate whether you are infected or not, but of course if I'm wrong I'm sure someone will chime in.

Luck.

Dr McKay
Oct 19, 2011, 11:58 AM
tRoj4n is n0t v1rus.

When it's on a Mac, it's a Trojan, when it's on Windows. It's a "virus" ;)

Winter Charm
Oct 19, 2011, 11:58 AM
So true.

They already made a first attempt with Lion and I, counting myself among the PHP devs, still see no reason to update to an OS oversimplified to fit the stupidest of users but not professionals.

Of course they defend Lion because admitting they ran the car into a tree at full speed would be a selfkill but I am certain they got a taste of this development direction's future and won't do that again with 10.8.

Coming back to topic, all the important stuff was told with


and


Macs aren't invulnerable, nor is iOS, this is definitely true, but because of its UNIX base system it is freaking way harder to write some "real" Malware for it, or find a usable exploit for it, that works fully automatically without any action required from the target user.

As with Antivirus Applications, they definitely are a waste of money on a Mac for now.
If you really get to catch a virus on OS X (that still has to be written of course) which you can't knock off yourself by just not entering your admin password stupidly into every window popping up out of nowhere that asks for it, that virus has the same OS privileges as the Antivirus software and could easily deactivate it. This is where you probably need a second HDD with another OS install and some handwork. No Antivirus can help you in such a case.

tl,dr =
Trojans: Users with brains relax, users with no brain shell out money for some Antivirus software
Viruses: Users with brains get a second HDD with another OS install handy, users with no brain find yourself some user with a brain.

Even keeping regular backups is totally fine. I don't like the time consuming process of cloning my HDD, but it would be pretty easy for me to just do a reinstall and restore everything from time machine.

Time machine is really useful when you don't keep the drive plugged in for hourly backups - you don't want the files a trojan messed with being backed up without warning. Instead, I do one backup at the end of the day, so long as nothing suspicious has occurred.

gnasher729
Oct 19, 2011, 11:59 AM
It is a cat and mouse game. I suspect Apple will come up with a update to resolve this issue.

I think that Apple could solve the problem by giving 0.0001% of their cash to the right person in Russia. Microsoft spends more than that giving money to the Russian police, which also helps.

Seems that at least four malware writers don't like the idea.

bpaluzzi
Oct 19, 2011, 12:01 PM
nevermind

Saphire
Oct 19, 2011, 12:06 PM
New to Mac so asking a daft question, how do you get into Terminal on an iMac?

farmboy
Oct 19, 2011, 12:06 PM
Quick everyone download MacDefender!


(My team of lawyers require me to note that I'm not actually suggesting anyone download MacDefender.)

I believe multiples of lawyers are correctly called a "coven".

ArtOfWarfare
Oct 19, 2011, 12:06 PM
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

I agree with these questions.

I'm particularly worried because CNN's flash player was acting funky last night and kept throwing up a window saying I needed to install some flash plugin, for which mouse clicks didn't work and to dismiss it I needed to hit the tab key a few times to select a button, and then hit return to deny it permission to install. (Hitting return to allow it to install for whatever reason didn't work.)

bpaluzzi
Oct 19, 2011, 12:10 PM
New to Mac so asking a daft question, how do you get into Terminal on an iMac?

Open "Utilities" (located in your Applications folder, or direct shortcut with Shift+Command+U while in Finder)

Click on "Terminal"

Sorted! :-)

Saphire
Oct 19, 2011, 12:10 PM
Found the Terminal. Thank you. All clear.

kbmb
Oct 19, 2011, 12:13 PM
I agree with these questions.

I'm particularly worried because CNN's flash player was acting funky last night and kept throwing up a window saying I needed to install some flash plugin, for which mouse clicks didn't work and to dismiss it I needed to hit the tab key a few times to select a button, and then hit return to deny it permission to install. (Hitting return to allow it to install for whatever reason didn't work.)

Read this article to see commands to see if you are infected.
http://reviews.cnet.com/8301-13727_7-20119265-263/latest-adobe-flash-trojan-for-os-x-gets-revised/


Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment
On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.


Read more: http://reviews.cnet.com/8301-13727_7-20119265-263/latest-adobe-flash-trojan-for-os-x-gets-revised/#ixzz1bFV3dMSr

-Kevin

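One way to script the two checks this thread describes (the CNET LSEnvironment test quoted above and the XProtectUpdater plist content check from snberk103's post), as an added example that is not code from the thread, CNET, F-Secure or Apple. It reads the plist XML with sed and grep instead of `defaults read`, so it also runs on a non-Mac POSIX shell against the constructed sample files it writes itself; the bundle identifier, Label and dylib path in those samples are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, CNET, F-Secure or Apple.
# Scripts the two Flashback.C checks discussed in the thread:
#   1. does a browser's Info.plist carry DYLD_INSERT_LIBRARIES in LSEnvironment?
#   2. has the XProtectUpdater launchd plist been overwritten with blanks?
# Plist XML is inspected with sed/grep rather than `defaults read`, so the
# script also runs on a non-Mac POSIX shell against the constructed samples.

# check_lsenvironment FILE
# Prints "suspicious" if the LSEnvironment dictionary contains
# DYLD_INSERT_LIBRARIES, "clean" if not, "missing" if FILE is unreadable.
check_lsenvironment() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "missing"
        return 0
    fi
    # Print only the LSEnvironment <dict> (from its key to the next </dict>)
    # and look for the injection variable inside that range.
    if sed -n '/<key>LSEnvironment<\/key>/,/<\/dict>/p' "$file" \
        | grep -q 'DYLD_INSERT_LIBRARIES'; then
        echo "suspicious"
    else
        echo "clean"
    fi
}

# check_xprotect_updater FILE
# Prints "intact" if the launchd plist still holds plist content, "blanked"
# if it is empty or no longer a plist, "missing" if FILE does not exist.
check_xprotect_updater() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "missing"
    elif [ -s "$file" ] && grep -q '<plist' "$file"; then
        echo "intact"
    else
        echo "blanked"
    fi
}

# write_samples DIR
# Writes constructed plists (placeholder content, not copied from any real
# system) into DIR so both checks can be demonstrated offline.
write_samples() {
    dir="$1"
    cat > "$dir/clean-Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
</dict>
</plist>
EOF
    # Same bundle plus the environment entry the CNET check looks for.
    # The dylib path is a placeholder, not a real Flashback.C artefact.
    cat > "$dir/infected-Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/PLACEHOLDER/path/to/injected.dylib</string>
    </dict>
</dict>
</plist>
EOF
    cat > "$dir/xprotectupdater-intact.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.xprotectupdater-placeholder</string>
</dict>
</plist>
EOF
    # A file overwritten with blanks: zero bytes.
    : > "$dir/xprotectupdater-blanked.plist"
}

# On a real Mac, pass the paths named in the thread instead of the samples:
#   /Applications/Safari.app/Contents/Info.plist
#   /Applications/Firefox.app/Contents/Info.plist
#   /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in clean-Info.plist infected-Info.plist; do
        echo "$f: $(check_lsenvironment "$tmp/$f")"
    done
    for f in xprotectupdater-intact.plist xprotectupdater-blanked.plist; do
        echo "$f: $(check_xprotect_updater "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

An Info.plist stored in binary plist format would not match the text search, so on a Mac the `defaults read` commands quoted above remain the authoritative check.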
Soliber
Oct 19, 2011, 12:13 PM
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
Image (http://tracehotnews.com/wp-content/uploads/2011/04/Adobe-flash-player-10.3.jpg)

and do not use the standard system installer window like the trojan does:
Image (http://cdn.macrumors.com/article-new/2011/10/flashback_c_installer.jpg)
It's a bit like knock-off clothing, the devil's in the details:
You can see that the welcoming text in the fake installer is placed obscurely. Adobe would never launch something like that.

AppleFan1984
Oct 19, 2011, 12:14 PM
iOS is the future :)
That may turn out to be more correct than many realize.

I see a day coming not long from now in which it will be very difficult, if not impossible, to download anything for your Mac outside of Apple's AppStore.

Deelron
Oct 19, 2011, 12:19 PM
Some douche bag goes out to piss in the wind and suddenly everyone is afraid.

Only if I'm downwind.

doctor-don
Oct 19, 2011, 12:19 PM
i don't understand why these fools waste everyone's time by writing viruses, and i mean for any platform. Can't they put that energy and effort into something positive? :mad:

off with their heads - and not the head above their shoulders.

nex4k
Oct 19, 2011, 12:23 PM
Even keeping regular backups is totally fine. I don't like the time consuming process of cloning my HDD, but it would be pretty easy for me to just do a reinstall and restore everything from time machine.

Time machine is really useful when you don't keep the drive plugged in for hourly backups - you don't want the files a trojan messed with being backed up without warning. Instead, I do one backup at the end of the day, so long as nothing suspicious has occurred.

The reason to have a second OS install on a separate HDD was not to clone anything but have an untampered OS that can access the files on your (infected) main HDD with lesser chance to infect it too when you're trying to get the malware away by hand. See, on the main HDD the malware is then likely to run in the background and could possibly interrupt you as you're trying to clean up, but if you run another OS install, it's not running.

Time Machine is fine too but restoring from it equals a fresh install or it takes even longer, seen time-wise. Both ways guarantee a complete removal of the malware. I also don't have my TM HDD connected to my Mac all the time, I only do backups occasionally or when the 10-day-warning window pops up.

New to Mac so asking a daft question, how do you get into Terminal on an iMac?

Reading your post, I guess it's better if you don't use it until a couple of years have passed and you got really really familiar with OS X, otherwise there is a high risk that you shred your whole system with the wrong single command you typed in.

QuantumLo0p
Oct 19, 2011, 12:27 PM
Well, I received a Flash updater popup yesterday, and installed it. It was legitimate. Adobe released a new update, which is what I received. I checked for the suspect entries in the info.plist, and they're not there. The XProtectUpdater is intact, and dated 10/12, when I updated to 10.7.2.

I second that. A flash updater popped up, which was probably legit since I wasn't surfing at the time, but I went directly to Adobe to check Flash version. I think the new version is 11.X and I was running 10.X. So unless there was some url spoofing going on I'm sure mine updated correctly.

Definitely scary though. I seem to recall another recent Flash update that occurred during a breaking trojan story.

Kflik
Oct 19, 2011, 12:45 PM
Read this article to see commands to see if you are infected.
http://reviews.cnet.com/8301-13727_7-20119265-263/latest-adobe-flash-trojan-for-os-x-gets-revised/



-Kevin

I ran those instructions in my terminal and it said that they do not exist. I am thinking I am okay.

Thanks for that information!

liam5150
Oct 19, 2011, 12:57 PM
Trojans, viruses, keyloggers et al, can all be very problematic. I think that there are many Mac users who over the years have become accustomed to having a very secure and trouble free experience as it pertains to these problems. And because of this it's possible to let your guard down.

That doesn't mean that I think Mac users are stupid or have a false sense of security but, it's easy to become complacent and perhaps not be as vigilant at all times and maybe not check the URL when downloading an update to Flash (or any other update for that matter). It should be noted that the majority of infections that occur on Windows computers are facilitated by the user. Whether downloading and running a suspect file or using someone's infected flash drive to transfer infected files or opening an email you shouldn't have. These people weren't stupid but they let their guard down. This could happen to anyone.

When I moved to Mac from Windows I knew that I was leaving the threat of viruses behind (for the most part) but at the same time I know how difficult life can become when your system gets infected (Doesn't matter whether it's a virus a trojan or any other type of malware). It happened to me one time in all the years of using Windows but it taught me a very valuable lesson. I don't want to worry about it and being that I'm human I know I also can let my guard down just long enough to make a mistake. For that reason I run ESET's Cybersecurity on my Mac which is an excellent anti malware app that I don't even know (except the icon in the menu bar) is even running. It takes almost zero resources and to me it's just worth having for those times when a mistake can happen.

I know a lot of long time die hard Mac users will say "You don't need it", "It's a waste", "Just use common sense". But assuming we are all human any one of us can make a mistake. Is it worth $30 a year to minimize these problems even more? It is to me.

A couple people here mentioned using Time Machine to restore an infected system. But if your system has been infected for a while before you realize it, odds are that your Time Machine backups can also be infected so it may not necessarily help you.

My two cents. Let's all be very careful.

Sorry but it all sounds like a paid insert... Sounds like the kind of arguments insurance vendors use.

thomaus
Oct 19, 2011, 01:12 PM
That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.

What percent of the general public could take your advice about uninstalling Flash? The easy 10-step process is detailed here: http://kb2.adobe.com/cps/909/cpsid_90906.html.

Flash has turned into a huge exploitable avenue of attack for Macs (and PCs). Adobe has been using a variety of their own flavor-of-the-moment installers that start up after the user has been informed that Flash needs to be updated. This has been going on for years. We've been trained to mindlessly go through this drill (same thing with Acrobat, but don't get me started.)

So, for a human-engineered exploit, all you need is something that looks like a video player and an enticing subject. Fill the frame with a 'Flash plugin is out-of-date' message linked to a Trojan. Badda-boom -- people have been trained to click and install this. If the installer looks weird or different, that seems normal based on past experience.

I'm usually just pissed that updating Flash requires a browser restart along with the dozens of tabs and windows I have open. Now I have to worry whether it's a Trojan loading or not.

swingerofbirch
Oct 19, 2011, 01:15 PM
This is very interesting because several times I have had an application pop up out of the blue saying it was to update Flash. Something about it opening out of the blue seemed suspicious to me, and I didn't install it at first, but then I remembered I had disabled the automatic opening of downloads from Safari, which is how the previous trojan had worked I thought, so I did install it. I'm guessing now I probably did fall for something.

Edit: Opening safe files was checked in Safari . . . shows I should not have relied on MobileMe syncing preferences.

hkenneth
Oct 19, 2011, 01:19 PM
I was just on yahoo checking the news this morning and an update popped up that said I needed to upgrade :confused:

It looked completely like any other flash upgrade that i've installed previously.
I'm really worried now.

I think Adobe is using an AIR like interface for its flash setup package, not the Apple pkg interface.

KRF68
Oct 19, 2011, 01:19 PM
Can I search for something? Any help?

AdrianT
Oct 19, 2011, 01:19 PM
has anyone gotten the flash player on mac to do automatic updates? I have the option checked but it never seems to say there is a new version. I always have to go to adobe.com and update it manually even when autoupdate is checked in the system prefs.

NakedPaulToast
Oct 19, 2011, 01:21 PM
Unless of course they found an exploit in the unix permission system, then the world is screwed

Or an exploit is found for an executable that has the SETUID bit set and is owned by superuser. And yes, this happens with frequency; and yes, the UNIX/Linux world has been screwed numerous times.

50548
Oct 19, 2011, 01:50 PM
It's happening more and more.

You mean malware supposed to lure you into typing an admin password? I had one of these back in 2002. Wake me up when real danger appears.

mdnz
Oct 19, 2011, 01:54 PM
This is what the official installer for Flash looks like:

http://www.appletips.nl/wp-content/uploads/2010/12/flash10.2.png

If yours looks any different, click the installer away and delete it.

primmstereo
Oct 19, 2011, 01:55 PM
Damn you Flash!! When are you gonna go extinct!! you suck!!

Comment FAIL.

I hope you realize this has nothing to do with Adobe.

munkery
Oct 19, 2011, 01:59 PM
How do I prevent this from happening on OS 10.5.8?

Trojans and other online scams that require user error to be successful can be avoided by following the suggestions in #8, #9, & #14 in the "Mac Security Suggestions" link found below in my sig.

If you wish to have anti-malware protection similar to that provided by default in SL and Lion, see #10 in the "Mac Security Suggestions" link found below in my sig.

xizar
Oct 19, 2011, 02:01 PM
The disassembly notes say that it overwrites your plist file with blanks. So yes, what you posted is what you should see for a xprotectupdater.plist.

!! Yay!

Thanks for the info.

Dillenger
Oct 19, 2011, 02:01 PM
All Your Trojans (and viruses) Belong To Us.

blackhand1001
Oct 19, 2011, 02:22 PM
Both of these posts are laughably uninformed.

The Mac's resistance to viruses has nothing to do with market share, nor did it have to do with the PowerPC architecture.

There still has never been a virus reported on OS X. Not likely to change any time soon. And that would be the case if Apple had 99% of the PC market.

You can believe that all you want but the hackers at Black Hat would disagree. Windows is in fact more secure than Mac is at this time. The days of true viruses on PCs are pretty much gone. 99.999% of what you come across are trojan horses. They require user interaction to be executed and with Vista and Windows 7 they have to be given administrative privileges. Windows Vista and 7 will only prompt for administrative privileges if they detect that the file is a proper installer or if it's in the compatibility database. So even many trojan horses fail as they do request privilege elevation in Vista or 7. The days of self replicating viruses on Windows are gone. I am sure there is something out there that can do this, but same goes for Mac OS. The whole unix privileges thing doesn't mean crap if the user (which is where most of it goes wrong on either platform) gives the trojan permission to run. And on Windows Vista and 7 since most software has been updated to work with proper permissions you don't see UAC any more than you are asked for your password on Mac OS.

ogee
Oct 19, 2011, 02:22 PM
This is what the official installer for Flash looks like:

Image (http://www.appletips.nl/wp-content/uploads/2010/12/flash10.2.png)

If yours looks any different, click the installer away and delete it.

Damn, mine's a fake, it's in English not Dutch! :D

djrod
Oct 19, 2011, 02:26 PM
You can believe that all you want but the hackers at Black Hat would disagree. Windows is in fact more secure than Mac is at this time. The days of true viruses on PCs are pretty much gone. 99.999% of what you come across are trojan horses. They require user interaction to be executed and with Vista and Windows 7 they have to be given administrative privileges. Windows Vista and 7 will only prompt for administrative privileges if they detect that the file is a proper installer or if it's in the compatibility database. So even many trojan horses fail as they do request privilege elevation in Vista or 7. The days of self replicating viruses on Windows are gone. I am sure there is something out there that can do this, but same goes for Mac OS. The whole unix privileges thing doesn't mean crap if the user (which is where most of it goes wrong on either platform) gives the trojan permission to run. And on Windows Vista and 7 since most software has been updated to work with proper permissions you don't see UAC any more than you are asked for your password on Mac OS.


Sure, that's why last week I deleted 5 viruses from my girlfriend's PC with Windows 7 that has an antivirus installed!!!

blackhand1001
Oct 19, 2011, 02:32 PM
Sure, that's why last week I deleted 5 viruses from my girlfriend's PC with Windows 7 that has an antivirus installed!!!

Those are not viruses, they are trojan horses. She installed them herself (probably because she clicks whatever pops up on the screen).

I recommend everyone here read up on UAC (it's more than what Apple would like you to think based on their old commercial)
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

anjonjp
Oct 19, 2011, 02:34 PM
CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

Actually, so did I and that is my concern also. I don't understand why you have 8 negatives - there really was a Flash update on my MacBook too.

Can someone else add their input? If this Trojan is masquerading as a Flash Player update, how can we distinguish?

mdnz
Oct 19, 2011, 02:38 PM
Actually, so did I and that is my concern also. I don't understand why you have 8 negatives - there really was a Flash update on my MacBook too.

Can someone else add their input? If this Trojan is masquerading as a Flash Player update, how can we distinguish?

Compare the image from the first post to the image I posted just a few posts ago. If you installed the one I showed, you're safe.

rocknblogger
Oct 19, 2011, 03:37 PM
Sorry but it all sounds like a paid insert... Sounds like the kind of arguments insurance vendors use.

There are a number of people in this thread that say they installed a flash update but are unsure if it was legit. Doesn't that prove and support exactly what I said? I just don't see the resistance of long time Mac users to some sort of AV app. Just because it hasn't happened does not mean it never will. You can't be that closed minded to believe that. Can you?

And I'm just a regular user like anyone else here. I have no stake in any kind of AV software.

Therbo
Oct 19, 2011, 03:57 PM
Those are not viruses, they are trojan horses. She installed them herself (probably because she clicks whatever pops up on the screen).

I recommend everyone here read up on UAC (it's more than what Apple would like you to think based on their old commercial).
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

It took Microsoft till 2007 to make a half-decent, half-baked multi-user system. I'm impressed (sarcasm).

I think *NIX had a better implementation since the 70s.

Oh BTW, wasn't there an exploit that actually turned off UAC? LOL.

vahnx
Oct 19, 2011, 03:57 PM
They don't, this is a Trojan. Big difference :rolleyes:

Not to the average user. Trojans and viruses fall under the same category and meaning.

Therbo
Oct 19, 2011, 03:58 PM
Not to the average user. Trojans and viruses fall under the same category and meaning.

Trojan: Free Porn. Install PornPlayer v3, Please Enter Your Password (SURE I WANT PORN), Infected. PLEASE ENTER YOUR PASSWORD AGAIN AND AGAIN OVER AND OVER FOR MORE PORN, YAY

Virus: Visit Porn in IE, code deletes /system32 without you knowing.

Simple way of putting it.

munkery
Oct 19, 2011, 04:12 PM
I recommend everyone here read up on UAC

Below is some information and links for those interested in UAC and other security mitigations in Windows.

1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.

Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.

Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.

Mac OS X Snow Leopard has contained only 4 elevation of privilege vulnerabilities since it was released; obviously, none of these was used in malware. Lion has contained 2 so far, but one of these vulnerabilities doesn't affect all account types because it is due to a permissions error rather than a code vulnerability.

The following link shows the number of privilege escalation vulnerabilities in Windows 7 related to just win32k:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+7

More information about privilege escalation in Windows 7:

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.

https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.

http://mista.nu/research/mandt-win32k-paper.pdf -> more complete documentation about alternative methods to exploit the Windows kernel.

http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.

2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.

http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.

Also, methods have been found to bypass ASLR in Windows 7.

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.

Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.

Using Linux distros with similar runtime security mitigations as Lion for a model, client-side exploitation is incredibly difficult without some pre-established local access. Of course, this is self defeating if the goal of the exploitation is to achieve that local access in the first place.

See the paper linked below about bypassing the runtime security mitigations in Linux for more details.

http://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-slides.pdf

The author only manages to do so while already having local access to the OS.

3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.

But, not all software in Windows uses DEP; this includes 64-bit software. See first article linked in #2.

4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.

http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.

5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit…) are sandboxed in Lion.

Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.

http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.

http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.

https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.

6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.

Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.

Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.

As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html)

7) Windows has far more public and/or unpatched vulnerabilities than OS X.

http://www.vupen.com/english/zerodays/ -> list of public 0days.

http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker -> another list of public 0days. (Most if not all of the Apple vulnerabilities in this list were patched in the latest Apple security update -> http://support.apple.com/kb/HT5002)

http://m.prnewswire.com/news-releases/qihoo-360-detects-oldest-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.

8) Password handling in OS X is much more secure than Windows.

The default account created in Windows does not require a password. The protected storage API in Windows incorporates the users password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.

In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.

Also, Mac OS X Lion uses a salted SHA512 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used to store passwords in Windows 7.

http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.

9) The new runtime security mitigation improvements to be included in Windows 8 have already been defeated.

http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

To put this into perspective, methods to bypass the new runtime security mitigations in Mac OS X Lion are not yet available.

In regards to earlier versions of Mac OS X:

The following image relates to varying levels of security mitigations in different Linux distros but it is applicable in revealing that the runtime security mitigations in some earlier versions of Mac OS X prior to Lion were far from inadequate.

[image attachment 308164]

source -> http://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-slides.pdf

The following section of that image represents a comparison of Mac OS X Leopard/Snow Leopard to Windows Vista/7.

[image attachment 308165]

While Mac OS X Leopard/SL lack full ASLR, Windows Vista/7 have stack canaries (aka stack cookies) that are trivial to bypass.

The following link shows the issues with stack canaries in Windows. -> http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

So:

Windows Vista/7 = NX + ASLR
Mac OS X Leopard/SL = NX + stack cookies

[image attachment 308165]

The image shows that NX in combination with stack canaries is more difficult to bypass than a combination of NX and ASLR.

Admittedly, some apps in Leopard/SL don't use stack canaries but some apps in Vista/7 don't use ASLR. -> http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf

But, this information does make it seem that the criticism of runtime security mitigations within earlier versions of Mac OS X has been biased and somewhat not as pertinent as some headlines suggest.

The bias in much of the infosec community is obvious.

heimbachae
Oct 19, 2011, 04:14 PM
So here's a question: does anyone know if there was a legit Flash update over the last week? I, like a few, do remember updating recently on my and my parents' iMacs and I'm now wondering if I didn't just run it by mistake. I wasn't on any sites, it just popped up (I thought from the widget in Preferences) so I just clicked through and haven't worried about it since. Haven't noticed any decrease in speed or anything out of the ordinary. Let me know.

Sankersizzle
Oct 19, 2011, 04:25 PM
So, we still haven't figured out a way to check if we've been infected?

I am privy to dubious internet dealings, and wouldn't mind knowing if someone is all up in my business.

----------

The F-Secure site has a general description: Link (http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml). I scrolled down to the bottom, where it listed the files that this Trojan wipes out and confirmed that at least one of these was still on my system.

[HD] /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

I clicked on the plist file, and there's content in it, so it hasn't been overwritten with a blank.

The other file is in the /usr directory, and frankly I'm not worried enough to try and remember how to make this ordinarily hidden directory visible.

I believe that this will indicate whether you are infected or not, but of course if I'm wrong I'm sure someone will chime in.

Luck.

I just checked, I don't even have a com.apple.xprotectupdater.plist file in that directory... Running 10.7.2.

munkery
Oct 19, 2011, 04:55 PM
I just checked, I don't even have a com.apple.xprotectupdater.plist file in that directory... Running 10.7.2.

In /Library or /System/Library?

Which directory did you check?

heimbachae
Oct 19, 2011, 05:05 PM
So, we still haven't figured out a way to check if we've been infected?

just found this http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml

Sankersizzle
Oct 19, 2011, 05:08 PM
In /Library or /System/Library?

Which directory did you check?

Both :confused:

charlituna
Oct 19, 2011, 06:07 PM
I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive? :mad:

When a little bit of work nets them a crapload of credit cards, etc., of course they won't stop. And that whole MacDefender thing probably got them a fair bit, mainly from users that don't understand that much about technology and haven't been taught to think things like "I don't remember installing an anti-virus program on the computer".

Same thing with the fake review scams, etc. You would think after the first person was caught they would stop, but of course they don't.

----------

1 - how can we tell if a machine is infected?

Directly on the machine you likely can't.

But to tell if you are at risk, ask yourself if you have downloaded Flash Player recently (say in the last 4 months) and, when you did, was it because a site said you needed to so you clicked a download link. And did that link take you to the Adobe webpage for Flash or just start downloading a file that you then installed?

If those are the events that occurred, you are very possibly infected. If you took yourself to the Adobe page on your own, you are fine.

----------

If you've kept your security updates up-to-date you should be fine. Previously Apple's security updates I think have been pretty good about getting rid of this thing. This is a brand new one that stops your computer from getting updates.

But only until Apple tracks it down, reverse engineers it and releases a new security update that wipes out the wipe out AND redoes how it sets things up so the trojan is no good.

And the dance carries on.

----------

If apple merged iOS and OS X (which they won't)

I would be careful saying they won't. The two systems have a lot of the same underpinnings and yes could merge at some point.

And that might not be a bad thing. The auto save features from iOS can be useful as can the whole Launchpad etc. It would be nice if they would let us turn them on and off if we like. And as long as they leave Finder in place for those that like that style who cares about Launchpad.

iOS could pick up a new filing system that might still not let us go in directly (a la a Finder) but would at least put things in one common bucket, so for example if I originally open a PDF in iBooks I could close that and open it in GoodReader without having to sync over a second copy or still have the original email to save it to said second program. Or how about if I write a song in GarageBand I can save it in a common spot and immediately play it in my 'music' or even use it in iMovie, without having to dance the sync-it-to-my-computer-and-back dance.

And with a common OS perhaps we'll get more integration of the computer versions of software with the iOS ones. Like being able to start a movie in the iOS iMovie and move it to the computer.

These sorts of things are being asked for by many folks as options. And if we had a single OS with two faces perhaps we would get them.

Tech Elementz
Oct 19, 2011, 06:31 PM
So it switches the updating from automatic to manual use?

OR does it prevent manual updates as well?

adder7712
Oct 19, 2011, 06:58 PM
That's what you get for installing "Flash" with a dodgy Flash installer.

Adobe's installers are different.

http://www.maclife.com/files/u220903/Adobe_Flash_Player_installer_380px.jpg If yours looks like this, no sweat.

iCaleb
Oct 19, 2011, 07:13 PM
I just checked and I still have that plist file. :)

Wipes sweat off forehead. :p

munkery
Oct 19, 2011, 07:31 PM
So it switches the updating from automatic to manual use?

OR does it prevent manual updates as well?

If the user is duped into password authenticating the installation of this malware, then it can use those granted privileges to modify the file that contains the malware definitions and prevent new definition updates via any method (most likely both).

Once a definition exists for this threat, XProtect will detect it and warn the user prior to the user password authenticating the installation of the trojan.

Users should always be cautious when installing software and updates, especially installs that require password authentication to complete.

Simsonic
Oct 19, 2011, 08:08 PM
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe. :eek:
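An added example (not code from any poster in this thread) that automates the two manual checks described above: the LSEnvironment / DYLD_INSERT_LIBRARIES test on a browser's Info.plist, and the presence-and-content test on the XProtect updater launch daemon plist. The sample plists are constructed here, the injected dylib path is a placeholder rather than a real indicator, and the updater's Label/ProgramArguments keys and /usr/libexec/XProtectUpdater path are assumptions about a standard launchd job.

```python
# Added example, not code from the forum posters. Automates the thread's two
# manual checks. Sample plists below are constructed; the injected library
# path is a placeholder, not a real Flashback.C indicator.
import os
import plistlib
from typing import Dict, List

# Paths named in the posts. The launch daemon is what Flashback.C overwrites.
XPROTECT_UPDATER_PLIST = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
BROWSER_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]


def dyld_insert_paths(plist_bytes: bytes) -> List[str]:
    """Return dylib paths injected through LSEnvironment/DYLD_INSERT_LIBRARIES.

    An untouched Safari or Firefox Info.plist has no LSEnvironment key at all,
    which is why `defaults read` reports that the pair does not exist. An
    LSEnvironment dict that lacks DYLD_INSERT_LIBRARIES is not the indicator
    either, so both cases yield an empty list.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    # DYLD_INSERT_LIBRARIES is a colon-separated list of dylib paths.
    return [p for p in str(value).split(":") if p]


def updater_plist_intact(plist_bytes: bytes) -> bool:
    """True if the bytes parse as a launchd job with a Label and a program.

    Assumption: like any launchd job, the updater plist carries Label plus
    Program or ProgramArguments. An empty or garbled file (the overwrite the
    posts describe) fails this test.
    """
    if not plist_bytes.strip():
        return False
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:  # plistlib raises several error types for garbled input
        return False
    return isinstance(job, dict) and "Label" in job and (
        "Program" in job or "ProgramArguments" in job)


def scan_system(browser_plists=BROWSER_PLISTS,
                updater_plist=XPROTECT_UPDATER_PLIST) -> Dict[str, str]:
    """Run both checks against real files and return a status string per path."""
    report = {}
    for path in browser_plists:
        if not os.path.exists(path):
            report[path] = "not installed"
            continue
        with open(path, "rb") as fh:
            injected = dyld_insert_paths(fh.read())
        report[path] = "INFECTED: injects " + ", ".join(injected) if injected else "clean"
    if not os.path.exists(updater_plist):
        report[updater_plist] = "MISSING (updater removed, or not present on this OS version)"
    else:
        with open(updater_plist, "rb") as fh:
            report[updater_plist] = "intact" if updater_plist_intact(fh.read()) else "OVERWRITTEN"
    return report


# Constructed sample inputs so the checks can be exercised off a Mac.
CLEAN_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

# LSEnvironment present but without the injection key: still clean.
BENIGN_ENV_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.mozilla.firefox</string>
  <key>LSEnvironment</key><dict><key>EXAMPLE_VAR</key><string>1</string></dict>
</dict></plist>"""

# What an infected Info.plist looks like; the dylib path is a placeholder.
INFECTED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/path/to/injected-placeholder.dylib</string>
  </dict>
</dict></plist>"""

# Assumed shape of the updater launch daemon (program path is an assumption).
INTACT_UPDATER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.xprotectupdater</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/XProtectUpdater</string></array>
</dict></plist>"""

if __name__ == "__main__":
    for path, status in scan_system().items():
        print(f"{status:12s} {path}")
```

Run it as is on a Mac to check the real files, or call the two parsing functions on the constructed samples to see the clean, benign-LSEnvironment and injected cases side by side.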

Sankersizzle
Oct 19, 2011, 08:17 PM
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe. :eek:

Thanks dawg. I remain uninfected!

Simsonic
Oct 19, 2011, 08:52 PM
Thanks dawg. I remain uninfected!

You're welcome.

SteveKnobs
Oct 19, 2011, 09:27 PM
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe. :eek:

Thanks dude- I'm safe.

Weird thing though- I was just prompted to update the Adobe Flash Player after opening MACRUMORS..... it could have been a legit update from Adobe, but I wasn't taking any chances.

macgeof
Oct 20, 2011, 01:32 AM
Thanks dude- I'm safe.

Weird thing though- I was just prompted to update the Adobe Flash Player after opening MACRUMORS..... it could have been a legit update from Adobe, but I wasn't taking any chances.

At this point I think it is necessary to add the following. Flash Player updates (official ones) from Adobe quite often include security hole fixes or tightened security policy. Please don't slip into the mindset of thinking that you shouldn't update your Flash Player - this is not sensible thinking.

Just ensure you go to http://get.adobe.com/flashplayer/ and download the installer from there. All will be fine then.

Cheffy Dave
Oct 20, 2011, 02:58 AM
These "children" who design such viruses would put their obvious brilliance towards the betterment of Man and our world, rather than bring down such a ***** storm of crap designed to do harm.

madmax_2069
Oct 20, 2011, 03:24 AM
Oh, god, here we go again with the virus vs malware vs trojan vs etc., etc.

Malware is a generic category (malicious software). Viruses, trojans, spyware and all other crap that f***ks with your computer are malware.

Macs have never been infected by a virus up to this date. Yes, it is possible sometime in the future a virus could be developed that will infect a Mac. Nothing to this date!

Trojan is NOT a virus - it is a form of malware. Unlike a virus which can infect a computer without action on the part of the user, trojans have to be invited in. In short - the user has to screw up.

The best defense is an educated user.

(GGJstudios - How did I do?? :D :p:p)

1. Agreed

2. Oh, so you don't consider Macs running the classic Mac OS Macs? Because Macs that ran the classic Mac OS have been infected by viruses before. You should rephrase that to say Macs have not been infected by a virus since OS X.

3. Although a Trojan isn't a virus, a Trojan can be used to put a virus on a computer and act like a spy by stealing info, so a Trojan should be seen as as much of a threat as a virus.

Birdy1062
Oct 20, 2011, 03:29 AM
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe. :eek:

Hi guys,

Ran the terminal lines with "does not exist" error messages as result.

On the other hand I'm unable to find the com.apple.xprotectupdater.plist file in the Library folder.....:confused:
In which folder in Library am I supposed to find it?

Should I be concerned?????:eek:

Ed91
Oct 20, 2011, 04:09 AM
I understand that this is not a virus, however, this is still a big problem that Apple need to solve, and it isn't heartening that Windows hasn't solved it well either. This is a nicely crafted social engineering attack, and while obvious visual differences exist between the trojan installer and Adobe's own installer, it's still close enough to fool less savvy users. People are used to having to install/update flash, and telling people not to fall for it isn't going to work unless you're already informed enough not to fall for it.

Problems:

[Adobe]
- Flash must be updated for system security.
- The current updater appears from nowhere to prompt for update installation.
- Flash installation requires an admin password.
- Flash is the perfect guise for a trojan (people know of it, assume they have it, know it needs updating, but don't know it well. The only GUI is the installer, and few pay attention to how that looks)

[Apple]
- Safari thinks installer packages are "safe files" and will open them automatically (unless unchecked in preferences) allowing trojans to launch installation upon download. Ridiculous.
- XProtect.plist & xprotectupdater - static locations / filenames.
- Flash is third party: Apple can't really control (or fix) it.

It's hard not to see Apple as at fault here for allowing the opening of "safe" files automatically. PDFs aren't safe, let alone installer packages, and now the downloads list is accessible from the Safari toolbar in Lion, it's tough to justify auto-opening files. I'd also like to see Apple keep improving XProtect. At the moment it's crude protection against crude malware. I'd like to see it advance very quickly, but for now, the moral of the story remains:

Safari -> Preferences -> [General Tab] -> Untick: "Open 'safe' files after downloading"

Interestingly, this malware checks for Little Snitch, and if found, deletes itself.

Most of Adobe's problems are inherent to the product that Flash is: a web-facing browser plugin. I can't defend Flash's security record, and dislike Flash as a whole, but that's not what the problem is in this case.


[EDIT] It'd be nice if the front page article showed the differences between the two installers, not just the fake one, to help quell some nerves. (Images taken from FPA & adder7712)

FAKE:
http://i4.photobucket.com/albums/y136/Ed91/flashback_c_installer.jpg

REAL:
http://i4.photobucket.com/albums/y136/Ed91/Adobe_Flash_Player_installer_380px.jpg

Shrink
Oct 20, 2011, 05:48 AM
It's disturbing that, after decades of malware, that people will still consider installing software from untrusted sources. Especially when the software is a free download.
More accurately, Mac OS X has never been infected by a virus up to this date. There have been viruses for the classic Mac platform, although most are very old and not likely to be in the wild, and wouldn't work on a modern Mac even if you downloaded it.
Where did you download it from? The official source is from Adobe: http://get.adobe.com/flashplayer/. You shouldn't consider installing a copy downloaded from anywhere else.

Good distinction. I didn't know that. Thanks for the correction.:)

RichardI
Oct 20, 2011, 06:24 AM
Can someone, anyone tell me why anyone would spend all that time and money to develop a trojan horse? What do they get out of it? Who pays for it? Am I just a naive user?? What is the end-game here? I don't get it.:mad:

munkery
Oct 20, 2011, 06:25 AM
- Flash must be updated for system security.

This is true but this is less applicable to OS X than other OSs.

See the following post from earlier in this thread for further explanation:

http://forums.macrumors.com/showpost.php?p=13672712&postcount=143

- Safari thinks installer packages are "safe files" and will open them automatically (unless unchecked in preferences) allowing trojans to launch installation upon download. Ridiculous.

Despite the installer launching automatically, the user still has to click through the installer to install the malware.

So, the security implications of the installer launching automatically aren't very significant.

Ed91
Oct 20, 2011, 07:37 AM
This is true but this is less applicable to OS X than other OSs.


I don't believe I mentioned any other OSs. If it is true, it is true.


Despite the installer launching automatically, the user still has to click through the installer to install the malware.

So, the security implications of the installer launching automatically aren't very significant.

The security implications are huge. You've gone from a file sitting in "downloads" to a socially engineered installer prompting the user to click "continue." If they fall for the trick, game over. The user may have to be fooled, but foolish users are nothing new. The subterfuge couldn't take place without the installer opening and prompting the user to install Flash.

If you think that mitigating a social engineering factor wouldn't affect computer security when faced with a trojan, you're insane.

munkery
Oct 20, 2011, 08:36 AM
I don't believe I mentioned any other OSs. If it is true, it is true.

Flash updates usually patch memory corruption vulnerabilities.

Runtime security mitigations prevent these vulnerabilities from being exploited.

No methods are known that allow bypassing the runtime security mitigations in Lion.

Flash was no longer a reliable exploitation vector in SL. This is even more true now that Flash is 64-bit.

Combined with reliable DAC that prevents access to vectors to make malware profitable, Flash doesn't represent a huge risk factor in OS X.

The only relevant Flash vulnerabilities in relation to OS X are XSS vulnerabilities that are used in sophisticated phishing emails. But, these threats require user interaction to be successful and are easily avoided.

The security implications are huge...The subterfuge couldn't take place without the installer opening and prompting the user to install Flash.

The subterfuge could also occur via the user manually launching the file in downloads due to being labelled a Flash update then clicking through the installer and password authenticating the installation.

If you think that mitigating a social engineering factor wouldn't affect computer security when faced with a trojan, you're insane.

The mitigation is already in place. XProtect is integrated into File Quarantine.

Once a definition for the malware is included in XProtect, the installer won't open automatically. Instead a warning prompt will appear to tell the user the payload of the installer is malware.

But, a better mitigation is the user applying knowledge about safe computing practices. This is better because it doesn't rely on waiting for a definition to be released. See #8, #9, and #14 in the "Mac Security Suggestions" link in my sig for more info.

sotorious
Oct 20, 2011, 09:19 AM
Macs are starting to become more popular so viruses will be appearing everywhere.

shamino
Oct 20, 2011, 09:20 AM
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.
If you disable Safari's "feature" to automatically open "safe" downloads, then neither will auto-launch. If you configure your web browser to always prompt for download locations, then it won't be able to auto-download either, since you'll be asked to select a destination (and you can click "cancel").
... as far as I can tell, the main difference is in the install window you see.
Legitimate Flash updates should look like this...
This is an unreliable way to tell. The next version of the malware may look like the Adobe installer, and Adobe may change their installer in the future.

The best approach is to never launch any app (installer or otherwise) that you didn't explicitly get yourself. If something tries to auto-download, delete it no matter what it claims to be.

If you need to update Flash (or any other piece of software), download your updates directly from the publisher (e.g. http://www.adobe.com) and you'll be fine.
Well I had the above notification and I moved it to the trash. What I'm wondering is why it did not infect anything? My computer is running fine, and how come it let me move it to the trash so simply? Did it never truly install?
From your description, it appears that Apple's malware-detector identified the malware before the installer ran.

Malware doesn't infect your computer by simply being on your hard drive. Something has to launch it. If you don't launch it, and no other software (like a web browser or plugin) launches it, then it doesn't do anything.

If you would launch it (and ignore warnings from your OS and/or virus scanner) then you'd be in trouble.

As for ease of deletion, not all malware is hard to get rid of. Some can simply be dragged to the trash. Others are much harder to remove, possibly even requiring a reinstall of your OS.

Anotoneher
Oct 20, 2011, 09:25 AM
Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe. :eek:

The domain/default pair of (/Applications/Safari.app/Contents/Info.plist, LSEnvironment) does not exist

UGH.............. What's that mean exactly?

duffman9000
Oct 20, 2011, 09:28 AM
Can someone, anyone tell me why anyone would spend all that time and money to develop a trojan horse? What do they get out of it? Who pays for it? Am I just a naive user?? What is the end-game here? I don't get it.:mad:

For the lulz (http://www.urbandictionary.com/define.php?term=LULZ).

Don't download Adobe software from anywhere except Adobe. Apply the same logic to any software. Always download from the publisher.

Anotoneher
Oct 20, 2011, 09:39 AM
Manual Removal Instructions

1. Scan the whole system and take note of the detected files.
2. Remove the entry
   <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
   <string>%path_of_detected_file_from_step_1%</string></dict>
   from:
   /Applications/Safari.app/Contents/Info.plist
   /Applications/Firefox.app/Contents/Info.plist
3. Delete all detected files.

---

I manually found my .plist and I don't have that listed in my Safari plist.

BUT...

/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

I don't have a LaunchDaemons folder in my library...

bpaluzzi
Oct 20, 2011, 09:56 AM
Macs are starting to become more popular so viruses will be appearing everywhere.

Wow.

lrodk
Oct 20, 2011, 10:01 AM
CNET has a nice step by step article for Mac novices like me that would confirm if your system was affected.

http://reviews.cnet.com/8301-13727_7-20122551-263/flashback-os-x-malware-variant-disables-xprotect/

Excerpt from the article:

Again, this malware is very rare and will not affect most Macs out there, but if you suspect one of your Macs has been infected then you can do a rudimentary check on your system by running the following two commands in the Terminal (copy and paste them):

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

These commands will read the property list within the applications and check to see if they have been modified to launch other applications when opened. In the output for these commands, if you see text that includes "DYLD_INSERT_LIBRARIES" followed by a path that points to a specific file, then your system has been infected. If you do not see this text output and instead see "The domain/default pair...does not exist," then your system has not been infected.

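The `defaults read ... LSEnvironment` check in Anotoneher's post and in the CNET excerpt above, plus the manual removal step (strip the `LSEnvironment`/`DYLD_INSERT_LIBRARIES` entry from the browser's Info.plist), written up as one script. This is an added example, not code from the thread, from Apple, CNET or F-Secure. It uses only Python's standard `plistlib` (which reads both XML and binary plists, so it works on the same files `defaults` reads), the two browser Info.plist paths and the launchd plist path named in the thread; the sample plists and the payload path `/tmp/example_payload.dylib` are constructed for the demo and are not taken from any real sample.

```python
"""Detect and strip a DYLD_INSERT_LIBRARIES injection in a browser Info.plist.

Added example, not code from the thread. Real paths: the two browser Info.plist
files and the XProtect updater launchd plist named in the thread. Everything
else (sample plists, payload path) is constructed for the demo.
"""
import os
import plistlib
from typing import Dict, Optional

BROWSER_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
XPROTECT_UPDATER_LAUNCHD = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"


def injected_library(plist_bytes: bytes) -> Optional[str]:
    """Return the DYLD_INSERT_LIBRARIES path if the plist carries one, else None.

    Same test as `defaults read <plist> LSEnvironment`: a clean Info.plist has no
    LSEnvironment key at all, which is why `defaults` prints 'does not exist' on
    an uninfected system.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def lsenvironment_present(plist_bytes: bytes) -> bool:
    """True if the plist still has an LSEnvironment dictionary at all."""
    return "LSEnvironment" in plistlib.loads(plist_bytes)


def strip_injection(plist_bytes: bytes) -> bytes:
    """Return the plist with the injected entry removed (the manual removal step).

    Drops DYLD_INSERT_LIBRARIES and, once LSEnvironment is empty, the whole key,
    so the result matches a clean install rather than leaving an empty dict.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if isinstance(env, dict):
        env.pop("DYLD_INSERT_LIBRARIES", None)
        if not env:
            del info["LSEnvironment"]
    return plistlib.dumps(info)


def scan_installed_browsers() -> Dict[str, Optional[str]]:
    """Run the check against the real browser plists (only present on macOS)."""
    results: Dict[str, Optional[str]] = {}
    for path in BROWSER_PLISTS:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                results[path] = injected_library(fh.read())
    return results


# Constructed samples: a minimal clean Info.plist, and the same plist after the
# trojan appended its LSEnvironment block (hypothetical payload path).
CLEAN_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
})
INFECTED_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/tmp/example_payload.dylib"},
})

if __name__ == "__main__":
    print("sample clean    :", injected_library(CLEAN_PLIST))
    print("sample infected :", injected_library(INFECTED_PLIST))
    print("after removal   :", injected_library(strip_injection(INFECTED_PLIST)))
    for path, lib in scan_installed_browsers().items():
        print(path, "->", lib or "clean")
    # The trojan overwrites the XProtect updater; at minimum the launchd plist
    # that schedules the daily definition check should still be present.
    print("XProtect updater launchd plist present:", os.path.exists(XPROTECT_UPDATER_LAUNCHD))
```

Two caveats. The script reports on the real browser plists only when run on the Mac in question; elsewhere it just exercises the constructed samples. And writing a modified Info.plist back into Safari.app or Firefox.app alters a file covered by the application's code signature, so the thread's other suggestion, deleting the browser and reinstalling it from the publisher, is the cleaner fix; `strip_injection` is here to show what the manual edit actually removes.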

NY Guitarist
Oct 20, 2011, 11:09 AM
Ran the terminal lines with "does not exist" error messages as result.

On the other hand I'm unable to find the com.apple.xprotectupdater.plist file in library folder.....:confused:
In which folder in library am I suppose to find it?

Should I be concerned?????:eek:

Same here. I'm also concerned because I got a pop-up saying my Flash Player was out of date. I cancelled that window and went to the System Preferences app (MacOSX 10.6.8) and used the Flash Player pref pane to see if I needed to update to a newer version by clicking "check now". Needed to update so I DL'd it from Adobe and installed.

But as mentioned by poster I quoted I also can't find the com.apple.xprotectupdater.plist file.

Never mind... operator error. I was looking in wrong Library. It's there so I'm OK.

I have to say it's annoying that a third party app is the weak spot in my OS security.

rjohnstone
Oct 20, 2011, 12:55 PM
If you disable Safari's "feature" to automatically open "safe" downloads, then neither will auto-launch. If you configure your web browser to always prompt for download locations, then it won't be able to auto-download either, since you'll be asked to select a destination (and you can click "cancel").

Not true.
The real Flash Updater runs in background and does not rely on any Safari settings.
The updater periodically checks for updates (this is why the updater appears at random) and notifies you when it finds one.
The real Flash Updater does not download anything until you select the Install button.

Birdy1062
Oct 20, 2011, 02:27 PM
Same here. I'm also concerned because I got a pop-up saying my Flash Player was out of date. I cancelled that window and went to the System Preferences app (MacOSX 10.6.8) and used the Flash Player pref pane to see if I needed to update to a newer version by clicking "check now". Needed to update so I DL'd it from Adobe and installed.

But as mentioned by poster I quoted I also can't find the com.apple.xprotectupdater.plist file.

Never mind... operator error. I was looking in wrong Library. It's there so I'm OK.

I have to say it's annoying that a third party app is the weak spot in my OS security.

Where did you find it? Still unable to locate it.....:confused::confused::confused:

snberk103
Oct 21, 2011, 11:26 AM
Where did you find it? Still unable to locate it.....:confused::confused::confused:

Does this help?

collegitdept
Oct 21, 2011, 01:21 PM
Does this help?

When was your last XProtect updated?

Apparently the last update to XProtect was on October 11th.

Not back in late September.

Is this true?

munkery
Oct 21, 2011, 02:08 PM
When was your last XProtect updated?

Apparently the last update to XProtect was on October 11th.

Not back in late September.

Is this true?

XProtect checks daily for updates but the file containing the definitions is only modified if new definitions are added.

Around Oct 11 was the most recent addition of a new definition to the list.

Birdy1062
Oct 21, 2011, 06:44 PM
Does this help?


Oh Yes!

Tks snberk103!:p:p:p:p:p:p

Latest modified on 15/08/11?