Apple Updates Anti-Malware Definitions to Address Fake Flash Player Trojan

[sza]

in order to prevent this from happening, maybe the best way is to ship flash player with mac os x.

[nwcs]

Quote:

Originally Posted by KnightWRX

OpenDNS does not prevent this at all and OpenDNS has all sorts of other issues.

It's not a perfect cure but it helps more than it would hurt.

[unobtainium]

Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_5 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8L1 Safari/6533.18.5)

I get that this isn't a virus, but I'd also like to point out that the overwhelming majority of Windows-based malware also consists of trojans rather than actual viruses. In addition, I don't think the distinction means much to your average end user.

[KnightWRX]

Quote:

Originally Posted by nwcs

It's not a perfect cure but it helps more than it would hurt.

It doesn't help at all in this case. And it hijacks NXDOMAIN responses to serve up ads instead, which goes against the very spec of DNS.

No thank you.

[redbotsoftware]

Quote:

Originally Posted by Sjhonny

This has nothing to do with Flash.

...and nothing to do with Trojans, right?

[lostngone]

Quote:

Originally Posted by nwcs

Another reason to use OpenDNS as your DNS. Even if you get fooled by something this obvious there's at least a net to catch you before you fall.

What net?
OpenDNS does not follow RFCs for name resolution. They hijack and redirected failed name look-ups.

[UntamedNL]

A short question:
I am kinda new too Mac OSX so I wonder if i need to download that anti malware program Apple gives. Or does that come standard on OS X Lion? I can't find it in my programs.

Thanks!

[accessoriesguy]

Quote:

Originally Posted by devilstrider

Been out of the loop for 10 weeks and MacRumors is getting my up to speed fast. I love this site.

I'm amazed how their front page gets more than 1 new rummor/news post about Apple every day

[KnightWRX]

Quote:

Originally Posted by redbotsoftware

...and nothing to do with Trojans, right?

It is a trojan but is really does have nothing to do with Flash. This could be posing as an update to Safari, Mail.app, iPhone or anything else basically.

Quote:

Originally Posted by lostngone

What net?
OpenDNS does not follow RFCs for name resolution. They hijack and redirected failed name look-ups.

They also provide some anti-phishing and typo correction, which basically means if you really wanted to go to that phishing site or to gogle.com, you can't.

And again : It doesn't help at all in this case. Once the host file is modified, unless you changed your nsswitch.conf to make dns take priority over the host file, the system resolver will honor the entry in the host file.

[archurban]

Quote:

Originally Posted by Sjhonny

Is this a sign?

Or just coincidence that in less then half a year two trojans show up in mac land.

yes, it's beginning. mac is not ruled out from malware, virus anymore. it means that mac os X could be vulnerable (even worst than windows 7). in terms of system protection, mac os x is very weak. you should remember it.

[accessoriesguy]

Quote:

Originally Posted by UntamedNL

A short question:
I am kinda new too Mac OSX so I wonder if i need to download that anti malware program Apple gives. Or does that come standard on OS X Lion? I can't find it in my programs.

Thanks!

it comes standard built in. My advice to any mac owner, is just keep up with the updates. It lets you know of any once every week automatically i believe

[Sjhonny]

Quote:

Originally Posted by KnightWRX

Trojans have been around for much longer than that on OS X, this is a sign of status quo is anything. It just gets reported more than it used to.

Well that's what I mean. I know they have existed for like forever, but I think we can agree on the fact that there hundreds, maybe even thousands trojans available in the wild, but they just pass the review unnoticed. But since there tend to afloat more (they even get posted on MR!), wouldn't this also imply there are more unnoticed samples?

somewhat offtopic: Does anyone know of a Rootkit for OS X (obsolete or not)?

[Oletros]

Quote:

Originally Posted by Xian Zhu Xuande

Any platform (outside one which is completely controlled like iOS) is susceptible to trojans, which depends on a user to fall for a trick and take necessary actions.

Even iOS has had trojan/spyware

[Sjhonny]

Quote:

Originally Posted by redbotsoftware

...and nothing to do with Trojans, right?

It's a Trojan that appears to be a Flash update. Besides some images and some text they have nothing in common. If I paint my Opel red and draw a stallion on front, do I have a Ferrari?

[JAT]

Quote:

Originally Posted by BC2009

Funny.... I updated Flash yesterday on my kids' Mac mini and I thought that writing a Trojan that masquerades as an update to Flash would be brilliant since Flash is updated so often and getting prompted that you need to update Flash to view a website is very common..... And then today, here it is.

Hmm, what are you thinking about today?

[Xian Zhu Xuande]

Quote:

Originally Posted by Sjhonny

Ever heard of the site jealbreakme.com? There's no single man made OS (with extensive GUI elements and under the hood frameworks etc.) currently Trojan free.

Jailbreakme.com uses an actual exploit in the operating system. I was speaking generally about a basic trojan—one which tricks the user into installing it only to become something unexpected. Through the App Store the only way this can happen is if Apple actually allows it to slip through inspection. To hype that slim possibility as statistically significant would be hyperbolic. Actually, it is a little hyperbolic to use jailbreakme.com as an example of there being a real trojan threat on iOS, whether combining an exploit or otherwise.

Quote:

Originally Posted by Oletros

Even iOS has had trojan/spyware

If you jailbreak it, some. If you don't jailbreak it, what? Spyware, perhaps, in the form of applications extracting information which isn't clearly announced to the user, but not on par with what many people expect when they hear the word 'Spyware' these days.

[inkswamp]

Quote:

Originally Posted by longofest

A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benvolent use case for such an action, and that very related to what they did here: some anti-ad or anti-spyware utilities modify a host file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the host file should be given a warning like this:

The hosts file is not the only file in OS X that can be altered to yield malicious results. Apple would have to undertake an enormous amount of effort to protect every file that a given instance of malware can tamper with.

The problem, to me, seems to be traditional installers that do all kinds of things behind the user's back. I don't understand why Apple even supports installers anymore. Apple created a brilliant method of software installation with app bundles. Just drag and drop the app to your Applications folders and it's done. I'd always assumed that's where OS X was headed eventually and that installers were on their way out.

[JAT]

Quote:

Originally Posted by KnightWRX

It is a trojan but is really does have nothing to do with Flash. This could be posing as an update to Safari, Mail.app, iPhone or anything else basically.

Quote:

Originally Posted by Sjhonny

It's a Trojan that appears to be a Flash update.

I take it you guys are from out of town, and not familiar with USC?

[coolfactor]

Quote:

Originally Posted by Macintox

menu go to folder ..type this: /etc/
then open - hosts
the inside should look like this if it has not been modified
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

Question is does Xprotect have the capability to undo damage done by this malware? Can it repair the hosts file?

[Xian Zhu Xuande]

Quote:

Originally Posted by KnightWRX

OpenDNS does not prevent this at all and OpenDNS has all sorts of other issues.

Yep. Every time I've tried to use it I've come across some kind of crazy problem or another, usually involving accessing certain types of content on the internet. I don't have much love for OpenDNS.

[coolfactor]

Quote:

Originally Posted by inkswamp

The hosts file is not the only file in OS X that can be altered to yield malicious results. Apple would have to undertake an enormous amount of effort to protect every file that a given instance of malware can tamper with.

The problem, to me, seems to be traditional installers that do all kinds of things behind the user's back. I don't understand why Apple even supports installers anymore. Apple created a brilliant method of software installation with app bundles. Just drag and drop the app to your Applications folders and it's done. I'd always assumed that's where OS X was headed eventually and that installers were on their way out.

I agree. The App Store nulls the drag-and-drop installation that we've come to love, and I think many third-party developers have abused multi-step installers, maybe in an attempt to make the software installation process familiar to Windows converts.

Long live application bundles. There's no reason that an application can't install the necessary support files upon the first launch. That would make it self-repairing if those files were ever removed afterwards. No need for a separate installer.

[BC2009]

Quote:

Originally Posted by JAT

Hmm, what are you thinking about today?

Today I am thinking it would be brilliant if Apple gave away free MacBook Airs with the purchase of an iPhone charging adapter. Let's see if I really focus on that if it comes true tomorrow.

[JAT]

Quote:

Originally Posted by BC2009

Today I am thinking it would be great if brilliant if Apple gave away free MacBook Airs with the purchase of an iPhone charging adapter. Let's see if I really focus on that if it comes true tomorrow.

I'll be honest. I could use another iPhone charging adapter.

[KnightWRX]

Quote:

Originally Posted by coolfactor

Question is does Xprotect have the capability to undo damage done by this malware? Can it repair the hosts file?

It's just a text file. Open it with your favorite text editor and delete the unwanted entries.

[Detlev]

Quote:

Originally Posted by MacRumors

Search results on the fake Google pages actually lead to pop-up windows that load external content which was broken at the time of discovery

The detail in which these developers are going to mimic real software is simply striking.