How do I tell if the flash player update is legit?

So I just saw a Flash Player pop up today asking me to update my flash player...how can I tell if it's legit or if it's the trojan??????
 
I never get flash player pop-ups to update... weird.

Is Lion as affected by this as SL? If Lion has more security than SL, how does that play into real world use? Let's use this trojan as an example...
 
Actually, that's not for your benefit, but for the benefit of the thousands of readers who still think any malware is a virus and don't understand the implications of the difference. Remember, this forum is read by more than long-time members.

I'm saying repeating it over and over again is more annoying than helpful and this is due to the non-interest of the parties involved who make the mistake while the rest of us have to keep wading through endless repetition of what basically boils down to semantics for a lay person. Thus, I'm not sure what 'implications' you are speaking of. To the layman (more often Mac users as anyone, IMO) it simply doesn't matter whether a piece of malware is a 'virus' or a 'trojan' or something else. The technicality and/or labeling of it and how it operates doesn't make it any less dangerous to someone who opens it. This is why people confuse the terms. They don't CARE enough about the details to learn them. Driving it into their heads with a nail gun won't help.

There are many reasons. Chief among them is, why update unless you need to? Neither SL nor Lion offer anything that I need or want, so why change for the sake of changing?

As long as the software you want to run is available, that's fine. A lot of things are already Snow Leopard or newer only (and in the case of my old PowerMac, Intel only as well).
 
I'm saying repeating it over and over again is more annoying than helpful and this is due to the non-interest of the parties involved who make the mistake while the rest of us have to keep wading through endless repetition
That's pretty much the nature of the forum. Those who have been around a while see the same questions and answers repeated over and over, for the new ones joining who don't search the forums before asking questions.
I'm not sure what 'implications' you are speaking of. To the layman (more often Mac users as anyone, IMO) it simply doesn't matter whether a piece of malware is a 'virus' or a 'trojan' or something else.
It matters a lot whether something is a virus or a trojan. You need antivirus software to protect against a virus. You don't need AV to protect against a trojan.
The technicality and/or labeling of it and how it operates doesn't make it any less dangerous to someone who opens it.
It's not a technicality or semantics. The user doesn't have to "open it" to have their system infected with a virus. A virus can infect without the user's knowledge or permission, which is why you need antivirus software as a defense. A trojan, by contrast, cannot do anything to harm your system unless the user takes deliberate action to install it and launch it. That's a very meaningful difference to any user who cares about keeping their Mac malware free.
 
Apple and their followers love to brag "it just works". It's so far superior to Windows & so simple to use. Then in the next breath the user is supposed to be technically savvy enough to know the difference between malware, virus, worms, trojans, etc. Talk about sending them mixed messages. Moving forward now we have a new OS in Lion that includes certain features resembling iOS, further leading the unsuspecting beginner into a false sense of simplicity.

I'd much rather see Apple keep the mobile OS & desktop OS separate as before, and make it known like anything else of a technical nature, the owner has an obligation to take personal responsibility to learn what's required to use and maintain the system.
 
Software Update won't include updates for non-Apple apps. If you get the update notice from already installed software, that should be safe. If, however, you visit a website, like I did this morning, that says you need an updated version of Flash player, don't install it there. Instead, go to Adobe's site directly and download and install the player.

To download Flash player: http://get.adobe.com/flashplayer/
To find your currently installed version: http://www.adobe.com/software/flash/about/

Excellent advice to stay safe.
 
A virus can infect without the user's knowledge or permission, which is why you need antivirus software as a defense. A trojan, by contrast, cannot do anything to harm your system unless the user takes deliberate action to install it and launch it. That's a very meaningful difference to any user who cares about keeping their Mac malware free.

Perhaps you should search for the term "drive-by malware" - that describes malware that exploits a browser, application or system vulnerability and installs without the user's authorization.
 
Perhaps you should search for the term "drive-by malware" - that describes malware that exploits a browser, application or system vulnerability and installs without the user's authorization.
Name one such malware example that can possibly affect Mac OS X. Besides, I think you're referring to drive-by downloads, such as the MacDefender, but they do not install without the user's permission. There has never been any malware in the wild that installs on Mac OS X without the user's active participation.
 
There has never been any malware in the wild that installs on Mac OS X without the user's active participation.

Perhaps not yet.

I did point out a hole in your description of "virus" vs. "trojan" - admit that, rather than argue about whether such an exploit has been shown to exist for Apple OSX. (Wikipedia considers a "drive-by" to be a "worm".)
 
Drive-by-downloads are only used in mass automated malware.

Drive-by-downloads by themselves only install a payload with user-level access without user intervention.

Mass automated malware requires a reliable vector to gather sensitive data on a large scale from many targets to be available to make the malware profitable.

No true drive-by-downloads have appeared in the wild for OS X because there are no reliable vectors to gather sensitive data on a large scale from many targets to make the malware profitable with only user-level access in Mac OS X.

Historically, Windows provides many more vectors for this type of malware to gather sensitive data with only user-level access or because DAC is easily bypassed to gain system-level access.

See the following link for more details:

https://forums.macrumors.com/posts/13013889/
 
Drive-by-downloads ....(yada, yada, yada)

Again, the argument isn't whether drive-by malware is known to exist for Apple OSX.

It's whether there was a hole in the earlier poster's description of what is a virus and what is a trojan - and the need for user intervention. The drive-by is clearly in-between her overly-simple explanation of "virus" and "trojan".

It would be more useful for everyone, Munkery, if you would help explain "virus", "trojan", "worm", "drive-by" and other terms for everyone - rather than defending Apple OSX from a charge that was never made.
 
Perhaps you should search for the term "drive-by malware" - that describes malware that exploits a browser, application or system vulnerability and installs without the user's authorization.

There has never been any malware in the wild that installs on Mac OS X without the user's active participation.

Perhaps not yet.

I was responding to the string of content shown above.

BTW, drive-by-download is a delivery method used to initiate the spread of malware by using a malicious website as a host.

The following are drive-by-download scenarios:

If it infects without authentication and self propagates from infected targets by infecting items that will be transported to new targets by the user, then it is a virus.

If it infects without authentication and self propagates from infected targets by infecting other systems on the network via exploiting vulnerable exposed services, then it is a worm.

If it infects without authentication and does not self propagate from infected targets, then it is a trojan. This is what is typically referred to as a drive-by-download.

If it does not infect without authentication and does not self propagate from infected targets, then it is a trojan.

If it does not infect without authentication and self propagates from infected targets via any method, then it is a trojan.

Most malware fits into the category of trojan.
 
...but Flash isn't an "application"... it's a plug-in. I'm personally glad there's an installer to put it in the right location rather than just a plugin file on a .dmg that says "drag me to ~/Library/Internet blah blah blah/" and then restart your browsers"

And then... what about kernel extensions? Drivers? Sorry, but there are plenty of things that need installers.

Interesting thing is Apple do make an Installer program themselves called Installer.app

It will install whatever you wish in any place you wish with whatever permissions you like. And yes third party non Apple software can use it. I've seen a few things using it including Applejack which gets installed to /private/var/root

I wish more software on the Mac would use Installer.app as it means

(a) There's a standardized way of going in and figuring what's getting installed and where.
(b) It writes an install receipt into the Receipts database which means
Repair Permissions can use this to repair the permissions on the files that piece of software installs.
(c) Commandline install is possible bringing the possibility of script based installs for many different computers at once
(d) Other fringe benefits from knowing exactly what's been installed and where, like for example being able to uninstall things easily.

Disclaimer : Yes I know there are probably fast solutions of doing (c) already. Also uninstaller for (d) may not exist but the possibility is still there.

----------

/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

I think you missed a part of the path there friend :
Code:
04:32:46-honem/$ ls /Library/CoreServices/CoreTypes.bundle/Contents/Resources/XP*

ls: /Library/CoreServices/CoreTypes.bundle/Contents/Resources/XP*: No such file or directory

04:32:54-honem/$ ls /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XP*

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
 
Installer is typically only used for software that requires password authentication to install due to modifying the system-level during installation.

App bundles are self contained so no need to install them using installer.
 
Perhaps not yet.

I did point out a hole in your description of "virus" vs. "trojan" - admit that, rather than argue about whether such an exploit has been shown to exist for Apple OSX. (Wikipedia considers a "drive-by" to be a "worm".)
Wikipedia, while a great source of information, is not always accurate and therefore is not an authoritative source, as it can be edited by anyone in the general public. A drive-by is not a worm.
It's whether there was a hole in the earlier poster's description of what is a virus and what is a trojan - and the need for user intervention. The drive-by is clearly in-between his overly-simple explanation of "virus" and "trojan".
Fixed that for you. There is no "hole" in the description. The description is accurate.
It would be more useful for everyone, Munkery, if you would help explain "virus", "trojan", "worm", "drive-by" and other terms for everyone - rather than defending Apple OSX from a charge that was never made.
Those terms have already been explained in the Mac Virus/Malware Info link already posted in this thread and many others. The definitions didn't come from me or Wikipedia, but from Symantec.
I think you missed a part of the path there friend
You're absolutely correct. When I copied the path, I missed the first part, which wasn't showing on the screen. The correct path is:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
 
That's pretty much the nature of the forum. Those who have been around a while see the same questions and answers repeated over and over, for the new ones joining who don't search the forums before asking questions.

Dude, I said the same THREAD. The first two pages are littered with it. People are bringing it up before someone even says the wrong thing. It's ridiculous. This thread is about a specific Apple program, not the ignorance of people of the terms virus, trojan, etc. from general malware. It's basically hijacking the thread from the start.

It matters a lot whether something is a virus or a trojan. You need antivirus software to protect against a virus. You don't need AV to protect against a trojan.

What antivirus software??? This is a Mac forum.

Besides, most "antivirus" software (for Windows since almost all of it is for that platform or looking for malware designed against that platform) ALSO protects against trojans, key loggers, data miners and other forms of malware. The days of pure virus protection software ended a decade ago. Your point is once again pretty much moot. The average Windows user just needs to know to get something like AVG. It does the rest.

It's not a technicality or semantics. The user doesn't have to "open it" to have their system infected with a virus. A virus can infect without the user's knowledge or permission, which is why you need antivirus software as a defense. A trojan, by contrast, cannot do anything to harm your system

Dude, I know what a virus is. You're now beating a dead horse (that was dragged into the thread from previous threads) which takes me back to the point at the top of the page. Trojans can be more dangerous than a virus because IF they fool you into thinking it's the real program (or worse yet, it is the real program, but tampered with to include/install a key logger or some other nasty with it), they now have direct access to everything on your machine, not just some odd little quirk like filling dead space with useless junk on the hard drive that could be reversed, but more often than not, identity theft of some kind is the goal (because that's where the MONEY is whereas hackers in the past just got their kicks from wreaking general havoc).

In days gone by, you could get a given piece of software (often shareware, freeware, etc.) at any number of distribution sites. Nowadays, you better find the source site and avoid other places because you can never know for sure when something has been tampered with (although that's where programs like AVG for Windows come in handy as they can often spot it unless it's brand new).
 
The average Windows user just needs to know to get something like AVG. It does the rest.

Antivirus software does not have 100% detection rates.

Antivirus software is easily bypassed.

http://funoverip.net/2011/04/100pc-...th-metasploit-browser-exploits-from-ms11-003/

Users should rely on knowledge about safe computing practices for protection and only rely on AV software as a backup to hopefully mitigate any errors that are made in relation to following safe computing practices.
 
The average Windows user just needs to know to get something like AVG.
AVG IS antivirus software. The point is, you can't protect against a virus simply by exercising reasonably safe computing practices. They can infect your system even if you're not being careless. You need software to defend against a virus. Whether you call that software anti-virus, anti-malware, security software or baked beans is completely irrelevant to the point, which is that you need software to protect against a virus. By contrast, you do NOT need software to protect against a trojan, which requires user action to work, and can be successfully avoided by prudent user action alone.
Trojans can be more dangerous than a virus
That depends on the particular trojan or virus, but the danger level is also irrelevant to this discussion. You challenged whether the definition of a virus vs trojan is important to the average user. The fact remains that there is a fundamental difference between those two forms of malware that makes the distinction completely relevant and important to a user, in terms of action required for defense.
 
A drive-by-download injected into an ad on a legit website that installs a payload only in userspace (so that it doesn't require user interaction to install but also does not self propagate and, therefore, is only a trojan) can't be avoided by prudent action alone.
 
A drive-by-download injected into an ad on a legit website that installs a payload only in userspace (so that it doesn't require user interaction to install but also does not self propagate and, therefore, is only a trojan) can't be avoided by prudent action alone.
The point is, it can't install itself. Simply downloading a file doesn't infect a system, as in the case of MacDefender. It did a drive-by download, and could even launch the installer if Safari settings permitted it, but it could not install itself or affect the system in any way except taking up space, unless the user actively completed the installation. Please give one example of a drive-by download that actually installs itself on Mac OS X.
 
The point is, it can't install itself. Simply downloading a file doesn't infect a system, as in the case of MacDefender. It did a drive-by download, and could even launch the installer if Safari settings permitted it, but it could not install itself or affect the system in any way except taking up space, unless the user actively completed the installation. Please give one example of a drive-by download that actually installs itself on Mac OS X.

Yes, some drive-by-downloads can install by themselves without user interaction and still only be a trojan.

Drive-by-downloads that corrupt a process in memory to spawn a shell and install a payload are completely invisible to the user.

The conversation was not specific to OS X given that posts were referring to AVG and, therefore, included other OS platforms.

But, this could occur in OS X. One of my previous posts explains why this is not happening in the wild against OS X.

Drive-by-downloads are only used in mass automated malware.

Drive-by-downloads by themselves only install a payload with user-level access without user intervention.

Mass automated malware requires a reliable vector to gather sensitive data on a large scale from many targets to be available to make the malware profitable.

No true drive-by-downloads have appeared in the wild for OS X because there are no reliable vectors to gather sensitive data on a large scale from many targets to make the malware profitable with only user-level access in Mac OS X.

Historically, Windows provides many more vectors for this type of malware to gather sensitive data with only user-level access or because DAC is easily bypassed to gain system-level access.
 
Yes, some drive-by-downloads can install by themselves without user intervention and still only be a trojan.

But, this could occur in OS X.
While this could possibly occur in OS X, so could the release of a virus. However, neither has ever occurred for Mac OS X, so for the purposes of my comments regarding virus vs trojan protection for Mac OS X users, the facts are still the same. As you well know, I greatly appreciate the discussion of possibilities and theories and especially value your contribution of technical malware and security information. In this case, my statements are for any readers who come here looking for a simple answer as to what to do to protect themselves from malware.

No malware exists in the wild that a Mac OS X user can't completely avoid by being careful what they install. No Mac OS X malware exists that can install itself, without the user actively participating in the installation.
 
My host file looks *********. Is this normal? I have what that one guy said I should have but what about the rest? I updated flash this morning. It popped up and I was like ok and just entered my password and updated it. Did I just install the trojan?

should I delete everything except for what that one guy posted?


##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

# Block Adobe Activation
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 hl2rcv.adobe.com

# Block Adobe Activation
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
127.0.0.1 hl2rcv.adobe.com

# Block Adobe Activation
127.0.0.1 activate.adobe.com
 
My host file looks *********. Is this normal? I have what that one guy said I should have but what about the rest? I updated flash this morning. It popped up and I was like ok and just entered my password and updated it. Did I just install the trojan?

Okay, mini hosts file tutorial before running out the door. Go!

In this file "#" = a comment

And the format is "address - domain name". A domain name is the word form of a site's IP address on the internet eg "adobe.com"

Domain names are resolved in DNS from the right hand side -> left hand side, with anything to the left of the main domain name being the sub domain. When you register a domain name you get to assign sub domains without having to re-register another domain name. So an address "frogsarecool.adobe.com" is still registered to whoever registered "adobe.com" and is probably assigned by them as well.

Now 127.0.0.1 is a special address called the loopback address. Anything mapped to this goes to /dev/null or the ether ie no where.

Ok now look at your .hosts file.

All it means is it's mapping a lot of adobe sub-domains to 127.0.0.1. Any traffic going to those addresses isn't going to go anywhere. From the comment (remember the "#" from above?) it looks like it's blocking Adobe Activation.

Do you have anything on your computer that's designed to block programs from "phoning home" to activate? Pirated software perhaps?
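As an added illustration of the mini tutorial above (example code, not posted by anyone in the thread), this Python checker applies those rules to a hosts file: it skips "#" comments, reads each line as address followed by names, groups names sent to the loopback address by their right-hand (registered) domain, flags names pointed at some other address, and counts duplicated lines. The sample hosts text is constructed for the example; the 203.0.113.5 address is a documentation-range placeholder.

```python
"""Audit an /etc/hosts-style file the way the tutorial above reads it."""
import sys
from collections import Counter, defaultdict

# Addresses that act as a black hole for any name mapped to them.
LOOPBACK = {"127.0.0.1", "::1", "fe80::1%lo0"}
# The stock "# Host Database" block that a default macOS hosts file carries.
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
    ("::1", "localhost"),
    ("fe80::1%lo0", "localhost"),
}

# Constructed sample: default block, an activation-blocking section pasted
# twice, and one name redirected to a non-loopback (placeholder) address.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

# Block Adobe Activation
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com

# Block Adobe Activation
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
203.0.113.5 get.adobe.com   # a redirect, not a black hole
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; '#' starts a comment, names are lowercased."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def registered_domain(hostname):
    """Read the name right-to-left: the last two labels, e.g. 'adobe.com'."""
    return ".".join(hostname.split(".")[-2:])


def audit_hosts(text):
    """Summarise which names are black-holed, redirected, duplicated, or missing."""
    entries = parse_hosts(text)
    counts = Counter(entries)
    blackholed, redirected = defaultdict(set), {}
    for addr, name in entries:
        if (addr, name) in DEFAULT_ENTRIES:
            continue
        if addr in LOOPBACK:
            blackholed[registered_domain(name)].add(name)
        else:
            redirected[name] = addr
    return {
        "blackholed": {d: sorted(n) for d, n in blackholed.items()},
        "redirected": redirected,
        "duplicates": {e: c for e, c in counts.items() if c > 1},
        "missing_defaults": DEFAULT_ENTRIES - set(entries),
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_HOSTS
    for key, value in audit_hosts(text).items():
        print(f"{key}: {value}")
```

Run it with a path argument (for example your own /etc/hosts) to audit a real file; with no argument it audits the constructed sample.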
 