Flashback Trojan Returns With a Multi-Pronged Infection Strategy

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,082
10,431



Last year, we profiled a Mac trojan horse known as "Flashback" that was masquerading as a Flash Player installer. While Apple has taken steps to protect users from the threat using its File Quarantine system under which users' computers initiate daily checks for updated malware definitions, the malware's authors have continued to tweak the trojan to improve its ability to both infect systems and evade detection.

Security firm Intego has issued a report on a new variant of the trojan, known as Flashback.G, which adopts a multi-pronged strategy in attacking users' systems. The first two methods rely on vulnerabilities in Java, and while the vulnerabilities are patched in systems running up-to-date versions of Java, outdated systems can be silently infected through these security holes.




Flashback.G's self-signed certificate seeking to trick users into allowing installation
On up-to-date systems lacking the Java vulnerabilities, Flashback.G presents a self-signed certificate claiming to be from Apple in an attempt to fool users into allowing the trojan to be installed on their systems. Once installed, the trojan begins searching for user names and passwords it can relay to the malware's authors.
This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains - websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit - such as for a bank website - as well as others that may be reused on different sites.
Notably, Intego reports that the trojan aborts its own installation if it detects the presence of any of several antivirus applications on a user's Mac, presumably seeking to remain below the radar while focusing on vulnerable systems.

Intego recommends that users on Mac OS X Snow Leopard make sure that Java is fully up-to-date by running a check through Software Update, and for all users to be aware of the social engineering trick the trojan uses in attempting to gain permission for installation. The company of course also recommends that users equip their systems with antivirus software.

While malware has not been a tremendous threat to Mac users so far, its presence has been growing. Apple has stepped up its efforts to combat malware by enhancing its File Quarantine system to provide for the daily definition checks. OS X Mountain Lion will see another significant step with the introduction of Gatekeeper, a system by which users can limit installation of apps to sources such as the Mac App Store and developers who have registered with Apple as "identified developers".

Apple's Developer-ID program will utilize digital signatures on applications to link applications with a specific developer. If the developer is later discovered to be distributing malware or otherwise behaving improperly, installations of its existing apps can be deactivated by Gatekeeper. Gatekeeper does have its limitations, however, as it only scans applications downloaded through a handful of mechanisms such as browsers and can not detect applications that are modified by malware after their initial launch.

Article Link: Flashback Trojan Returns With a Multi-Pronged Infection Strategy
 

androiphone

macrumors 65816
Dec 13, 2009
1,000
1
and this is why the 2 most important parts of computing are:

1. keep your computer up-to-date

and

2. use a little common sense when something pops up (though I admit that is easier to more knowledgeable people like us than the wider 'mass' consumer)
 

MJL

macrumors 6502a
Jun 25, 2011
845
1
Apple computers do not get a virus. Yeah right. (as the Tui advertisment goes).
 

roadbloc

macrumors G3
Aug 24, 2009
8,784
213
UK
And to think people said that the fact that OS X lacked malware had nothing to do with it's marketshare.
 

Small White Car

macrumors G4
Aug 29, 2006
10,911
1,196
Washington DC
Apple computers do not get a virus. Yeah right. (as the Tui advertisment goes).
First off, no one in any position of authority has ever said Macs don't or can't get viruses.

Secondly, this is a trojan, so talking about viruses here is kind of beside the point.


And to think people said that the fact that OS X lacked malware had nothing to do with it's marketshare.
Their computer marketshare is far, far larger than their malware market share.

So yeah, I'm STILL saying that there are other factors at play. If that wasn't true you'd see malware market share matching sales market share. And that hasn't happened.
 

macomrade

macrumors newbie
Sep 14, 2005
12
0
Maryland, USA
Feel like the fact that this makes front-page news is a testament of OS X's resiliency to such threats. Could probably count on one hand the malware for X over it's 10 year tenure. And I don't really see this changing, even with the popularity of the Mac soaring. Robust, engineered software security will always win out.
 

jman240

macrumors 6502a
May 26, 2009
736
81
So for those of us who got their parents Macs..

Anyone recommend a good A/V program while we wait for ML to come out?
 

karohan

macrumors 6502
Jun 25, 2010
396
0
Whatever, still malware.
It sounds pedantic, but it is sort of an important distinction to make. Viruses can be spread without any user input, while trojans still require the user to at some point (albeit unknowingly) permit them.
 

grapes911

Moderator emeritus
Jul 28, 2003
6,994
3
Citizens Bank Park
And to think people said that the fact that OS X lacked malware had nothing to do with it's marketshare.
The argument has usually been applied to viruses. Trojans require user input and can effect anything. Yes, security holes are taken advantage of to make this Trojan look legit, but there is no defense for the most basic Trojan. If I wrote and app that said you'll be granted three wishes after you enter your password, but instead I use your password to delete all files on you computer, that is a Trojan. There is no defense for such things expect common sense.

Whatever, still malware.
It's a huge distinction.

So for those of us who got their parents Macs..

Anyone recommend a good A/V program while we wait for ML to come out?
The best AV program is to not download from or even visit shady sites.
 

Acerone

macrumors regular
Mar 3, 2009
142
23
and this is why the 2 most important parts of computing are:

1. keep your computer up-to-date

and

2. use a little common sense when something pops up (though I admit that is easier to more knowledgeable people like us than the wider 'mass' consumer)
You just reminded me to check for an update and sure enough my 2011 MBA had one...
 

uknowimright

macrumors 6502a
Dec 30, 2011
810
412
They're right.

What do we get? Two per year?

And these aren't even viruses.
not as many as Windows but not as little as you would like to think Mr. LTD

Security firm F-Secure has spotted 58 separate threats targeting OS X in the past nine months.

F-Secure has published a report looking at Mac threats between April and December 2011 which showed June and October as being particularly busy months for Mac malware while only one threat was spotted in August.

Of the 58 threats spotted in total, 15 were classified as "backdoor" threats, seven were Trojans, 29 were Trojan downloaders and the other seven were classified simply as "rogue."
http://www.pcworld.com/article/248459/mac_malware_threats_increase.html
 

Nielsenius

macrumors 6502a
Apr 16, 2011
565
0
Virginia
Is this a virus created for the purpose of allowing a hacker to access a user's computer or is it simply a destructive troll virus?
 

Sweetcheetah

macrumors member
Jun 28, 2007
49
17
Bellingham, WA
It's like, GET A LIFE $*%$#ING MALWARE PEOPLE!!! Both PC and MAC. I feel sorry for those consumers both PC and Mac that have to deal with those and have to suffer the consequences. I guess this is what life is about... part of it anyway because we live in an unsafe world. Well, just be thankful for those of us who are more aware of the situation and can handle it. I sure am thankful for these kinds of websites... which this forum is my favorite. Thanks MacRUMORS, just wish that Malware and virus was JUST that, benign rumors.
 

CylonGlitch

macrumors 68030
Jul 7, 2009
2,932
129
SoCal
You just reminded me to check for an update and sure enough my 2011 MBA had one...
Crap, I just did a "Check for Update" and it asked for the Administrator user name and password. Should I be worried?
:cool:

LOL.. Yeah, guess I should check for an update... but wasn't it just announced there was one yesterday? Something about the EFI bios?

Well, what do you know, one "Security" update. Installing it now. :D
 

CorporateFelon

macrumors regular
Oct 26, 2007
177
0
Boston, MA
The argument has usually been applied to viruses. Trojans require user input and can effect anything. Yes, security holes are taken advantage of to make this Trojan look legit, but there is no defense for the most basic Trojan. If I wrote and app that said you'll be granted three wishes after you enter your password, but instead I use your password to delete all files on you computer, that is a Trojan. There is no defense for such things expect common sense.


It's a huge distinction.
Unfortunately on older systems the users do not get the popup about the security certificate. It installs itself automatically.

From the actual blog posted as referenced in the article.
The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention.
 

jman240

macrumors 6502a
May 26, 2009
736
81
The best AV program is to not download from or even visit shady sites.
Yeah if you can train my parents to do that be my guest. I don't live with them, they use a Mac.

Anyway, I found ClamXAV and Sophos. Anyone have experience with these?
 

mendosa05

macrumors newbie
Feb 24, 2012
2
0
Would there be any way of checking an infection? My wife thinks she may have clicked something similar yesterday night but was related to Yahoo mail certificate?

Many thanks.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.