It won't really affect the current Macs IMO. If someone wanted to do harm to the OS then they would have by now. There are a lot of smart people out there who could program a Trojan which did a lot more than just this.
It's a typical botnet from the looks of things; it listens for commands from a remote server. Only the creator knows what those commands would be. Trojans like this are normally the actual infector. The payload is typically delivered via separate programs that these trojans in turn are triggered to download. That payload could easily be something that steals & encrypts your personal files, demanding a ransom for its return.

Of course it could be programmed to cause a lot of damage on its own - but malware writers have not really been interested in that for a good decade now. The most important thing is to deliver an infector, and only after that actually devise a payload. It gives far more flexibility, and greatly reduces detection rates.
 
If you downloaded from Adobe Updater or from Adobe.com I'm sure you're safe... if you downloaded from some pr0n site or crappy page maybe you're in trouble... :p

I was just on Yahoo checking the news this morning and an update popped up that said I needed to upgrade :confused:

It looked completely like any other Flash upgrade that I've installed previously.
I'm really worried now.
 
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

I second these questions. I know I've seen this prompt multiple times recently, though I didn't even realize it was the virus/trojan at the time. I'm pretty sure I hit cancel every time I've seen it, but maybe one time I didn't?
 
CRAP!! I downloaded a Flash update today on my MacBook!

What should I do? Help!! I'm not joking.

If you downloaded the real Flash update, then you have absolutely nothing to worry about. This is only if you visit a really shady website that tells you to update Flash and instead of actually going to the real Flash's website you download and install the "Flash" version from said shady website. If you did that, then you might have a problem.
 
I second these questions. I know I've seen this prompt multiple times recently, though I didn't even realize it was the virus/trojan at the time. I'm pretty sure I hit cancel every time I've seen it, but maybe one time I didn't?

Not all such prompts are fakes, just make sure you go to the Flash website to install your updates or that you have the latest version.
 
If anything it's a sign that the Mac platform is becoming large enough to warrant people writing viruses for it.

So there's that....
 
Not all such prompts are fakes, just make sure you go to the Flash website to install your updates or that you have the latest version.
I realize this, but how can people double-check since it's now in the past that this did or did not happen? I have Time Machine active, but that's not very helpful if I don't know how far I need to go back because I don't know how to identify the infection.
 
I was just on Yahoo checking the news this morning and an update popped up that said I needed to upgrade :confused:

It looked completely like any other Flash upgrade that I've installed previously.
I'm really worried now.

Yahoo is almost certainly fine. I wouldn't get too worried about it.
 
I'm actually with ya on that. I feel so bad when anyone on any platform has to deal with this crap. Lock as many up as possible and throw em in camps. Put em on a PPV where they are tortured like in Hostel, they'll learn sooner or later.

Not actually serious about torture and stuff to be clear.

Nah, they should probably beat each other to within an inch of their lives with their bare hands. I'd pay $44.95 to see that.
 
answering my own question

If I take a look at my com.apple.xprotectupdater.plist, and it hasn't been blanked out, as the F-Secure writeup says the Trojan does, then I'm assuming that things are okay.

(Damn you, crafty Ulysses, and your wily schemes.)
 
Wow. This reminds me of what would happen if LA suddenly got hit with a blizzard. Everyone would be scurrying around looking for a jacket and shovel. ;)

Seriously though, while I carry an iPhone, I am a PC in real life. It is with heavy heart that I welcome you to our world. It sucks.

Again not being familiar with Macs and OSX, I would always suggest to anyone with any kind of malware to reformat. That's what I do. It's a pain in the ass, but it's infinitely better than spending three days on an AV forum having them instruct you to download 14 different programs that perform 100 different scans and then post the logs to eventually tell you you're "clean". Peace of mind is worth a lost weekend, in my opinion.
 
I realize this, but how can people double-check since it's now in the past that this did or did not happen? I have Time Machine active, but that's not very helpful if I don't know how far I need to go back because I don't know how to identify the infection.

If you've kept your security updates up-to-date you should be fine. Previously Apple's security updates I think have been pretty good about getting rid of this thing. This is a brand new one that stops your computer from getting updates. As tubular noted, if you're infected by the brand new one (very unlikely) your com.apple.xprotectupdater.plist will be blanked out.
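
The check discussed in the posts above (whether com.apple.xprotectupdater.plist has been blanked out), as an added example that is not part of any forum post. The thread does not give the file's location, so the path is passed as an argument; the function names and the sample plist are constructed for illustration, and the code assumes the file is a launchd job definition carrying a `Label` and a `Program` or `ProgramArguments` key.

```python
import plistlib
import sys
import tempfile
from pathlib import Path

# Constructed sample standing in for an untouched launchd job definition.
SAMPLE_INTACT = plistlib.dumps({
    "Label": "com.example.constructed-updater",  # placeholder, not Apple's value
    "ProgramArguments": ["/usr/bin/true"],
})

def classify_plist(path):
    """Return 'missing', 'blank', 'unparseable', 'incomplete' or 'intact'."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    data = p.read_bytes()
    # Zero-length, whitespace-only and NUL-filled files all count as blanked out.
    if not data.strip(b" \t\r\n\x00"):
        return "blank"
    try:
        job = plistlib.loads(data)  # handles both XML and binary plists
    except Exception:               # any parse failure: damaged or overwritten
        return "unparseable"
    # Assumption: a launchd job needs a Label and something to run.
    if not isinstance(job, dict) or "Label" not in job:
        return "incomplete"
    if "ProgramArguments" not in job and "Program" not in job:
        return "incomplete"
    return "intact"

def demo():
    """Run the check over constructed files and return the verdicts."""
    cases = {
        "intact": SAMPLE_INTACT,
        "blank": b"",
        "whitespace": b"\n  \n",
        "garbage": b"not a plist",
        "label_only": plistlib.dumps({"Label": "com.example.constructed"}),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in cases.items():
            f = Path(d) / f"{name}.plist"
            f.write_bytes(content)
            results[name] = classify_plist(f)
        results["absent"] = classify_plist(Path(d) / "absent.plist")
    return results

if __name__ == "__main__":
    print(classify_plist(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A verdict of `intact` only rules out this one indicator; it does not show that the machine is clean.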
 
Wow. This reminds me of what would happen if LA suddenly got hit with a blizzard. Everyone would be scurrying around looking for a jacket and shovel. ;)

Seriously though, while I carry an iPhone, I am a PC in real life. It is with heavy heart that I welcome you to our world. It sucks.

Macs are nowhere near the PC world when it comes to malware. PCs have viruses, Macs do not. This won't even be a problem to an educated user.
 
If you downloaded the real Flash update, then you have absolutely nothing to worry about. This is only if you visit a really shady website that tells you to update Flash and instead of actually going to the real Flash's website you download and install the "Flash" version from said shady website. If you did that, then you might have a problem.

That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.
 
If anything it's a sign that the Mac platform is becoming large enough to warrant people writing viruses for it.

So there's that....

Only PowerPC Macs are IMMUNE.. It's when Apple opened to INTEL is now why we are getting viruses and malware.

Both of these posts are laughably uninformed.

The Mac's resistance to viruses has nothing to do with market share, nor did it have to do with the PowerPC architecture.

There still has never been a virus reported on OS X. Not likely to change any time soon. And that would be the case if Apple had 99% of the PC market.
 
Mac OS X's built-in UNIX permissions prevent a virus from going further than your home folder, unless you give it your password and you have sudo (aka an Administrator).

Unless of course they found an exploit in the Unix permission system, then the world is screwed.

This is a Trojan, the installer actually has to ask for your password since the XProtect file is owned by root, so you yourself don't have access to it, and neither does the program since it's run by you, unless you give it your password and you're an administrator.

This is why an educated user will never need an antivirus on OS X/Linux/BSD etc., because the antivirus couldn't do more than what you can do.
 