Well, I received a Flash updater popup yesterday, and installed it. It was legitimate. Adobe released a new update, which is what I received.

I checked for the suspect entries in the info.plist, and they're not there. The XProtectUpdater is intact, and dated 10/12, when I updated to 10.7.2.
 

Although *NIX OSs certainly have fewer known exploits

Windows has what, 1,000s that still haven't been patched.
 



If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

And a bunch of us normal mac users as well, including me..
 
I apologize if this seems overly specious, but what does "wipe out" mean? Delete? Replace with an empty text file?

The disassembly notes say that it overwrites your plist file with blanks. So yes, what you posted is what you should see for a xprotectupdater.plist.
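As an added example (not code from the thread or from any of the posters), here is a small POSIX shell script that performs the check the two posts above describe: whether the XProtect updater's launchd plist is still intact or has been overwritten with blanks. The path is assumed to be the one Mac OS X 10.6/10.7 used for that job, and the "looks like a launchd plist" heuristic is the script's own assumption, not something the trojan write-ups specify.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a launchd plist such as
# the XProtect updater's has been blanked out.
# Assumed path, as it existed on Mac OS X 10.6/10.7; adjust if yours differs.
XPROTECT_UPDATER_PLIST="/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"

# plist_status FILE
# Prints one word describing the file and returns 0 only when it looks intact:
#   missing  - no such file
#   empty    - zero bytes
#   blank    - only whitespace or NUL bytes (what an overwrite "with blanks" leaves)
#   invalid  - has content but no <plist> root or no launchd Label key
#   ok       - looks like a real launchd job definition
plist_status() {
    f="$1"
    if [ ! -e "$f" ]; then echo missing; return 1; fi
    if [ ! -s "$f" ]; then echo empty; return 1; fi
    # Strip spaces, tabs, CR/LF and NULs; if nothing is left the file was blanked.
    nonblank=$(tr -d ' \t\r\n\000' < "$f" | wc -c | tr -d ' ')
    if [ "$nonblank" -eq 0 ]; then echo blank; return 1; fi
    # Heuristic (assumption): a usable launchd plist has a <plist> root and a Label key.
    if ! grep -q '<plist' "$f" || ! grep -q '<key>Label</key>' "$f"; then
        echo invalid; return 1
    fi
    echo ok
}

# owner_of FILE
# Prints the owning user. Launchd daemon plists under /System are root-owned,
# which is why overwriting one needs the admin password the thread talks about.
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# report FILE...  - one line per file: path, status, owner
report() {
    for f in "$@"; do
        printf '%s: %s (owner: %s)\n' "$f" "$(plist_status "$f")" "$(owner_of "$f")"
    done
}

# With no arguments, check the XProtect updater job; otherwise check the files given.
if [ $# -eq 0 ]; then set -- "$XPROTECT_UPDATER_PLIST"; fi
report "$@"
```

Run it with no arguments on a 10.7 machine and "ok (owner: root)" is what an untouched system should print; "blank" or "empty" matches what the disassembly notes describe. The status word is returned by a function so it can be checked by other scripts, and the owner is printed separately because a file that is no longer root-owned is suspicious even if its contents look fine.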
 



If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

Oh come on ... it's going to happen, but not only with OS X and iOS, but in general. The problem here is that you look at it as it is today and think it will be some half-assed 'something'. We are going that direction and it will happen.

----------

And a bunch of us normal mac users as well, including me..

Same goes for you as well.
 
It's been like that for ten years.

An additional ingredient missing in the original comment is that it also needs a worthwhile probability of working. And since all these types of attack only work on a very small percentage of the population, you need to have a very large population to make it worthwhile.

The Mac now has a very large population....
 
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
Adobe-flash-player-10.3.jpg


and do not use the standard system installer window like the trojan does:
flashback_c_installer.jpg
 
Here's a good article about not only what the REAL Flash updater looks like, but also what commands you can run to see if you are infected:

http://reviews.cnet.com/8301-13727_7-20119265-263/latest-adobe-flash-trojan-for-os-x-gets-revised/

Regardless of what the trojan program looks like....it's only a matter of time before they tweak these attacks to look exactly like the official installer. That's the problem. Flash is a pref pane now....and will automatically popup to tell you there is an update.

At this point....you just really can't trust that popup. You have no idea if that popup is from the official install, or somehow popped up from a webpage you are viewing.

The only real safe thing to do is, if you get the popup, official or not, close it. Go to: http://get.adobe.com/flashplayer/ and grab the latest version.

Of course if you are using Chrome, your version is updated automatically. You also can't visit the Get Flash Player page in Chrome, because it will see you are running Chrome, which has it built in. You'll have to use Safari or Firefox.

-Kevin
 
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
Image

and do not use the standard system installer window like the trojan does:
Image

Right now, that's correct. But it's only a matter of time before they tweak their attack to look like the official one.

-Kevin

----------

Yet another reason to hate Flash.

It's not about Flash. Like someone else said.....on a Mac they could prompt an update for Quicktime or iTunes or iPhoto....and a lot of unsuspecting users will be fooled.

-Kevin
 
A legitimate Flash "UPDATE" does not invoke the Installer app, it uses a simple notification box which you can cancel.
09_28_10_FlashUpdate1.jpg



It will prompt for an administrator password if you choose to run it.

The fake installer uses the Installer routine.
fake_flash_mac.jpg
 
SOOOOOO IS THIS IT?

I went back in my recent downloads, found the update that I installed (popped up like any normal update and looked exactly the same). This article had me worried so when I went back to my downloads folder and saw the update I clicked on it and this message popped up

[Attachment: Screen Shot.jpg]
 
Well I had the above notification and I moved it to the trash. What I'm wondering is why it did not infect anything? My computer is running fine, and how come it let me move it to the trash so simply? Did it never truly install?

The update popped up like any other update from Adobe, I did not type in my password and it did not invoke the installer app, it was just the simple notification box. Any opinions as to why I got this and why it did not harm my computer?
 
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
Image

and do not use the standard system installer window like the trojan does:
Image

Good point. And a lot of people will simply say: "Thank goodness, Adobe is finally using the standard system installer window" and not think anything of it.
 
Well I had the above notification and I moved it to the trash. What I'm wondering is why it did not infect anything? My computer is running fine, and how come it let me move it to the trash so simply? Did it never truly install?

The update popped up like any other update from Adobe, I did not type in my password and it did not invoke the installer app, it was just the simple notification box. Any opinions as to why I got this and why it did not harm my computer?

Was that as far as you got? Or did you click Open from that dialog box?

If that's as far as you got, that's Apple's scanner kicking in to tell you not to continue. If you moved it to the trash, then you should be fine.

If you opened it, and ran it....then you might be infected.

-Kevin
 
Notice, yet again, how this is somehow connected to Flash.

It doesn't have to be, but we keep seeing Flash's involvement. LOL
 
Doesn't anyone realise that Adobe doesn't use the Mac Installer program and instead uses their own half-assed Flex nonsense? :)
 
Was that as far as you got? Or did you click Open from that dialog box?

If that's as far as you got, that's Apple's scanner kicking in to tell you not to continue. If you moved it to the trash, then you should be fine.

If you opened it, and ran it....then you might be infected.

-Kevin

Well did you see my post two posts up from the one you quoted?

I attached a screen shot of what warning I got when I clicked on the update in the downloader.

I did not get the box people are showing a picture of, I got the REGULAR update box people are showing a picture of....looks just like EVERY updater box I've ever gotten.

I did not "run" anything though. I believe I just followed the normal instructions.
BUT IF I did follow normal instructions, it would have installed right? BUT if it installed wouldn't it not allow me to simply bring it up with that warning box and have me move it to the trash like I did???

confused....
 

If apple merged iOS and OS X (which they won't)

The entire OS X developer community (PHP, Perl, C++ etc) will leave

So true.

They already made a first attempt with Lion and I, counting myself among the PHP devs, still see no reason to update to an OS oversimplified to fit the stupidest of users but not professionals.

Of course they defend Lion because admitting they ran the car into a tree at full speed would be a selfkill but I am certain they got a taste of this development direction's future and won't do that again with 10.8.

Coming back to topic, all the important stuff was said in


Mac OS X's built-in UNIX permissions prevent a virus from going further than your home folder, unless you give it your password and you have sudo (aka an Administrator)

Unless of course they found an exploit in the unix permission system, then the world is screwed

This is a Trojan; the installer actually has to ask for your password since the XProtect file is owned by root, so you yourself don't have access to it, and neither does the program since it's run by you, unless you give it your password and you're an administrator.

This is why an educated user will never need an anti-virus on OS X/Linux/BSD etc., because the anti-virus couldn't do more than what you can do
and
Yes, they were, but that still doesn't make Macs invulnerable. All it takes is a good privilege escalation attack (which are certainly not unheard of on *nix-based OSes), and then for someone to automate it.

Macs aren't invulnerable, nor is iOS, this is definitely true, but because of its UNIX base system it is freaking way harder to write some "real" malware for it, or find a usable exploit for it, that works fully automatically without any action required from the target user.

As for Antivirus applications, they definitely are a waste of money on a Mac for now.
If you really get to catch a virus on OS X (that still has to be written of course) which you can't knock off yourself by just not entering your admin password stupidly into every window popping up out of nowhere that asks for it, that virus has the same OS privileges as the Antivirus software and could easily deactivate it. This is where you probably need a second HDD with another OS install and some handwork. No Antivirus can help you in such a case.

tl,dr =
Trojans: Users with brains relax, users with no brain shell out money for some Antivirus software
Viruses: Users with brains get a second HDD with another OS install handy, users with no brain find yourself some user with a brain.
 
LOL. As someone that grew up with PCs, trojans and viruses don't scare me. I've never lost a battle to them! BRING IT ON MAC TROJANS.
 
Trojans, viruses, keyloggers et al, can all be very problematic. I think that there are many Mac users who over the years have become accustomed to having a very secure and trouble free experience as it pertains to these problems. And because of this it's possible to let your guard down.

That doesn't mean that I think Mac users are stupid or have a false sense of security but, it's easy to become complacent and perhaps not be as vigilant at all times and maybe not check the URL when downloading an update to Flash (or any other update for that matter). It should be noted that the majority of infections that occur on Windows computers are facilitated by the user. Whether downloading and running a suspected file or using someone's infected flash drive to transfer infected files or opening an email you shouldn't have. These people weren't stupid but they let their guard down. This could happen to anyone.

When I moved to Mac from Windows I knew that I was leaving the threat of viruses behind (for the most part) but at the same time I know how difficult life can become when your system gets infected (Doesn't matter whether it's a virus a trojan or any other type of malware). It happened to me one time in all the years of using Windows but it taught me a very valuable lesson. I don't want to worry about it and being that I'm human I know I also can let my guard down just long enough to make a mistake. For that reason I run ESET's Cybersecurity on my Mac which is an excellent anti malware app that I don't even know (except the icon in the menu bar) is even running. It takes almost zero resources and to me it's just worth having for those times when a mistake can happen.

I know a lot of long time die hard Mac users will say "You don't need it", "It's a waste", "Just use common sense". But assuming we are all human any one of us can make a mistake. Is it worth $30 a year to minimize these problems even more? It is to me.

A couple people here mentioned using Time Machine to restore an infected system. But if your system has been infected for a while before you realize it, odds are that your Time Machine backups can also be infected so it may not necessarily help you.

My two cents. Let's all be very careful.
 