1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.


The F-Secure site has a general description: Link. I scrolled down to the bottom, where it listed the files that this Trojan wipes out and confirmed that at least one of these was still on my system.

[HD] /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

I clicked on the plist file, and there's content in it, so it's not be overwritten with a blank.

The other file is in the /usr directory, and frankly I'm not worried enough to try and remember how to make this ordinarily hidden directory visible.

I believe that this will indicate whether you are infected or not, but of course if I'm wrong I'm sure someone will chime in.

Luck.
 
So true.

They already made a first attempt with Lion and I, counting myself among the PHP devs, still see no reason to update to an OS oversimplified to fit the stupidest of users but not professionals.

Of course they defend Lion, because admitting they ran the car into a tree at full speed would be a self-kill, but I am certain they got a taste of this development direction's future and won't do that again with 10.8.

Coming back to topic, all the important stuff was told with


and


Macs aren't invulnerable, nor is iOS, this is definitely true, but because of its UNIX base system it is freaking way harder to write some "real" malware for it, or find a usable exploit for it, that works fully automatically without any action required from the target user.

As for antivirus applications, they definitely are a waste of money on a Mac for now.
If you really catch a virus on OS X (one that still has to be written, of course) which you can't knock off yourself by just not stupidly entering your admin password into every window popping up out of nowhere that asks for it, that virus has the same OS privileges as the antivirus software and could easily deactivate it. This is where you probably need a second HDD with another OS install and some handwork. No antivirus can help you in such a case.

tl;dr =
Trojans: Users with brains relax, users with no brain shell out money for some Antivirus software
Viruses: Users with brains get a second HDD with another OS install handy, users with no brain find yourself some user with a brain.

Even keeping regular backups is totally fine. I don't like the time consuming process of cloning my HDD, but it would be pretty easy for me to just do a reinstall and restore everything from time machine.

Time machine is really useful when you don't keep the drive plugged in for hourly backups - you don't want the files a trojan messed with being backed up without warning. Instead, I do one backup at the end of the day, so long as nothing suspicious has occurred.
 
It is a cat and mouse game. I suspect Apple will come up with an update to resolve this issue.

I think that Apple could solve the problem by giving 0.0001% of their cash to the right person in Russia. Microsoft spends more than that giving money to the Russian police, which also helps.

Seems that at least four malware writers don't like the idea.
 
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

I agree with these questions.

I'm particularly worried because CNN's flash player was acting funky last night and kept throwing up a window saying I needed to install some flash plugin, for which mouse clicks didn't work and to dismiss it I needed to hit the tab key a few times to select a button, and then hit return to deny it permission to install. (Hitting return to allow it to install for whatever reason didn't work.)
 

Read this article to see commands to see if you are infected.
http://reviews.cnet.com/8301-13727_7-20119265-263/latest-adobe-flash-trojan-for-os-x-gets-revised/

Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

Code:
defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment
On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.


Read more: http://reviews.cnet.com/8301-13727_...h-trojan-for-os-x-gets-revised/#ixzz1bFV3dMSr

-Kevin
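The checks quoted above, put into one small script that can be run against a machine and also tried out on sample files. This is an added example, not code from the thread, from CNET or from F-Secure. It assumes the Info.plist files are XML plists (convert binary ones with `plutil -convert xml1` first), uses `defaults read` when it is available (the same command as in the article) and otherwise a sed/grep fallback so the logic can be exercised on any Unix, and the plists written by `write_sample_plists` are constructed for the demonstration; the dylib path in them is made up. The XProtect updater check only looks for the plist being missing or empty, which is the effect the thread describes; remediation (redownloading the browsers) is as described in the post above.

```shell
#!/bin/sh
# Added example: checks the two Flashback indicators discussed in the thread.
# Assumptions (not from the original page): Info.plist files are XML plists;
# sample files written by write_sample_plists are constructed test data only.

# Exit 0 when FILE's LSEnvironment dictionary names DYLD_INSERT_LIBRARIES,
# 1 when it does not, 2 when the file cannot be read.
lsenv_has_dyld_insert() {
    file="$1"
    [ -r "$file" ] || return 2
    if command -v defaults >/dev/null 2>&1; then
        # macOS: same command as the CNET article; an error means the key is absent
        defaults read "$file" LSEnvironment 2>/dev/null | grep -q 'DYLD_INSERT_LIBRARIES'
    else
        # Portable fallback: isolate the <dict> that follows the LSEnvironment key
        sed -n '/<key>LSEnvironment<\/key>/,/<\/dict>/p' "$file" | grep -q 'DYLD_INSERT_LIBRARIES'
    fi
}

# Exit 0 when the XProtect updater launch daemon plist exists and is non-empty
# (the thread reports the trojan deleting or blanking it), 1 otherwise.
xprotect_updater_intact() {
    [ -s "$1" ]
}

# Write a clean Info.plist, an injected one and a non-empty launch daemon plist
# into DIR. Constructed sample data; the dylib path is made up for the example.
write_sample_plists() {
    dir="$1"
    cat > "$dir/clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
</dict>
</plist>
EOF
    cat > "$dir/infected.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/tmp/example_payload.dylib</string>
    </dict>
</dict>
</plist>
EOF
    printf '<plist version="1.0"><dict><key>Label</key><string>com.apple.xprotectupdater</string></dict></plist>\n' \
        > "$dir/com.apple.xprotectupdater.plist"
}

# Run the checks against the paths named in the thread and print one line each.
scan_system() {
    for app in /Applications/Safari.app /Applications/Firefox.app; do
        rc=0
        lsenv_has_dyld_insert "$app/Contents/Info.plist" || rc=$?
        case $rc in
            0) echo "SUSPECT: $app injects a library via DYLD_INSERT_LIBRARIES" ;;
            1) echo "ok:      $app has no LSEnvironment injection" ;;
            *) echo "skip:    $app/Contents/Info.plist not readable (app not installed?)" ;;
        esac
    done
    if xprotect_updater_intact /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist; then
        echo "ok:      XProtect updater launch daemon plist present"
    else
        echo "SUSPECT: XProtect updater launch daemon plist missing or empty"
    fi
}

# Usage: sh flashback_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_system
fi
```

Run it with `--scan` on the Mac in question; a "SUSPECT" line for a browser means its Info.plist carries the injection the article describes. A clean result from this script is only as good as the two indicators it checks, so treat it as a quick triage, not proof of a clean machine.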
 
i think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:
(image of the legitimate Flash installer window not reproduced)

and do not use the standard system installer window like the trojan does:
(image of the trojan's standard system installer window not reproduced)
It's a bit like knock-off clothing, the devil's in the details:
You can see that the welcoming text in the fake installer is placed obscurely. Adobe would never launch something like that.
 
iOS is the future :)
That may turn out to be more correct than many realize.

I see a day coming not long from now in which it will be very difficult, if not impossible, to download anything for your Mac outside of Apple's AppStore.
 
Even keeping regular backups is totally fine. I don't like the time consuming process of cloning my HDD, but it would be pretty easy for me to just do a reinstall and restore everything from time machine.

Time machine is really useful when you don't keep the drive plugged in for hourly backups - you don't want the files a trojan messed with being backed up without warning. Instead, I do one backup at the end of the day, so long as nothing suspicious has occurred.

The reason to have a second OS install on a separate HDD was not to clone anything but to have an untampered OS that can access the files on your (infected) main HDD, with less chance of infecting it too, when you're trying to remove the malware by hand. See, on the main HDD the malware is then likely to run in the background and could possibly interrupt you as you're trying to clean up, but if you run another OS install, it's not running.

Time Machine is fine too, but restoring from it equals a fresh install, or takes even longer, time-wise. Both ways guarantee a complete removal of the malware. I also don't have my TM HDD connected to my Mac all the time; I only do backups occasionally or when the 10-day warning window pops up.

New to Mac, so asking a daft question: how do you get into Terminal on an iMac?

Reading your post, I guess it's better if you don't use it until a couple of years have passed and you got really really familiar with OS X, otherwise there is a high risk that you shred your whole system with the wrong single command you typed in.
 
Well, I received a Flash updater popup yesterday, and installed it. It was legitimate. Adobe released a new update, which is what I received. I checked for the suspect entries in the info.plist, and they're not there. The XProtectUpdater is intact, and dated 10/12, when I updated to 10.7.2.

I second that. A flash updater popped up, which was probably legit since I wasn't surfing at the time, but I went directly to Adobe to check Flash version. I think the new version is 11.X and I was running 10.X. So unless there was some url spoofing going on I'm sure mine updated correctly.

Definitely scary though. I seem to recall another recent Flash update that occurred during a breaking trojan story.
 
Trojans, viruses, keyloggers et al, can all be very problematic. I think that there are many Mac users who over the years have become accustomed to having a very secure and trouble free experience as it pertains to these problems. And because of this it's possible to let your guard down.

That doesn't mean that I think Mac users are stupid or have a false sense of security, but it's easy to become complacent and perhaps not be as vigilant at all times and maybe not check the URL when downloading an update to Flash (or any other update, for that matter). It should be noted that the majority of infections that occur on Windows computers are facilitated by the user, whether by downloading and running a suspect file, using someone's infected flash drive to transfer infected files, or opening an email you shouldn't have. These people weren't stupid, but they let their guard down. This could happen to anyone.

When I moved to Mac from Windows I knew that I was leaving the threat of viruses behind (for the most part) but at the same time I know how difficult life can become when your system gets infected (Doesn't matter whether it's a virus a trojan or any other type of malware). It happened to me one time in all the years of using Windows but it taught me a very valuable lesson. I don't want to worry about it and being that I'm human I know I also can let my guard down just long enough to make a mistake. For that reason I run ESET's Cybersecurity on my Mac which is an excellent anti malware app that I don't even know (except the icon in the menu bar) is even running. It takes almost zero resources and to me it's just worth having for those times when a mistake can happen.

I know a lot of long time die hard Mac users will say "You don't need it", "It's a waste", "Just use common sense". But assuming we are all human any one of us can make a mistake. Is it worth $30 a year to minimize these problems even more? It is to me.

A couple people here mentioned using Time Machine to restore an infected system. But if your system has been infected for a while before you realize it, odds are that your Time Machine backups can also be infected so it may not necessarily help you.

My two cents. Let's all be very careful.

Sorry, but it all sounds like a paid insert... Sounds like the kind of arguments insurance vendors use.
 
That's the problem. As of Flash 10.3, the real Flash updates download automatically as you're browsing the web. The only truly good solution is to use Chrome, which includes Flash. Uninstall Flash from the system. Then, if you ever get a notice to install a Flash upgrade, you know it's malware.

What percent of the general public could take your advice about uninstalling Flash? The easy 10-step process is detailed here: http://kb2.adobe.com/cps/909/cpsid_90906.html.

Flash has turned into a huge exploitable avenue of attack for Macs (and PCs). Adobe has been using a variety of their own flavor-of-the-moment installers that start up after the user has been informed that Flash needs to be updated. This has been going on for years. We've been trained to mindlessly go through this drill (same thing with Acrobat, but don't get me started.)

So, for a human-engineered exploit, all you need is something that looks like a video player and an enticing subject. Fill the frame with a 'Flash plugin is out-of-date' message linked to a Trojan. Badda-boom -- people have been trained to click and install this. If the installer looks weird or different, that seems normal based on past experience.

I'm usually just pissed that updating Flash requires a browser restart along with the dozens of tabs and windows I have open. Now I have to worry whether it's a Trojan loading or not.
 
This is very interesting because several times I have had an application pop up out of the blue saying it was to update Flash. Something about it opening out of the blue seemed suspicious to me, and I didn't install it at first, but then I remembered I had disabled the automatic opening of downloads from Safari, which is how the previous trojan had worked I thought, so I did install it. I'm guessing now I probably did fall for something.

Edit: Opening safe files was checked in Safari . . . shows I should not have relied on MobileMe syncing preferences.
 
I was just on Yahoo checking the news this morning and an update popped up that said I needed to upgrade.

It looked completely like any other flash upgrade that i've installed previously.
I'm really worried now.

I think Adobe is using an AIR like interface for its flash setup package, not the Apple pkg interface.
 
has anyone gotten the flash player on mac to do automatic updates? I have the option checked but it never seems to say there is a new version. I always have to go to adobe.com and update it manually even when autoupdate is checked in the system prefs.
 
Unless of course they found an exploit in the Unix permission system, then the world is screwed

Or an exploit is found for an executable that has the SETUID bit set and is owned by the superuser. And yes, this happens frequently; and yes, the UNIX/Linux world has been screwed numerous times.
 