So it switches the updating from automatic to manual use?

OR does it prevent manual updates as well?

If the user is duped into password authenticating the installation of this malware, then it can use those granted privileges to modify the file that contains the malware definitions and prevent new definition updates via any method (most likely both).

Once a definition exists for this threat, XProtect will detect it and warn the user prior to the user password authenticating the installation of the trojan.

Users should always be cautious when installing software and updates, especially installs that require password authentication to complete.
 
Fix

Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

If you have Safari:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

If you have Firefox:

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.

Peace out Homies...Keep it Safe. :eek:
 

Thanks dawg. I remain uninfected!
 

Thanks dude- I'm safe.

Weird thing though- I was just prompted to update the Adobe Flash Player after opening MACRUMORS..... it could have been a legit update from Adobe, but I wasn't taking any chances.
 

At this point I think it is necessary to add the following. Flash Player updates (official ones) from Adobe quite often include security hole fixes or tightened security policy. Please don't slip into the mindset of thinking that you shouldn't update your Flash Player - this is not sensible thinking.

Just ensure you go to http://get.adobe.com/flashplayer/ and download the installer from there. All will be fine then.
 
Oh, god, here we go again with the virus vs malware vs trojan vs etc., etc.

Malware is a generic category (malicious software). Viruses, trojans, spyware and all other crap that f***ks with your computer are malware.

Macs have never been infected by a virus up to this date. Yes, it is possible sometime in the future a virus could be developed that will infect a Mac. Nothing to this date!

Trojan is NOT a virus - it is a form of malware. Unlike a virus which can infect a computer without action on the part of the user, trojans have to be invited in. In short - the user has to screw up.

The best defense is an educated user.

(GGJstudios - How did I do?? :D :p:p)

1. Agreed

2. Oh, so you don't consider Macs running the classic Mac OS Macs? Because Macs that ran the classic Mac OS have been infected by viruses before. You should rephrase that to say Macs have not been infected by a virus since OS X.

3. Although a Trojan isn't a virus, a Trojan can be used to put a virus on a computer and act like a spy by stealing info, so a Trojan should be seen as much of a threat as a virus.
 

Hi guys,

Ran the terminal lines with "does not exist" error messages as result.

On the other hand I'm unable to find the com.apple.xprotectupdater.plist file in library folder.....:confused:
In which folder in Library am I supposed to find it?

Should I be concerned?????:eek:
 
I understand that this is not a virus, however, this is still a big problem that Apple need to solve, and it isn't heartening that Windows hasn't solved it well either. This is a nicely crafted social engineering attack, and while obvious visual differences exist between the trojan installer and Adobe's own installer, it's still close enough to fool less savvy users. People are used to having to install/update flash, and telling people not to fall for it isn't going to work unless you're already informed enough not to fall for it.

Problems:

[Adobe]
- Flash must be updated for system security.
- The current updater appears from nowhere to prompt for update installation.
- Flash installation requires an admin password.
- Flash is the perfect guise for a trojan (people know of it, assume they have it, know it needs updating, but don't know it well. The only GUI is the installer, and few pay attention to how that looks)

[Apple]
- Safari thinks installer packages are "safe files" and will open them automatically (unless unchecked in preferences) allowing trojans to launch installation upon download. Ridiculous.
- X-Protect.plist & xprotectupdater - static locations / filenames.
- Flash is third party: Apple can't really control (or fix) it.

It's hard not to see Apple as at fault here for allowing the opening of "safe" files automatically. PDFs aren't safe, let alone installer packages, and now the downloads list is accessible from the Safari toolbar in Lion, it's tough to justify auto-opening files. I'd also like to see Apple keep improving XProtect. At the moment it's crude protection against crude malware. I'd like to see it advance very quickly, but for now, the moral of the story remains:

Safari -> Preferences -> [General Tab] -> Untick: "Open 'safe' files after downloading"

Interestingly, this malware checks for Little Snitch, and if found, deletes itself.

Most of Adobe's problems are inherent of the product that Flash is: a web facing browser plugin. I can't defend Flash's security record, and dislike Flash as a whole, but that's not what the problem is in this case.


[EDIT] It'd be nice if the front page article showed the differences between the two installers, not just the fake one, to help quell some nerves. (Images taken from FPA & adder7712)

FAKE:
flashback_c_installer.jpg


REAL:
Adobe_Flash_Player_installer_380px.jpg
 
It's disturbing that, after decades of malware, that people will still consider installing software from untrusted sources. Especially when the software is a free download.
More accurately, Mac OS X has never been infected by a virus up to this date. There have been viruses for the classic Mac platform, although most are very old and not likely to be in the wild, and wouldn't work on a modern Mac even if you downloaded it.
Where did you download it from? The official source is from Adobe: http://get.adobe.com/flashplayer/. You shouldn't consider installing a copy downloaded from anywhere else.

Good distinction. I didn't know that. Thanks for the correction.:)
 
Why???????

Can someone, anyone tell me why anyone would spend all that time and money to develop a trojan horse? What do they get out of it? Who pays for it? Am I just a naive user?? What is the end-game here? I don't get it.:mad:
 
- Flash must be updated for system security.

This is true but this is less applicable to OS X than other OSs.

See the following post from earlier in this thread for further explanation:

https://forums.macrumors.com/posts/13672712/

- Safari thinks installer packages are "safe files" and will open them automatically (unless unchecked in preferences) allowing trojans to launch installation upon download. Ridiculous.

Despite the installer launching automatically, the user still has to click through the installer to install the malware.

So, the security implications of the installer launching automatically aren't very significant.
 
This is true but this is less applicable to OS X than other OSs.

I don't believe I mentioned any other OSs. If it is true, it is true.

Despite the installer launching automatically, the user still has to click through the installer to install the malware.

So, the security implications of the installer launching automatically aren't very significant.

The security implications are huge. You've gone from a file sitting in "downloads" to a socially engineered installer prompting the user to click "continue." If they fall for the trick, game over. The user may have to be fooled, but foolish users are nothing new. The subterfuge couldn't take place without the installer opening and prompting the user to install Flash.

If you think that mitigating a social engineering factor wouldn't affect computer security when faced with a trojan, you're insane.
 
I don't believe I mentioned any other OSs. If it is true, it is true.

Flash updates usually patch memory corruption vulnerabilities.

Runtime security mitigations prevent these vulnerabilities from being exploited.

No methods are known that allow bypassing the runtime security mitigations in Lion.

Flash was no longer a reliable exploitation vector in SL. This is even more true now that Flash is 64-bit.

Combined with reliable DAC that prevents access to vectors to make malware profitable, Flash doesn't represent a huge risk factor in OS X.

The only relevant Flash vulnerabilities in relation to OS X are XSS vulnerabilities that are used in sophisticated phishing emails. But, these threats require user interaction to be successful and are easily avoided.

The security implications are huge...The subterfuge couldn't take place without the installer opening and prompting the user to install Flash.

The subterfuge could also occur via the user manually launching the file in downloads due to being labelled a Flash update then clicking through the installer and password authenticating the installation.

If you think that mitigating a social engineering factor wouldn't affect computer security when faced with a trojan, you're insane.

The mitigation is already in place. XProtect is integrated into File Quarantine.

Once a definition for the malware is included in XProtect, the installer won't open automatically. Instead a warning prompt will appear to tell the user the payload of the installer is malware.

But, a better mitigation is the user applying knowledge about safe computing practices. This is better because it doesn't rely on waiting for a definition to be released. See #8, #9, and #14 in the "Mac Security Suggestions" link in my sig for more info.
 
I think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.
If you disable Safari's "feature" to automatically open "safe" downloads, then neither will auto-launch. If you configure your web browser to always prompt for download locations, then it won't be able to auto-download either, since you'll be asked to select a destination (and you can click "cancel").
... as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this...
This is an unreliable way to tell. The next version of the malware may look like the Adobe installer, and Adobe may change their installer in the future.

The best approach is to never launch any app (installer or otherwise) that you didn't explicitly get yourself. If something tries to auto-download, delete it no matter what it claims to be.

If you need to update Flash (or any other piece of software), download your updates directly from the publisher (e.g. http://www.adobe.com) and you'll be fine.
Well I had the above notification and I moved it to the trash. What I'm wondering is why it did not infect anything? My computer is running fine, and how come it let me move it to the trash so simply? Did it never truly install?
From your description, it appears that Apple's malware-detector identified the malware before the installer ran.

Malware doesn't infect your computer by simply being on your hard drive. Something has to launch it. If you don't launch it, and no other software (like a web browser or plugin) launches it, then it doesn't do anything.

If you would launch it (and ignore warnings from your OS and/or virus scanner) then you'd be in trouble.

As for ease of deletion, not all malware is hard to get rid of. Some can simply be dragged to the trash. Others are much harder to remove, possibly even requiring a reinstall of your OS.
 

The domain/default pair of (/Applications/Safari.app/Contents/Info.plist, LSEnvironment) does not exist

UGH.............. What's that mean exactly?
 
Can someone, anyone tell me why anyone would spend all that time and money to develop a trojan horse? What do they get out of it? Who pays for it? Am I just a naive user?? What is the end-game here? I don't get it.:mad:

For the lulz.

Don't download Adobe software from anywhere except Adobe. Apply the same logic to any software. Always download from the publisher.
 
Manual Removal Instructions

1. Scan the whole system and take note of the detected files.

2. Remove the entry

   <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
   <string>%path_of_detected_file_from_step_1%</string></dict>

   from:

   /Applications/Safari.app/Contents/Info.plist
   /Applications/Firefox.app/Contents/Info.plist

3. Delete all detected files.

---

I manually found my .plist and I don't have that listed in my Safari plist.

BUT...

/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

I don't have a LaunchDaemons folder in my library...
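The check posted earlier in the thread (`defaults read .../Info.plist LSEnvironment`, looking for `DYLD_INSERT_LIBRARIES`) and the manual removal steps quoted just above can be done in one script. The following is an added example, not code from the original thread or from Apple: it parses the Info.plist with Python's standard `plistlib` instead of `defaults`, so it also runs on a non-Mac for testing. The bundle paths and the xprotectupdater launch daemon path are the ones named in the thread; the injected library path in the sample plist is a constructed placeholder, not a real indicator.

```python
"""Detect and clean a Flashback-style LSEnvironment/DYLD_INSERT_LIBRARIES
injection in an application bundle's Info.plist.

Added example, not from the original thread. Equivalent to running
`defaults read <bundle>/Contents/Info.plist LSEnvironment` and checking the
output, plus removal step 2 from the manual removal instructions.
"""
import plistlib
from pathlib import Path

# Bundles named in the thread; any .app bundle can be checked the same way.
BUNDLES = ["/Applications/Safari.app", "/Applications/Firefox.app"]

# Launch daemon that refreshes XProtect definitions (path given in the thread).
XPROTECT_UPDATER = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"


def ls_environment(info_plist: bytes):
    """Return the LSEnvironment dict, or None when the key is absent.
    None corresponds to the "domain/default pair ... does not exist" error
    that `defaults read` prints on an uninfected system."""
    env = plistlib.loads(info_plist).get("LSEnvironment")
    return env if isinstance(env, dict) else None


def injected_libraries(info_plist: bytes):
    """Return the DYLD_INSERT_LIBRARIES value (a library path), or None."""
    env = ls_environment(info_plist)
    return None if env is None else env.get("DYLD_INSERT_LIBRARIES")


def is_infected(info_plist: bytes) -> bool:
    return injected_libraries(info_plist) is not None


def remove_injection(info_plist: bytes) -> bytes:
    """Manual removal step 2: drop DYLD_INSERT_LIBRARIES from LSEnvironment,
    and drop LSEnvironment itself once it is empty. Returns the cleaned plist;
    the caller still has to delete the detected library file (step 3)."""
    info = plistlib.loads(info_plist)
    env = info.get("LSEnvironment")
    if isinstance(env, dict):
        env.pop("DYLD_INSERT_LIBRARIES", None)
        if not env:
            del info["LSEnvironment"]
    return plistlib.dumps(info)


def check_bundle(bundle: str):
    """Read <bundle>/Contents/Info.plist from disk. Returns (path, result)
    where result is the injected library path, None if clean, or "missing"
    if the bundle is not installed."""
    path = Path(bundle, "Contents", "Info.plist")
    if not path.is_file():
        return str(path), "missing"
    return str(path), injected_libraries(path.read_bytes())


# Constructed sample plists for offline use; not taken from a real system.
CLEAN_PLIST = plistlib.dumps(
    {"CFBundleIdentifier": "com.apple.Safari", "CFBundleExecutable": "Safari"}
)
INFECTED_PLIST = plistlib.dumps(
    {
        "CFBundleIdentifier": "com.apple.Safari",
        "CFBundleExecutable": "Safari",
        # Hypothetical payload path; a real one comes from your scanner results.
        "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.example_payload.dylib"},
    }
)

if __name__ == "__main__":
    for bundle in BUNDLES:
        print(check_bundle(bundle))
    print("xprotectupdater present:", Path(XPROTECT_UPDATER).is_file())
    print("sample infected plist flagged:", is_infected(INFECTED_PLIST))
```

On a real Mac, writing the cleaned plist back into /Applications needs admin rights, and editing Info.plist by hand alters the bundle's contents; as the thread already suggests, deleting the browser and re-downloading it from the vendor is the cleaner way to remove the payload once you have confirmed it is there.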
 
CNET has a nice step by step article for Mac novices like me that would confirm if your system was affected.

http://reviews.cnet.com/8301-13727_7-20122551-263/flashback-os-x-malware-variant-disables-xprotect/

Excerpt from the article:

Again, this malware is very rare and will not affect most Macs out there, but if you suspect one of your Macs has been infected then you can do a rudimentary check on your system by running the following two commands in the Terminal (copy and paste them):

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

These commands will read the property list within the applications and check to see if they have been modified to launch other applications when opened. In the output for these commands, if you see text that includes "DYLD_INSERT_LIBRARIES" followed by a path that points to a specific file, then your system has been infected. If you do not see this text output and instead see "The domain/default pair...does not exist," then your system has not been infected.



 
Ran the terminal lines with "does not exist" error messages as result.

On the other hand I'm unable to find the com.apple.xprotectupdater.plist file in library folder.....:confused:
In which folder in library am I suppose to find it?

Should I be concerned?????:eek:

Same here. I'm also concerned because I got a pop-up saying my Flash Player was out of date. I cancelled that window and went to the System Preferences app (MacOSX 10.6.8) and used the Flash Player pref pane to see if I needed to update to a newer version by clicking "check now". Needed to update so I DL'd it from Adobe and installed.

But as mentioned by poster I quoted I also can't find the com.apple.xprotectupdater.plist file.

Never mind... operator error. I was looking in wrong Library. It's there so I'm OK.

I have to say it's annoying that a third party app is the weak spot in my OS security.
 
If you disable Safari's "feature" to automatically open "safe" downloads, then neither will auto-launch. If you configure your web browser to always prompt for download locations, then it won't be able to auto-download either, since you'll be asked to select a destination (and you can click "cancel").
Not true.
The real Flash Updater runs in background and does not rely on any Safari settings.
The updater periodically checks for updates (this is why the updater appears at random) and notifies you when it finds one.
The real Flash Updater does not download anything until you select the Install button.
 