Warning: Flashback Trojan horse spreading; Mac users should be wary of Flash installers

“Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware,” Intego’s Mac Security Blog reports.

“After publicizing this threat, many users have posted both in the comments on this blog, and on other blogs and forums about having either seen this malware download, or actually installing it,” Intego reports. “The first things you see are the crashed plugin graphic and the purported error messages. After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings – which allow ‘safe’ downloads to open automatically – you will see an Installer window open.”

If you end up on a site that is serving this malware, you will see something similar to this:

[Screenshot: Intego Mac Flashback Trojan – fake "Flash Player" installer page]

Intego reports, “If you see a web page similar to that shown above, do not run any installer, and if the Installer window does not open, check your Downloads folder for any package file that contains the name Flash, then delete it. Only download Flash Player installers from the Adobe web site.”

Note: If anyone who has been infected by this Trojan horse knows the URL at which they got it, or has a sample, please send an e-mail (with sample attached, and zipped, if possible) to sample@virusbarrier.com

Read more in the full article here.

MacDailyNews Note: Users should also uncheck the “Open ‘safe’ files after downloading” option in Apple’s Safari browser under General Preferences. This helps ensure that the Flashback installer is not run automatically if it is downloaded. Users can check whether they have been infected by looking for the file “~/Library/Preferences/Preferences.dylib” on their Mac. (Mac OS X Lion hides the user Library folder by default; to view it, choose Go > Go to Folder in the Finder (Shift+Command+G), type “~/Library” and click Go.)
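The three checks above (the indicator file, a stray “Flash” package in Downloads, and Safari’s auto-open setting) can be scripted. The following is an added example written for this page, not code from Intego or MacDailyNews. It assumes the indicator path quoted above, and it assumes that the Safari checkbox is backed by the defaults key AutoOpenSafeDownloads in the com.apple.Safari domain (an assumption about Safari’s preference storage, not something the page states).

```shell
#!/bin/sh
# Added example: Flashback indicator checks for Mac OS X (Lion era).
# Functions take an optional home directory so they can be run against a
# mounted backup or a test directory; they default to $HOME.

# True (exit 0) if the file Intego names as the infection marker exists.
flashback_indicator_present() {
    home="${1:-$HOME}"
    [ -f "$home/Library/Preferences/Preferences.dylib" ]
}

# Prints every installer-like file in Downloads whose name contains "Flash"
# (case-insensitive); returns 0 if at least one was found, 1 otherwise.
suspicious_flash_packages() {
    home="${1:-$HOME}"
    found=1
    for f in "$home"/Downloads/*; do
        [ -e "$f" ] || continue          # empty glob stays literal; skip it
        base=$(basename "$f")
        case "$base" in
            *.pkg|*.mpkg|*.dmg|*.zip) ;;  # installer-ish extensions only
            *) continue ;;
        esac
        lower=$(printf '%s' "$base" | tr 'A-Z' 'a-z')
        case "$lower" in
            *flash*) printf '%s\n' "$f"; found=0 ;;
        esac
    done
    return $found
}

# Returns 0 if Safari will auto-open "safe" downloads, 1 if the box is
# unchecked, 2 if the defaults tool is not available (not a Mac).
# Assumption: the checkbox maps to com.apple.Safari AutoOpenSafeDownloads;
# a missing key means Apple's default, which is enabled.
safari_auto_open_enabled() {
    command -v defaults >/dev/null 2>&1 || return 2
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    [ "$v" != "0" ]
}

# Human-readable summary; call as: flashback_report [home_dir]
flashback_report() {
    home="${1:-$HOME}"
    if flashback_indicator_present "$home"; then
        echo "WARNING: $home/Library/Preferences/Preferences.dylib exists (Flashback indicator)"
    else
        echo "OK: no Preferences.dylib indicator in $home/Library/Preferences"
    fi
    if pkgs=$(suspicious_flash_packages "$home"); then
        echo "WARNING: Flash-named installer(s) in Downloads; delete unless you fetched them from adobe.com:"
        printf '  %s\n' $pkgs
    else
        echo "OK: no Flash-named installers in $home/Downloads"
    fi
    safari_auto_open_enabled
    case $? in
        0) echo "WARNING: Safari still opens 'safe' files after downloading; uncheck it in Safari > Preferences > General, or run:"
           echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false" ;;
        1) echo "OK: Safari auto-open of 'safe' downloads is disabled" ;;
        *) echo "SKIP: defaults tool not found; Safari preference not checked" ;;
    esac
}
```

Run `flashback_report` from a Terminal as the user whose account is in question; pass the path of a mounted Time Machine volume’s home folder instead to inspect a backup without restoring it. Note that the indicator file is only what this page reports; its absence is not proof of a clean machine.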

Here’s our usual oft-repeated reminder for Mac users and anyone using any other platform: do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs should not be surprised to find their Macs compromised.

Related articles:
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011
New OS X trojan horse sends screenshots, files to remote servers – September 23, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011
Sophos details new Mac OS X Trojan – February 28, 2011
Warning: Mac users beware of yet another trojan masquerading as video codec – June 11, 2009
CNN blows it; gets all worked up about a Mac Trojan that isn’t the first nor is it the last – April 23, 2009
Mac trojan expands to affect pirated versions of Photoshop CS4 – January 26, 2009
Intego: Mac trojan horse found in pirated Apple iWork ‘09 – January 22, 2009
New Mac OS X Trojan horse identified – June 23, 2008
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users – March 29, 2008
Mac trojan makers churn out slightly modified versions to evade anti-malware detection – November 08, 2007
Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version – November 01, 2007
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004

21 Comments

    1. I agree. When I see most spam, I’m like, what are they thinking? How do people fall for these terribly written messages? Google translate does a better job.

      Although, MDN would probably tell you that if you have a crush on Flash, you do need fixed. 🙂

    2. Poor English is always a giveaway for those with malicious intent, whether malware, virus or phishing attempts. Although, to be fair, I’ve seen some official Canon product user manuals that use really bad English. Not surprising, since they are probably direct translations of Japanese, by Japanese. Reminds me of the hilarious subtitles you see in some Japanese-language films, e.g. films starring Godzilla.

    1. We’ve never said we were immune to “malware”. We’ve said we were immune to viruses and worms. And we pretty much are.

      Trojans? It’s next to impossible to secure a system from those, because they hack the user, not the system.

      ——RM

    2. … among us DO realize our computers are not “immune to malware”. We take modest precautions to reduce the chance we will suffer from one of the few nasty bits out there. We don’t surf from an Admin account, for example. We don’t allow auto-login, either. All accounts have “strong” passwords, all different. I’ve worked in Enterprise-level IT departments that put Windows desktops on every desk … and each one violates each of these truly basic protections. Then they support – and complain about – the larger IT departments needed to keep all these naked systems free of crud.

    3. The ONLY people who state that ‘Mac users think they’re immune to malware’, etc., are FUD TROLLS who wish it were true. Another of their fantasies is that Microsoft Windows is just as secure as Mac OS X. Dream on. 😛

      I’ve been writing about Mac Security since 2007. I was inspired by the anti-Apple security FUD fest that began in 2005.

      Mac-Security Blog

  1. A non-issue for all but the dumbest of the computer illiterate.

    Oh and in that context, I always thought that the choice by Apple to enable Safari to open ‘safe’ files by default was monumentally stupid. Not just because of potential issues like these, but because it’s extremely disruptive and jarring to suddenly have your point of focus taken over by the Finder or an installer after a large download. Especially if you’re busy working. Hate it. Hate. It.

  2. Has anyone seen an in-depth article on this issue from someone other than a Security software company, like a legit Mac site?

    As yet I haven’t seen a report from a reputable Mac journal detailing what this trojan does (if anything), how to know if someone’s computer is affected (what files to look for), and how to remove it.

    Would Time Machine restore it during a rebuild from a backup?

    Instead all I’m hearing so far is fear-mongering from security sites who are saying it “might do this, look this way or that, and doesn’t work very well” … to be sure, download our proprietary software. Of course their software always finds all sorts of things that “could” possibly be a virus etc, causing unneeded fears, especially for elderly and vulnerable folks.

    For such an apparently insidious “trojan” much more clarity is needed.

  3. This (probably) came to me in a very official looking Adobe e-mail offering a free Upgrade to Flash, enumerating all the benefits. Checking the headers, the message originated in Australia. As there was also a misspelling, I chose to delete it.
