“Following our recent security memo about the Mac Flashback Trojan horse, Intego has seen an increase in the number of Mac users infected by this malware,” Intego’s Mac Security Blog reports.
“After publicizing this threat, many users have posted both in the comments on this blog, and on other blogs and forums about having either seen this malware download, or actually installing it,” Intego reports. “The first things you see are the crashed plugin graphic and the purported error messages. After this, the fake Adobe Flash installer screen pops up, and then the Flashback Trojan horse installation package downloads. At this point, if you have the default Safari settings – which allow ‘safe’ downloads to open automatically – you will see an Installer window open.”
If you end up on a site that is serving this malware, you will see something similar to this:
Intego reports, “If you see a web page similar to that shown above, do not run any installer, and if the Installer window does not open, check your Downloads folder for any package file that contains the name Flash, then delete it. Only download Flash Player installers from the Adobe web site.”
Note: If anyone who has been infected by this Trojan horse knows the URL at which they got it, or has a sample, please send an e-mail (with sample attached, and zipped, if possible) to sample@virusbarrier.com
Read more in the full article here.
MacDailyNews Note: Users should also uncheck the “Open ‘safe’ files after downloading” option in Apple’s Safari browser under General Preferences. This will help ensure that the Flashback installer is not automatically run if downloaded. Users can check to see whether they were infected by looking for the file “~/Library/Preferences/Preferences.dylib” on their Mac. (To view Library contents in Mac OS X Lion, in Finder’s Go menu (Shift+Command+G), type “~/Library” and click Go to view the folder.)
Here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs should not be surprised to find their Macs are compromised.
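The three checks described above (the Preferences.dylib indicator, Flash-named packages in Downloads, and Safari’s auto-open setting) can be run from Terminal. This is an added example, not code from Intego or MacDailyNews; the function names, the .pkg/.mpkg extension filter, and the AutoOpenSafeDownloads preference key are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage for the on-disk signs named in this article.
# Takes a home directory so it can also be pointed at another account.

# Indicator file from the note above.
flashback_indicator_present() {
    [ -f "$1/Library/Preferences/Preferences.dylib" ]
}

# Packages in Downloads whose name contains "Flash" (any case). OS X packages
# can be flat files or bundle directories, so files and directories both match.
# Assumption: installer packages carry a .pkg or .mpkg extension.
list_flash_packages() {
    [ -d "$1/Downloads" ] || return 0
    find "$1/Downloads" -maxdepth 1 \
        \( -iname '*flash*.pkg' -o -iname '*flash*.mpkg' \) -print
}

# Safari's "Open 'safe' files after downloading" setting. Assumption: it is
# stored as AutoOpenSafeDownloads in the com.apple.Safari defaults domain.
safari_auto_open_state() {
    command -v defaults >/dev/null 2>&1 || { echo "unknown"; return 0; }
    case "$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)" in
        0) echo "off" ;;
        1) echo "on" ;;
        *) echo "unset" ;;
    esac
}

triage() {
    home=${1:-$HOME}
    if flashback_indicator_present "$home"; then
        echo "FOUND: $home/Library/Preferences/Preferences.dylib"
    else
        echo "Not found: Preferences.dylib indicator"
    fi
    pkgs=$(list_flash_packages "$home" 2>/dev/null) || pkgs=""
    if [ -n "$pkgs" ]; then
        printf 'Flash-named packages to review:\n%s\n' "$pkgs"
    fi
    echo "Safari auto-open of 'safe' downloads: $(safari_auto_open_state)"
}

triage "$@"
```

An "unset" result means no explicit value is stored, so Safari's default behavior applies.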
Related articles:
Apple updates OS X Lion, Snow Leopard malware definitions to address new trojan – September 26, 2011
New OS X trojan horse sends screenshots, files to remote servers – September 23, 2011
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011
Sophos details new Mac OS X Trojan – February 28, 2011
Warning: Mac users beware of yet another trojan masquerading as video codec – June 11, 2009
CNN blows it; gets all worked up about a Mac Trojan that isn’t the first nor is it the last – April 23, 2009
Mac trojan expands to affect pirated versions of Photoshop CS4 – January 26, 2009
Intego: Mac trojan horse found in pirated Apple iWork ‘09 – January 22, 2009
New Mac OS X Trojan horse identified – June 23, 2008
Mac OS X Scareware trojan ‘MacSweep from Imunizator’ tries to scam Mac users – March 29, 2008
Mac trojan makers churn out slightly modified versions to evade anti-malware detection – November 08, 2007
Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version – November 01, 2007
New Mac OS X Trojan warning – February 16, 2006
Apple: ‘Opener’ is not a virus, Trojan horse, or worm – November 02, 2004