new malware disguised as flash installer

15118 Views 128 Replies Latest reply: Oct 24, 2011 12:59 PM by MadMacs0
  • Kurt Lang Level 7 (31,490 points)
    Sep 27, 2011 12:40 PM (in response to Shirley Drabble1)
    Sorry, I meant does Apple have the software built remotely so we don't have to download it.

    That's very vague. Unless you write and compile the software yourself, all software is built remotely and needs to either be purchased on disk or downloaded. What software are you referring to?

  • cathy fasano Level 2 (340 points)
    Sep 27, 2011 1:01 PM (in response to Shirley Drabble1)

    Shirley Drabble1 wrote:

    I tried Spotlight for that .dylib file but the results were inconclusive. I am guessing Spotlight doesn't look in libraries.

    What if anything should I do now?

    Go to the Applications/Utilities folder, and near the bottom is an application, Terminal.app. Double-click on it, and when the terminal window appears, copy/paste the following commands into the terminal window:

    ls -ld ~/Library/Preferences/P*

    ls -l ~/Library/LaunchAgents/

    Nothing on my system looks remotely similar to ~/Library/Preferences/Preferences.dylib or ~/Library/LaunchAgents/com.apple.SystemUI.plist, so I hope that means I'm ok...
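    The two ls commands above, wrapped into a small script as an added example; this is not cathy fasano's code or anything posted in the thread. It assumes the two indicator paths the reply names (~/Library/Preferences/Preferences.dylib and ~/Library/LaunchAgents/com.apple.SystemUI.plist), takes the home directory as an argument so it can be pointed at a clone or at a constructed test tree, and adds a find-based search by exact name because Finder and Spotlight do not reliably surface a .dylib. A hit is a reason to look closer, not proof on its own.

```shell
#!/bin/sh
# Added example (not from the thread): look for the two Flashback indicators
# named in the reply above under a home directory given as $1 (default $HOME).
# The paths are the ones the thread quotes; nothing else is assumed about them.

# Print each indicator that exists; return 1 if any was found, 0 if none.
check_flashback_indicators() {
    home="${1:-$HOME}"
    found=0
    for rel in \
        "Library/Preferences/Preferences.dylib" \
        "Library/LaunchAgents/com.apple.SystemUI.plist"
    do
        if [ -e "$home/$rel" ]; then
            printf 'INDICATOR PRESENT: %s\n' "$home/$rel"
            found=1
        fi
    done
    return $found
}

# List every file in the user's LaunchAgents folder, one path per line, so
# unfamiliar entries can be reviewed (the "ls -l ~/Library/LaunchAgents/" step).
# Note that the trojan's agent uses an Apple-looking name, so do not trust
# the com.apple.* prefix by itself.
list_launch_agents() {
    dir="${1:-$HOME}/Library/LaunchAgents"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 1 -type f | sort
}

# Search the whole Library tree for a file by exact name without relying on
# Spotlight indexing (which skips .dylib files) or on Finder's view.
find_by_name() {
    home="${1:-$HOME}"
    name="$2"
    [ -d "$home/Library" ] || return 0
    find "$home/Library" -name "$name" 2>/dev/null
}

# Run against the real home directory when executed directly:
#   sh check_flashback.sh
check_flashback_indicators "$HOME" || echo "Review the entries above before removing anything."
list_launch_agents "$HOME"
find_by_name "$HOME" "Preferences.dylib"
```

    The functions can also be sourced into an interactive Terminal session and pointed at a mounted clone, e.g. find_by_name /Volumes/Backup/Users/name Preferences.dylib, which is how a Carbon Copy Cloner copy would be checked without booting from it.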

  • SteveKir Level 3 (545 points)
    Sep 27, 2011 1:02 PM (in response to Kurt Lang)

    Whoops! I hope I haven't been caught. In my Download Folder, dated 6 August, is

    "flashplayer11_b2_install_mac_080811.dmg".

    When the .dmg is opened it shows a file "Install Adobe Flash Player", and has an icon:

    [image: Icon.jpg]

    Is that safe? (No trouble yet.)

  • Kurt Lang Level 7 (31,490 points)
    Sep 27, 2011 1:05 PM (in response to SteveKir)

    That is the Trojan. Do not install it.

  • andyBall_uk Level 6 (17,515 points)
    Sep 27, 2011 1:30 PM (in response to Kurt Lang)

    >>That is the Trojan...

    There was apparently a genuine file with the same name, so that isn't certain.

    A number of sites showed it, available from http://labs.adobe.com/downloads/flashplayer11.html

    @Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from Adobe.
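    The Finder "Where from" check above, done from Terminal, as an added example that is not andyBall_uk's or anything from the thread. It assumes the macOS behaviour of recording a download's source URLs in the extended attribute com.apple.metadata:kMDItemWhereFroms as a binary plist, and the xattr, xxd and plutil tools that ship with macOS; the Adobe host test treats adobe.com and macromedia.com (the host the reply quotes) and their subdomains as Adobe's. A file with no recorded origin is of unknown origin, not a safe one.

```shell
#!/bin/sh
# Added example (not from the thread): shell equivalent of Finder > Get Info >
# "Where from" for a downloaded file, plus a strict host check.

# Print the URLs recorded in the where-from attribute of $1, one per line.
# Assumed pipeline: xattr emits the attribute as hex, xxd rebuilds the binary
# plist, plutil renders it as XML, sed pulls out the <string> entries.
download_origins() {
    xattr -p com.apple.metadata:kMDItemWhereFroms "$1" 2>/dev/null \
        | xxd -r -p \
        | plutil -convert xml1 -o - - 2>/dev/null \
        | sed -n 's/^[[:space:]]*<string>\(.*\)<\/string>$/\1/p'
}

# Reduce a URL to its host: drop the scheme, the path/query, any user@ part
# and any :port, then lower-case it.
url_host() {
    printf '%s\n' "$1" \
        | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' \
              -e 's#[/?].*##' \
              -e 's#^[^@]*@##' \
              -e 's#:.*##' \
        | tr 'A-Z' 'a-z'
}

# Return 0 only when the host is adobe.com or macromedia.com or a subdomain
# of one of them. Matching on the host, not on the whole URL, is what stops
# "adobe.com" appearing in a path or a user@ part from passing the test.
is_adobe_host() {
    host="$(url_host "$1")"
    case "$host" in
        adobe.com|*.adobe.com|macromedia.com|*.macromedia.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify every origin recorded on a downloaded file.
report_origin() {
    origins="$(download_origins "$1")"
    if [ -z "$origins" ]; then
        echo "$1: no download origin recorded (origin unknown)"
        return 2
    fi
    printf '%s\n' "$origins" | while read -r url; do
        if is_adobe_host "$url"; then
            echo "Adobe host: $url"
        else
            echo "NOT an Adobe host: $url"
        fi
    done
}

# Usage: sh whence.sh ~/Downloads/flashplayer11_b2_install_mac_080811.dmg
[ -n "${1:-}" ] && report_origin "$1"
```

    The attribute normally holds two entries, the file URL and the page it was downloaded from, and both are classified. On a Mac where Spotlight has indexed the file, mdls -name kMDItemWhereFroms FILE shows the same values without the decoding pipeline.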

  • Linc Davis Level 10 (107,760 points)
    Sep 27, 2011 1:38 PM (in response to MadMacs0)

    Please don't post it here; instead, go to http://mailinator.com/, create a mailbox, post it there and return here with the name you gave the mailbox.

    You don't create mailboxes in Mailinator. Just send mail to a Mailinator address, and the account is created automatically. The messages are deleted after a few hours.

  • SteveKir Level 3 (545 points)
    Sep 27, 2011 1:38 PM (in response to Kurt Lang)

    Oh dear! I downloaded it and ran it about a week or so ago. However, I do not have the file mentioned in the MacFixit site mentioned above, shown below:

    ‘Intego says the program installs its malicious dynamic library in the /username/Library/Preferences/ folder as the file "Preferences.dyld," so you can go to that location and remove that file to dispose of the code.’

    I have searched for a file called "Preferences.dyld" and it is not there. But I have lots of files starting with "dyld" (no dot). They are all in my external backup HD which is a clone of my system disc, done by Carbon Copy Cloner. They are either in a top level folder called _CCC Archives, or in a top level folder called Developer which I am fairly sure is part of Apple's Xcode which I downloaded a few days ago.

    One good thing is that whenever I give my credit card details over the Internet, the documents involved (screen grabs of the transaction) are stored in an encrypted disc image, and my bank account details have never appeared in my computer.

    Have I escaped? If not, what to do? Get Intego pronto?


  • Linc Davis Level 10 (107,760 points)
    Sep 27, 2011 1:41 PM (in response to SteveKir)

    I have searched for a file called "Preferences.dyld" and it is not there.

    The name of the file is "Preferences.dylib". Spotlight won't find it even if you use the right name.

  • Sam Beaver Level 1 (120 points)
    Sep 27, 2011 1:45 PM (in response to Ralph Deen)

    Thanks for the heads up. This "install Flash" thing had popped open earlier today, but I never got around to installing it.

  • Shirley Drabble1 Level 3 (975 points)
    Sep 27, 2011 1:48 PM (in response to Kurt Lang)

    Sorry. I meant, is this part of the Apple Firewall setup, and is it controlled remotely rather than from my own system? Oh, and this is what happened when I typed into Terminal:

    Last login: Tue Sep 13 19:43:53 on console

    **************:~ *********$ ls -ld ~/Library/Preferences/P*

    drwxr-xr-x  2 *********  staff  68 20 Dec  2009 /Users/*************/Library/Preferences/PiratePoppers

    -rw-r--r--@ 1 *******  staff  86  1 Dec  2009 /Users/*************/Library/Preferences/Pref Kunvert 1.0.2***********-MacBook-Pro:~ ***********$

    *****************MacBook-Pro:~ ************$ ls -l ~/Library/LaunchAgents/

    total 88

    -rw-r--r--  1 ***********  staff  589  5 Oct  2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist

    -rw-r--r--  1 *************  staff  543 23 Oct  2010 com.akamai.client.plist

    -rw-r--r--  1 *************  staff  463 15 Oct  2010 com.apple.FTMonitor.plist

    -rw-r--r--  1 *************  staff  425 28 Jul 22:45 com.apple.FolderActions.enabled.plist

    -rw-r--r--  1 ************* staff  589 13 Sep 19:44 com.apple.FolderActions.folders.plist

    -rw-r--r--  1 ************* staff  581 20 Mar  2010 com.apple.MobileMeSyncClientAgent.plist

    -rw-r--r--  1 ************* staff  817 20 Mar  2010 com.apple.SafariBookmarksSyncer.plist

    -rw-r--r--  1 ************* staff  552 20 Oct  2010 com.apple.apsd-ft.plist

    -rw-r--r--  1 *************  staff  411 13 Oct  2010 com.apple.imagent.plist

    -rw-r--r--  1 *************  staff  447 13 Oct  2010 com.apple.marcoagent.plist

    -rw-r--r--  1 *************  staff  561 10 Jul 23:26 com.zeobit.MacKeeper.Helper

    *************-MacBook-Pro:~ *************$

    *************-MacBook-Pro:~ *************$

    This looks OK to me; is it the sort of response I should expect if I don't have anything nasty? :-)

    This is getting a bit confusing.

    Oh, and I run ClamXav as antivirus; would that pick it up at all? I am always aware that I could pass on a nasty through emails or whatever to my non-Mac user friends.

    Thanks

    ****** to hide my system name

  • SteveKir Level 3 (545 points)
    Sep 27, 2011 1:54 PM (in response to Linc Davis)

    Hmmm. I have now used Finder to list "~Library/Preferences" in a standard Finder window and there is no sign of "Preferences.dylib". Does that mean it is not there?

    And, do you know why Spotlight would not find it?

    Thanks

  • Kurt Lang Level 7 (31,490 points)
    Sep 27, 2011 2:08 PM (in response to andyBall_uk)

    Hi Andy,

    It would certainly help if Adobe would stick with one name. I just downloaded the Flash player from their site, and the file has this name:

    install_flash_player_osx_intel.dmg

    Though the name would be different for Windows, Linux or a PowerPC Mac.

    More important is to watch what comes up when you launch the installer. The Trojan looks like this:

    [image: Flashback_270x201.png]

    The real Adobe installer displays this:

    [image: OfficialFlashInstaller_270x178.png]

    The image above I incorrectly flagged was the icon that displays when you open the Adobe .dmg file:

    [image: flash icon.png]

    Upon opening that, the installer package should look like this:

    [image: Screen shot 2011-09-27 at 3.59.31 PM.png]

    Be very wary of anything else you may download.

  • Linc Davis Level 10 (107,760 points)
    Sep 27, 2011 2:04 PM (in response to SteveKir)

    I have now used Finder to list "~Library/Preferences" in a standard Finder window and there is no sign of "Preferences.dylib". Does that mean it is not there?

    Not necessarily. The file could be hidden in the Finder. You could have a variant of the trojan that doesn't install that file, or the information you're relying on could be inaccurate. Trying to detect trojans by poking around with the Finder, without really knowing what you're looking for, is not much use.

    And, do you know why Spotlight would not find it?

    It doesn't show that type of file. If you want comprehensive file searches by name, you either have to use a shell command, which is unsuitable for non-technical users, or a third-party tool such as EasyFind.

  • andyBall_uk Level 6 (17,515 points)
    Sep 27, 2011 2:12 PM (in response to Kurt Lang)

    >>It would certainly help if Adobe would stick with one name.

    They do, mostly - at least for the one at http://get.adobe.com/flashplayer/ rather than the developer previews. The filename mentioned above was a beta of v11; the current release candidate is flashplayer11_rc1_install_mac_090611.dmg, for example.

  • SteveKir Level 3 (545 points)
    Sep 27, 2011 2:13 PM (in response to Linc Davis)

    I have now used EasyFind to search for Files and Folders called "Preferences.dylib" and it has not found it.

    Am I safe?
