128 Replies Latest reply: Oct 24, 2011 12:59 PM by MadMacs0
  • 45. Re: new malware disguised as flash installer
    Linc Davis Level 10 (118,460 points)

    Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

    Any of that is possible, though as far as I'm aware it has never happened before now. When you enter your administrator password, you give the developer of the software that prompts for it the same degree of control over your computer that you have yourself. Think about that every time you do it, and maybe you'll have taken the first step toward real data security. I should say that I don't know whether you installed a trojan or not. For all I know, you may merely have installed Flash.

  • 46. Re: new malware disguised as flash installer
    MadMacs0 Level 4 (3,735 points)

    WZZZ wrote:

    Maybe MadMacs0 will let us know as soon as ClamX has cataloged it.

    It appears to have been there most of the day. They probably forgot to label it as "OSX"

    ClamAV database updated (27 Sep 2011 09-39 -0400): daily.cvd
    Version: 13681

    Submission-ID: 25229096
    Sender: Virus Total
    Sender: VirScan.org
    Added: Trojan.Flashback

    I hope to be able to confirm something more tomorrow, but it would still help us all to get a URL sent off to mailinator.

  • 47. Re: new malware disguised as flash installer
    Louie Sherwin Level 1 (0 points)

    MadMacs0 wrote:

    Louie Sherwin wrote:

    ...What happens if I delete the SystemUI.plist file. Anything terrible that I will mess up?

    Well I'm not the best source of info on this as I'm running Leopard, but that file doesn't exist anywhere on my Mac.

    Well what happens to me is that I can no longer log in to my user account :-(

    Also everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.

    It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.

    Anyone have any ideas?

  • 48. Re: new malware disguised as flash installer
    MadMacs0 Level 4 (3,735 points)

    Louie Sherwin wrote:

    everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.

    Thanks for passing that on.

    It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.

    Anyone have any ideas?

    Assume you've checked all the obvious LaunchAgents, LaunchDaemons, Startup Items in ~/Library/, /Library/ and /System/Library/ along with System Preferences->Accounts-><username>->Login Items. The latter can be found in ~/Library/Preferences/com.apple.loginitems.plist. There's also one of those in /Library/Preferences/ but mine is blank and I would not think that it could affect a user login.

    Anything in /Library/Logs/HangReporter/ that would help?

    I've known Frameworks and Prefs Panels to be able to start processes, but that's like looking for a needle in a haystack if you don't know where to start.

  • 49. Re: new malware disguised as flash installer
    SteveKir Level 3 (545 points)

      @Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.

    It does not say that. There is nothing about the download source.

  • 50. Re: new malware disguised as flash installer
    Tycoon24 Level 1 (15 points)

    The malicious code is installed in a file at ~/Library/Preferences/Preferences.dylib, according to Intego's security researchers: http://blog.intego.com/2011/09/27/more-about-the-flashback-trojan-horse/

    "The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. [...] The backdoor is able to download further software, but, for now, we are not seeing this activity. It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed."

  • 51. Re: new malware disguised as flash installer
    MadMacs0 Level 4 (3,735 points)

    I received a note from a ClamXav user that he had downloaded the Trojan and ClamXav did not catch it. The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".

    I went to the site and briefly saw the page described this evening by Intego here but then it redirected me to the Google home page without downloading the Trojan. Tried with Opera, Firefox and Safari. Whenever I tried a second time it redirected to Google immediately, so it must have left a cookie. I suspect it's because it knows I'm running Leopard on a PPC. Last few bits of malware have been Intel only.

  • 52. Re: new malware disguised as flash installer
    MadMacs0 Level 4 (3,735 points)

    SteveKir wrote:

      @Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.

    It does not say that. There is nothing about the download source.

    There's another way to check using Terminal to read the extended attributes, but I doubt that it's worth the effort if it's not showing up in the Finder info box.
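The Terminal route alluded to above, as an added example that is not from the thread: macOS records a downloaded file's source in the com.apple.metadata:kMDItemWhereFroms extended attribute as a binary plist array (download URL first, referring page second). This Python decodes such a value and compares the download host with the Adobe host named earlier in the thread; the attribute bytes are constructed in the script, where on a real Mac they would come from `xattr -px com.apple.metadata:kMDItemWhereFroms <file>`.

```python
import plistlib
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Host the thread identifies as the genuine Flash download source.
ADOBE_HOST = "download.macromedia.com"


def where_froms(attr_value):
    """Decode the kMDItemWhereFroms attribute (a binary-plist array of URLs:
    download URL first, referring page second). Returns [] when the attribute
    is absent or is not a plist array, which is what a file that no browser
    downloaded looks like."""
    if not attr_value:
        return []
    try:
        data = plistlib.loads(attr_value)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return []
    if not isinstance(data, list):
        return []
    return [u for u in data if isinstance(u, str)]


def download_origin(attr_value):
    """'adobe' if the download URL's host is Adobe's, 'unknown' if no source
    was recorded, otherwise 'untrusted:<host>' for the analyst to judge."""
    urls = where_froms(attr_value)
    if not urls:
        return "unknown"
    host = (urlparse(urls[0]).hostname or "").lower()
    return "adobe" if host == ADOBE_HOST else "untrusted:" + host


# Constructed sample attribute values, built with plistlib so the check runs
# offline (on macOS the bytes come from `xattr -px ... <file>`).
ADOBE_ATTR = plistlib.dumps(
    ["http://download.macromedia.com/pub/labs/flashplatformruntimes/EXAMPLE_installer.dmg",
     "http://referrer.example/page.html"],
    fmt=plistlib.FMT_BINARY)
FAKE_ATTR = plistlib.dumps(
    ["http://flash-update.attacker.example/FlashPlayer.pkg",
     "http://some-site.example/page.html"],
    fmt=plistlib.FMT_BINARY)
```

A file with no attribute at all is the case SteveKir reports ("nothing about the download source"), which the check reports as unknown rather than trusted.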

  • 53. Re: new malware disguised as flash installer
    Linc Davis Level 10 (118,460 points)

    The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".

    Gone. Please send it there again.

  • 54. Re: new malware disguised as flash installer
    WZZZ Level 6 (12,225 points)

    Linc Davis wrote:

    The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".

    Gone. Please send it there again.

    Maybe it can just be posted directly here in some obfuscated way so it doesn't parse?

  • 55. Re: new malware disguised as flash installer
    laverne's mom Level 2 (395 points)

    I've been reading this and am a bit confused. I usually check Firefox's Plug-in updates page and when it says update now, click on that and I thought it took me to the Adobe site and I download from there. I'm pretty sure that it looked like the flash update is supposed to. And the plug-in check says it's up to date now. I am running Snow Leopard, not Lion, and can't find anything in preferences which looks like the file you all have been talking about. Where would that file which indicates the trojan be in Snow Leopard?

    Thank you,

    laverne's mom

  • 56. Re: new malware disguised as flash installer
    WZZZ Level 6 (12,225 points)

    If you went to Firefox>Check your plug-ins and that took you to the Adobe site, you got the real thing. This thing is coming from a malicious link that may appear somewhere on a page.

    If you have Flash 10.3, you can also go to Sys Prefs>Other>Flash Player. In the Advanced panel>Updates>Check now. You should also have the default "Check for updates" checked.

  • 57. Re: new malware disguised as flash installer
    cathy fasano Level 2 (340 points)

    Do we know whether the trojan also installs the legitimate flash player?  (That would be clever...)

  • 58. Re: new malware disguised as flash installer
    Louie Sherwin Level 1 (0 points)

    MadMacs0 wrote:

    Louie Sherwin wrote:

    everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.

    Thanks for passing that on.

    It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.

    Anyone have any ideas?

    Assume you've checked all the obvious LaunchAgents, LaunchDaemons, Startup Items in ~/Library/, /Library/ and /System/Library/ along with System Preferences->Accounts-><username>->Login Items. The latter can be found in ~/Library/Preferences/com.apple.loginitems.plist. There's also one of those in /Library/Preferences/ but mine is blank and I would not think that it could affect a user login.

    Anything in /Library/Logs/HangReporter/ that would help?

    I've known Frameworks and Prefs Panels to be able to start processes, but that's like looking for a needle in a haystack if you don't know where to start.

    OK, the next clue... In my Console log:

    com.apple.launchd.peruser.501[266]   dyld: could not load inserted library: <username>/Preferences/Preferences.dylib

    It will repeat this line until I hit the power button and reboot.

    I don't see anything yet in the locations that you suggest. I am still poking around with a root shell in the new admin account I created on the same system.
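An added triage script, not code from the thread, for the two clues in this post and for the list of startup locations MadMacs0 gives in post 48: it pulls the library path out of dyld Console lines like the one quoted above, then sweeps decoded launchd-style plists (the LaunchAgents/LaunchDaemons files, each loaded with plistlib) for jobs that inject a library through DYLD_INSERT_LIBRARIES or run a non-plist file out of the Preferences folder, where perflib and Preferences.dylib were found. The sample Console lines, the `/Users/victim` home and the SystemUI.plist stand-in are constructed.

```python
import re

# Console line format from the post; the library path follows the message.
DYLD_ERR = re.compile(r"dyld: could not load inserted library: (\S+)")
PREFS_DIR = "/Library/Preferences/"   # substring match, so any home directory works


def dyld_inserted_libraries(console_text):
    """Distinct library paths dyld refused to insert, in first-seen order."""
    found = []
    for lib in DYLD_ERR.findall(console_text):
        if lib not in found:
            found.append(lib)
    return found


def suspicious_loaders(plists):
    """plists: {plist path: decoded launchd-style dict} (use plistlib.load on
    each file under the LaunchAgents/LaunchDaemons folders). Returns
    (plist path, offending value) for every job that injects a library via
    DYLD_INSERT_LIBRARIES or runs a non-.plist file out of Preferences."""
    hits = []
    for path, job in plists.items():
        env = job.get("EnvironmentVariables", {})
        if "DYLD_INSERT_LIBRARIES" in env:
            hits.append((path, env["DYLD_INSERT_LIBRARIES"]))
            continue
        for value in [job.get("Program", "")] + list(job.get("ProgramArguments", [])):
            if PREFS_DIR in value and not value.endswith(".plist"):
                hits.append((path, value))
                break
    return hits


# Constructed sample input: the Console line from the post repeated, plus a
# benign job and a stand-in for the SystemUI.plist/perflib pair discussed above.
CONSOLE = ("com.apple.launchd.peruser.501[266]   dyld: could not load inserted "
           "library: /Users/victim/Library/Preferences/Preferences.dylib\n") * 3
CONSOLE += "loginwindow[77]: unrelated line\n"
SAMPLE_PLISTS = {
    "~/Library/LaunchAgents/com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--quiet"]},
    "~/Library/LaunchAgents/SystemUI.plist": {
        "Label": "SystemUI",
        "ProgramArguments": ["/Users/victim/Library/Preferences/perflib"],
        "EnvironmentVariables": {
            "DYLD_INSERT_LIBRARIES": "/Users/victim/Library/Preferences/Preferences.dylib"}},
}
```

A library path that shows up in both outputs ties the login hang to the plist that loads it, which is the needle MadMacs0's haystack remark is about.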

  • 59. Re: new malware disguised as flash installer
    cathy fasano Level 2 (340 points)

    Have you tried creating an empty file as Preferences/Preferences.dylib ?  Or a copy of a legitimate library that does something else?  Something has told the OS to expect that the file is there, so can you fool it into thinking that the file is there using some other file?
