Ralph Deen

Q: new malware disguised as flash installer

I'm a dummy... fell for the ruse. Any ideas on how to get rid of this new malware? Thanks

iMac, Mac OS X (10.6.8)

Posted on Sep 27, 2011 7:45 AM


Page 4 of 9
  • by Linc Davis, Level 10 (208,037 points), Sep 27, 2011 6:00 PM in response to SteveKir

    Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

    Any of that is possible, though as far as I'm aware it has never happened before now. When you enter your administrator password, you give the developer of the software that prompts for it the same degree of control over your computer that you have yourself. Think about that every time you do it, and maybe you'll have taken the first step toward real data security. I should say that I don't know whether you installed a trojan or not. For all I know, you may merely have installed Flash.

  • by MadMacs0, Level 5 (4,801 points), Sep 27, 2011 9:06 PM in response to WZZZ

    WZZZ wrote:

    Maybe MadMacs0 will let us know as soon as ClamX has cataloged it.

    It appears to have been there most of the day.  They probably forgot to label it as "OSX"

    ClamAV database updated (27 Sep 2011 09-39 -0400): daily.cvd
    Version: 13681

    Submission-ID: 25229096
    Sender: Virus Total
    Sender: VirScan.org
    Added: Trojan.Flashback

    I hope to be able to confirm something more tomorrow, but it would still help us all to get a URL sent off to mailinator.

  • by Louie Sherwin, Level 1 (0 points), Sep 27, 2011 9:40 PM in response to MadMacs0

    MadMacs0 wrote:

    Louie Sherwin wrote:

    ...What happens if I delete the SystemUI.plist file. Anything terrible that I will mess up?

    Well I'm not the best source of info on this as I'm running Leopard, but that file doesn't exist anywhere on my Mac.

    Well, what happens to me is that I can no longer log in to my user account :-(

    Also, everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.

    It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.

    Anyone have any ideas?

  • by MadMacs0, Level 5 (4,801 points), Sep 28, 2011 12:29 AM in response to Louie Sherwin

    Louie Sherwin wrote:

    everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.

    Thanks for passing that on.

    It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.

    Anyone have any ideas?

    Assume you've checked all the obvious LaunchAgents, LaunchDaemons, Startup Items in ~/Library/, /Library/ and /System/Library/ along with System Preferences->Accounts-><username>->Login Items. The latter can be found in ~/Library/Preferences/com.apple.loginitems.plist. There's also one of those in /Library/Preferences/ but mine is blank and I would not think that it could affect a user login.

    Anything in /Library/Logs/HangReporter/ that would help?

    I've known Frameworks and Prefs Panels to be able to start processes, but that's like looking for a needle in a haystack if you don't know where to start.

  • by SteveKir, Level 3 (546 points), Sep 28, 2011 12:50 AM in response to andyBall_uk

      @Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.

    It does not say that. There is nothing about the download source.

  • by Tycoon24, Level 1 (15 points), Sep 28, 2011 1:12 AM in response to Louie Sherwin

    The malicious code is installed in a file at ~/Library/Preferences/Preferences.dylib, according to Intego's security researchers: http://blog.intego.com/2011/09/27/more-about-the-flashback-trojan-horse/

    "The Trojan horse installs a backdoor, at ~/Library/Preferences/Preferences.dylib, which communicates with a remote server, sending and receiving data using RC4 encryption. [...] The backdoor is able to download further software, but, for now, we are not seeing this activity. It is also able to update itself, and creates an Sha1 hash of the malware to see if it has changed."

  • by MadMacs0, Level 5 (4,801 points), Sep 28, 2011 2:36 AM in response to MadMacs0

    I received a note from a ClamXav user that he had downloaded the Trojan and ClamXav did not catch it. The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".

    I went to the site and briefly saw the page described this evening by Intego here but then it redirected me to the Google home page without downloading the Trojan. Tried with Opera, Firefox and Safari. Whenever I tried a second time it redirected to Google immediately, so it must have left a cookie. I suspect it's because it knows I'm running Leopard on a PPC. Last few bits of malware have been Intel only.

  • by MadMacs0, Level 5 (4,801 points), Sep 28, 2011 2:38 AM in response to SteveKir

    SteveKir wrote:

      @Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.

    It does not say that. There is nothing about the download source.

    There's another way to check using Terminal to read the extended attributes, but I doubt that it's worth the effort if it's not showing up in the Finder info box.
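The "extended attributes" MadMacs0 mentions are the download provenance Finder shows as "Where from" (Spotlight's kMDItemWhereFroms attribute). The script below is an added example, not code from the thread or any poster: it reads that attribute with `mdls -name kMDItemWhereFroms` (which prints the URLs in readable form, whereas `xattr -p` dumps a binary plist) and reports whether every recorded source is one of the Adobe hosts named in the thread. The accepted host list and the sample URLs in the comments are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: check a downloaded file's
# recorded source ("Where from" in Finder's Get Info) and decide whether
# every source is an Adobe host.  The expected hosts are an assumption
# taken from the post quoted above (download.macromedia.com, *.adobe.com).

# Turn the output of `mdls -name kMDItemWhereFroms <file>` (read on stdin)
# into one host name per line.  mdls prints the attribute as a parenthesised
# list of double-quoted URLs, or as "(null)" when nothing was recorded,
# which is the situation SteveKir reports.
where_from_hosts() {
    grep -o '"[^"]*"' | tr -d '"' \
        | sed -E 's,^[A-Za-z][A-Za-z0-9+.-]*://([^/:?#]+).*$,\1,'
}

# Return 0 if the host is one of the expected Adobe download hosts.
is_adobe_host() {
    case "$1" in
        download.macromedia.com|*.adobe.com|adobe.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Read hosts (one per line) on stdin and print a verdict:
#   "ok"      - every recorded source is an Adobe host
#   "suspect" - at least one source is something else
#   "unknown" - no source recorded at all (as in SteveKir's case above)
classify_sources() {
    count=0
    bad=0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        count=$((count + 1))
        is_adobe_host "$host" || bad=$((bad + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo unknown
    elif [ "$bad" -eq 0 ]; then
        echo ok
    else
        echo suspect
    fi
}

# Wrapper for use on a Mac, e.g.  check_download ~/Downloads/FlashPlayer.dmg
# (constructed file name).  Prints ok / suspect / unknown.
check_download() {
    mdls -name kMDItemWhereFroms "$1" | where_from_hosts | classify_sources
}
```

An "unknown" verdict is exactly what the Finder box showing nothing means: the attribute is written by the browser that saved the file, so a package delivered some other way carries no provenance at all, and absence of a record is not evidence either way.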

  • by Linc Davis, Level 10 (208,037 points), Sep 28, 2011 6:19 AM in response to MadMacs0

    The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".

    Gone. Please send it there again.

  • by WZZZ, Level 6 (13,112 points), Sep 28, 2011 6:34 AM in response to Linc Davis

    Linc Davis wrote:

    The URL he downloaded it from is in mailinator mailbox "flashbacktrojan".

    Gone. Please send it there again.

    Maybe it can just be posted directly here in some obfuscated way so it doesn't parse?

  • by laverne's mom, Level 2 (395 points), Sep 28, 2011 6:47 AM in response to WZZZ

    I've been reading this and am a bit confused. I usually check Firefox's Plug-in updates page and when it says update now, click on that and I thought it took me to the Adobe site and I download from there. I'm pretty sure that it looked like the Flash update is supposed to, and the plug-in check says it's up to date now. I am running Snow Leopard, not Lion, and can't find anything in preferences which looks like the file you all have been talking about. Where would that file which indicates the trojan be in Snow Leopard?

    Thank you,

    laverne's mom

  • by WZZZ, Level 6 (13,112 points), Sep 28, 2011 6:55 AM in response to laverne's mom

    If you went to Firefox>Check your plug-ins and that took you to the Adobe site, you got the real thing. This thing is coming from a malicious link that may appear somewhere on a page.

    If you have Flash 10.3, you can also go to Sys Prefs>Other>Flash Player. In the Advanced panel>Updates>Check now. You should also have the default "Check for updates" checked.

  • by cathy fasano, Level 2 (350 points), Sep 28, 2011 6:53 AM in response to Ralph Deen

    Do we know whether the trojan also installs the legitimate flash player? (That would be clever...)

  • by Louie Sherwin, Level 1 (0 points), Sep 28, 2011 7:00 AM in response to MadMacs0

    MadMacs0 wrote:

    Louie Sherwin wrote:

    everyone should note that the SystemUI.plist file references an additional file that it wants to load. That is perflib, which is also in my Preferences folder and is a binary file.

    Thanks for passing that on.

    It seems that this application puts something else in my startup scripts that I cannot find and it causes my login to hang.

    Anyone have any ideas?

    Assume you've checked all the obvious LaunchAgents, LaunchDaemons, Startup Items in ~/Library/, /Library/ and /System/Library/ along with System Preferences->Accounts-><username>->Login Items. The latter can be found in ~/Library/Preferences/com.apple.loginitems.plist. There's also one of those in /Library/Preferences/ but mine is blank and I would not think that it could affect a user login.

    Anything in /Library/Logs/HangReporter/ that would help?

    I've known Frameworks and Prefs Panels to be able to start processes, but that's like looking for a needle in a haystack if you don't know where to start.

    OK, the next clue... In my Console log:

    com.apple.launchd.peruser.501[266]   dyld: could not load inserted library: <username>/Preferences/Preferences.dylib

    It will repeat this line until I hit the power button and reboot.

    I don't see anything yet in the locations that you suggest. I am still poking around with a root shell in the new admin account I created on the same system.
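MadMacs0's checklist of startup locations (quoted above) and the dyld line in Louie Sherwin's Console log together say what a sweep should look for: "could not load inserted library" is the message dyld prints when the DYLD_INSERT_LIBRARIES environment variable names a library it cannot open, which fits a per-user launchd session hanging at login. The script below is an added example, not code from the thread or any poster. It walks the LaunchAgents, LaunchDaemons and StartupItems directories in the three Library trees plus the login-items plist, and greps each file for the names posted in this thread (Preferences.dylib, SystemUI.plist, perflib) and for DYLD_INSERT_LIBRARIES. Including ~/.MacOSX/environment.plist (the per-user environment file read at login on 10.6 and earlier) is this example's assumption about where such a variable would be set; the thread does not name that file. The root/home parameters and the constructed demo tree are also assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: sweep the startup locations
# MadMacs0 lists for the artifacts named in this thread.  "dyld: could not
# load inserted library" is what dyld prints when DYLD_INSERT_LIBRARIES
# points at a library it cannot load, so that variable is an indicator too.
# ~/.MacOSX/environment.plist is included as this example's assumption about
# where a per-user DYLD_INSERT_LIBRARIES would be set on 10.6 and earlier.

# File names posted in the thread plus the dyld variable (ERE alternation).
INDICATORS='Preferences\.dylib|SystemUI\.plist|perflib|DYLD_INSERT_LIBRARIES'

# Print the directories to inspect.  $1 is the system root ("" for the live
# system, or the mount point of a copied volume); $2 is the user's home.
startup_dirs() {
    for base in "$2/Library" "$1/Library" "$1/System/Library"; do
        for sub in LaunchAgents LaunchDaemons StartupItems; do
            echo "$base/$sub"
        done
    done
    echo "$2/.MacOSX"
}

# Print every file under those directories, plus the login-items plist
# MadMacs0 points to, whose contents match an indicator.  Binary plists do
# not match grep; on a Mac convert them first with
#   plutil -convert xml1 -o - <file> | grep -E "$INDICATORS"
sweep_persistence() {
    root=$1
    user_home=$2
    startup_dirs "$root" "$user_home" | while IFS= read -r dir; do
        if [ -d "$dir" ]; then
            find "$dir" -type f 2>/dev/null
        fi
    done | while IFS= read -r f; do
        if grep -E -q "$INDICATORS" "$f" 2>/dev/null; then
            echo "$f"
        fi
    done
    login_items="$user_home/Library/Preferences/com.apple.loginitems.plist"
    if [ -f "$login_items" ] && grep -E -q "$INDICATORS" "$login_items" 2>/dev/null; then
        echo "$login_items"
    fi
}

# Constructed sample tree (not a real infection) so the sweep can be run
# offline: one benign launch agent and one environment.plist that inserts
# the library named in the thread.  Prints the tree's root; the user home
# inside it is <root>/Users/victim.
make_demo_tree() {
    demo_root=$(mktemp -d)
    demo_home="$demo_root/Users/victim"
    mkdir -p "$demo_home/Library/LaunchAgents" "$demo_home/.MacOSX" \
             "$demo_root/Library/LaunchDaemons"
    printf '<plist version="1.0"><dict><key>Label</key><string>com.example.ok</string></dict></plist>\n' \
        > "$demo_home/Library/LaunchAgents/com.example.ok.plist"
    printf '<plist version="1.0"><dict><key>DYLD_INSERT_LIBRARIES</key><string>%s</string></dict></plist>\n' \
        "$demo_home/Library/Preferences/Preferences.dylib" \
        > "$demo_home/.MacOSX/environment.plist"
    echo "$demo_root"
}

# On the affected Mac:            sweep_persistence "" "$HOME"
# On the constructed demo tree:   sh sweep.sh --demo   (file name assumed)
if [ "${1:-}" = "--demo" ]; then
    r=$(make_demo_tree)
    sweep_persistence "$r" "$r/Users/victim"
    rm -rf "$r"
fi
```

Running it against the demo tree prints only the environment.plist path; the benign agent is left alone. On a live system every hit is a file to read, not something to delete on sight: a launch agent from a legitimate installer can reference a library of the same name, and the list of indicators is only as good as what this thread has identified so far.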

  • by cathy fasano, Level 2 (350 points), Sep 28, 2011 7:09 AM in response to Louie Sherwin

    Have you tried creating an empty file as Preferences/Preferences.dylib? Or a copy of a legitimate library that does something else? Something has told the OS to expect that the file is there, so can you fool it into thinking that the file is there using some other file?
