
Flashback.C Trojan-Downloader

6820 Views 11 Replies Latest reply: Oct 21, 2011 1:28 AM by MadMacs0
orienteer
Oct 20, 2011 2:46 AM

Ars Technica recently published a story about Flashback.C and a link to F-Secure to fix it.

Now I'm panicking, as I did update Flash recently, but can't remember the look of the update screen.

It's such a common practice that Flash needs updating frequently that it didn't seem unusual. I'm really careful about this sort of thing and I only updated after ignoring a few previous notices.

The instructions on F-Secure tell you what files are created and to delete them. But the problem I had when checking is that it's not conclusive.

Example:

  • The following line is inserted into "/Applications/Safari.app/Contents/Info.plist":
    • <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key><string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

  • The following line is inserted into "/Applications/Firefox.app/Contents/Info.plist":
    • <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key><string>/Applications/Firefox.app/Contents/Resources/%payload_filename%</string></dict>

The installer then restarts running instances of Safari and Firefox in order to take the payload into effect. The installer also disables the built-in anti-malware feature in Mac OS X. It unloads the XProtectUpdater daemon, and then wipes out the following files:

  • /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
  • /usr/libexec/XProtectUpdater

I don't have that entry line in my plist files, but I also don't have the file /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

How can I check that the Flash update I did wasn't this trojan?

I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.

iMac, Mac OS X (10.6.8)
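As an added example (not from this thread, and not F-Secure's or Apple's code), here is a Python check for the two things the F-Secure description above names: an LSEnvironment/DYLD_INSERT_LIBRARIES entry in the Safari and Firefox Info.plist files, and whether the XProtectUpdater files the installer deletes are still present. It runs against a constructed, labelled sample plist; the payload filename is a placeholder because the write-up elides it.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample (not a real capture): a Safari-style Info.plist carrying the
# LSEnvironment entry F-Secure describes; the payload filename is a placeholder.
INFECTED_PLIST = b"""<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
  <string>/Applications/Safari.app/Contents/Resources/PAYLOAD_PLACEHOLDER</string></dict>
</dict></plist>"""
CLEAN_PLIST = b"""<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

# Paths named in the thread: the browser plists the installer edits and the
# XProtectUpdater files it deletes (given relative to the root being audited).
BROWSER_PLISTS = ["Applications/Safari.app/Contents/Info.plist",
                  "Applications/Firefox.app/Contents/Info.plist"]
XPROTECT_FILES = ["System/Library/LaunchDaemons/com.apple.xprotectupdater.plist",
                  "usr/libexec/XProtectUpdater"]

def injected_libraries(plist_bytes):
    """Paths listed under LSEnvironment/DYLD_INSERT_LIBRARIES (colon-separated), or []."""
    env = plistlib.loads(plist_bytes).get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    return [p for p in str(env.get("DYLD_INSERT_LIBRARIES", "")).split(":") if p]

def audit(root="/"):
    """Flag browser plists under root that inject a library; list missing XProtect files."""
    root = Path(root)
    injected = {}
    for rel in BROWSER_PLISTS:
        path = root / rel
        if path.is_file():
            libs = injected_libraries(path.read_bytes())
            if libs:
                injected["/" + rel] = libs
    missing = ["/" + rel for rel in XPROTECT_FILES if not (root / rel).exists()]
    return {"injected": injected, "xprotect_missing": missing}

def demo():
    """Audit a throwaway tree holding an infected Safari plist and a clean Firefox one."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in zip(BROWSER_PLISTS, (INFECTED_PLIST, CLEAN_PLIST)):
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True)
            path.write_bytes(data)
        return audit(tmp)  # on a real Mac, audit() alone with no findings is the clean result
```

Running audit() on a live 10.6 system with an empty "injected" map and an empty "xprotect_missing" list is the clean result; a missing updater plist on its own, as in the question, is only one of the two indicators and deserves a second look rather than a verdict.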
  • X423424X Level 6 (14,190 points)
    Oct 20, 2011 3:06 AM (in response to orienteer)

    orienteer wrote: How can I check that the Flash update I did wasn't this trojan?

    I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.

    If that's the version you installed then you are probably ok. Where did you download the installer from (adobe and macupdate are reliable)? Also look in your /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt. You should also have a prefPane called Flash Player.

  • ds store Level 7 (30,305 points)
    Oct 20, 2011 3:14 AM (in response to orienteer)

    Here is a complete list of the (Flashback trojan) files installed:

    1. .MacOSX/environment.plist
    2. Library/LaunchAgents/com.apple.SystemUI.plist
    3. Library/Preferences/perflib
    4. Library/Preferences/Preferences.dylib
    5. Library/Logs/swlog

    Use the free Easy Find and search for the files (start with #4 "Preferences.dylib" first)

    http://download.cnet.com/EasyFind/3000-2248_4-8707.html

    Delete all those (may need to turn on hidden files with TinkerTool to get the .MacOSX folder to show, then turn it off) and reboot

    More info here; follow Linc Davis's posts:

    https://discussions.apple.com/thread/3349492?start=60&tstart=0

    Best thing to do is back up files and wipe and install

    https://discussions.apple.com/message/16276201#16276201

  • jsd2 Level 5 (6,200 points)
    Oct 20, 2011 6:04 AM (in response to orienteer)

    I believe the files on that "complete list" only apply to the earlier versions of the Flashback Trojan.

    From a recent Intego Security blog posting:

    -------

    We’ve seen several variants of the Flashback Trojan horse, since Intego first discovered this malware on September 26. The latest version, Flashback.D, has gotten a bit sneakier.

    ...

    Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.

    -------

    Mac Mini, Mac OS X (10.6.8), dual-boot Lion OS X 10.7.2
  • WZZZ Level 6 (11,880 points)
    Oct 20, 2011 7:46 AM (in response to jsd2)

    I just rebooted this morning. I'm seeing the latest XProtect update from Apple appears still as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B), .C & .D.

    >orienteer: I don't have any of those files, but I also don't have the file: /System/Library

    It's here. And you must have /System/Library or your computer wouldn't be working at all.

    XProtect.plist location: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

  • NoHoQB
    Oct 20, 2011 9:14 AM (in response to WZZZ)

    WZZZ, I found the XProtect.plist but how do I find out what version it is?

    Thanks!

  • jsd2 Level 5 (6,200 points)
    Oct 20, 2011 10:44 AM (in response to orienteer)

    I think you are fine. One precaution for the future is never to click on a link in a popup notice that says that you need to download a Flash update (or anything else!). Instead, dismiss the popup and go directly to Adobe's download site via your browser.

  • WZZZ Level 6 (11,880 points)
    Oct 20, 2011 3:56 PM (in response to orienteer)

    orienteer wrote: My XProtect.plist is dated 17 Oct and only has OSX.FlashBack.A listed.

    Hmm, as I said above, my most recent is dated Oct 14. ???

    orienteer wrote: I don't have any of those files, but I also don't have the file: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    should I?

    Badly misread that before. Yes, you should have it. Don't know why it would be AWOL. Check again?

  • MadMacs0 Level 4 (3,320 points)
    Oct 21, 2011 1:28 AM (in response to WZZZ)

    WZZZ wrote: I just rebooted this morning. I'm seeing the latest XProtect update from Apple appears still as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B), .C & .D.

    According to Intego they found this version a week ago and call it Flashback.D, so Apple may be OK. Based on the MD5 hash that F-Secure posted, ClamXav matches it with OSX.Flashback-3 which was also made available on Oct 14. I can only guess that Apple must be calling everything .A.
