11 Replies Latest reply: Oct 21, 2011 1:28 AM by MadMacs0
orienteer Level 1 (0 points)

ars technica recently published a story about Flashback.C and a link to F-Secure to fix it.

Now I'm panicking, as I did update Flash recently, but can't remember the look of the update screen.

It's such a common practice that Flash needs updating frequently that it didn't seem unusual. I'm really careful about this sort of thing and I only updated after ignoring a few previous notices.


The instructions on F-Secure tell you what files are created and to delete them. But the problem I had when checking is that it's not conclusive.

Example:

  • The following line is inserted into "/Applications/Safari.app/Contents/Info.plist":
    • <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
      <string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

  • The following line is inserted into "/Applications/Firefox.app/Contents/Info.plist":
    • <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
      <string>/Applications/Firefox.app/Contents/Resources/%payload_filename%</string></dict>


The installer then restarts running instances of Safari and Firefox so that the payload takes effect. The installer also disables the built-in anti-malware feature in Mac OS X. It unloads the XProtectUpdater daemon, and then wipes out the following files:

  • /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
  • /usr/libexec/XProtectUpdater


I don't have that entry line in my plist files, but I also don't have the file /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

How can I check that the Flash update I did wasn't this trojan?

I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.


iMac, Mac OS X (10.6.8)
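The two indicators quoted from F-Secure above (the LSEnvironment/DYLD_INSERT_LIBRARIES entry in a browser's Info.plist, and the removal of the XProtectUpdater files) can be checked with a short script. This is an added example, not code from the thread or from F-Secure; the bundle and updater paths are the ones quoted in the post, and the sample plists it writes to a temporary directory are constructed test data so that it runs off a Mac as well.

```shell
#!/bin/sh
# Added example (not from the thread or F-Secure's write-up): defender-side
# checks for the two indicators quoted in the post. Paths come from the post;
# the sample files created below are constructed test data.

# Return 0 when the given Info.plist has no LSEnvironment entry that sets
# DYLD_INSERT_LIBRARIES, 1 when it does, 2 when the file is absent.
check_info_plist() {
    plist="$1"
    if [ ! -f "$plist" ]; then
        echo "missing: $plist"
        return 2
    fi
    # Flatten to one line first: the post shows the <string> on a second
    # line, so a line-by-line grep for the key/value pair would miss it.
    if tr -d '\n' < "$plist" | grep -q 'LSEnvironment.*DYLD_INSERT_LIBRARIES'; then
        echo "SUSPICIOUS: $plist sets DYLD_INSERT_LIBRARIES via LSEnvironment"
        return 1
    fi
    echo "clean: $plist"
    return 0
}

# The installer is said to wipe these two files. Report each one under an
# optional root prefix (empty for the live system); return how many are missing.
check_xprotect_updater() {
    root="${1:-}"
    missing=0
    for f in /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist \
             /usr/libexec/XProtectUpdater; do
        if [ -e "$root$f" ]; then
            echo "present: $f"
        else
            echo "MISSING: $f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample data so the checks can be exercised offline.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/clean" "$DEMO/infected" \
         "$DEMO/root/System/Library/LaunchDaemons" "$DEMO/root/usr/libexec"
cat > "$DEMO/clean/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>
EOF
# Same file with the entry the post quotes, split over two lines as shown there.
cat > "$DEMO/infected/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>
</dict></plist>
EOF
# An intact "system root" in which both updater files are present.
: > "$DEMO/root/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
: > "$DEMO/root/usr/libexec/XProtectUpdater"

check_info_plist "$DEMO/clean/Info.plist"
check_info_plist "$DEMO/infected/Info.plist" || true
check_xprotect_updater "$DEMO/root"
```

On a Mac the same functions are run against the real files: `check_info_plist /Applications/Safari.app/Contents/Info.plist` (and the Firefox bundle), then `check_xprotect_updater` with no argument. A clean result only says these two indicators are absent; the later replies in the thread point out that other variants leave different traces.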
  • 1. Re: Flashback.C Trojan-Downloader
    X423424X Level 6 (14,190 points)

    How can I check that the Flash update I did wasn't this trojan?

    I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.


    If that's the version you installed then you are probably ok. Where did you download the installer from (Adobe and MacUpdate are reliable)? Also look in your /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt. You should also have a prefPane called Flash Player.

  • 2. Re: Flashback.C Trojan-Downloader
    ds store Level 7 (30,305 points)

    Here is a complete list of the (Flashback trojan) files installed:


    1. .MacOSX/environment.plist
    2. Library/LaunchAgents/com.apple.SystemUI.plist
    3. Library/Preferences/perflib
    4. Library/Preferences/Preferences.dylib
    5. Library/Logs/swlog


    Use the free EasyFind and search for the files (start with #4, "Preferences.dylib", first)


    http://download.cnet.com/EasyFind/3000-2248_4-8707.html


    Delete all those (may need to turn on hidden files with TinkerTool to get the .MacOSX folder to show, then turn it off) and reboot


    More info here; follow Linc Davis' posts:


    https://discussions.apple.com/thread/3349492?start=60&tstart=0


    Best thing to do is back up files and wipe and install


    https://discussions.apple.com/message/16276201#16276201

  • 3. Re: Flashback.C Trojan-Downloader
    orienteer Level 1 (0 points)

    Thanks for the responses.

    I don't have any of those files, but I also don't have the file: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    should I?


    I have the /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt and I have a prefPane called Flash Player.

    The date of the Flash Player.plugin is the same as the Adobe Flash Player Install Manager.app in my Utilities folder, but the xpt file is a month older.


    I did try and search for this using "flashback.C" as the search term and only got 2 matches and not the 3349492 you linked to.

  • 4. Re: Flashback.C Trojan-Downloader
    jsd2 Level 5 (6,200 points)

    I believe the files on that "complete list" only apply to the earlier versions of the Flashback Trojan.


    From a recent Intego Security blog posting:

    -------

    We’ve seen several variants of the Flashback Trojan horse, since Intego first discovered this malware on September 26. The latest version, Flashback.D, has gotten a bit sneakier.

    ...

    Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.

    --------------------------

  • 5. Re: Flashback.C Trojan-Downloader
    WZZZ Level 6 (12,205 points)

    I just rebooted this morning. I see that the latest XProtect update from Apple still appears as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B), .C & .D.


    >orienteer: I don't have any of those files, but I also don't have the file: /System/Library


    It's here. And you must have /System/Library or your computer wouldn't be working at all.


    XProtect.plist location: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

  • 6. Re: Flashback.C Trojan-Downloader
    NoHoQB Level 1 (0 points)

    WZZZ, I found the XProtect.plist but how do I find out what version it is?

    Thanks!

  • 7. Re: Flashback.C Trojan-Downloader
    orienteer Level 1 (0 points)

    I have got:

    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

    But the article from F-Secure said it wiped out:

    /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    which is what I said I didn't have, so it looked like it might have been removed.


    My XProtect.plist is dated 17 Oct and only has OSX.FlashBack.A listed.


    jsd2: I don't have:

    /Applications/Safari.app/Contents/Resources/UnHackMeBuild

    and my /Applications/Safari.app/Contents/info.plist file is dated 16 Sept, so older than the Flash update.


    I'm pretty computer literate and cautious clicking links and read a lot of tech sites, and I'm not absolutely positive I'm not infected, so wonder what chance the average user has with stuff like this.

    So are the days of malware-free Macs ending, and is it time to consider installing something like VirusBarrier X6?
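Replies 6 and 7 turn on what a given XProtect.plist actually lists and which version it is. Below is an added example, not code posted by anyone in the thread: two small shell functions that print the signature names in XProtect.plist and the version number from the XProtect.meta.plist that sits beside it. The directory is the one WZZZ gave above; the key names used (a Description string per signature entry, a Version integer in the meta file) are assumed from the 10.6-era file format, and the sample files the script writes are constructed so it runs on any system.

```shell
#!/bin/sh
# Added example (not from the thread): inspect which malware families an
# XProtect.plist lists and read the version from XProtect.meta.plist.
# Assumed layout: each signature entry carries <key>Description</key>, and the
# meta file carries <key>Version</key> as an integer. Sample files are constructed.

# Directory given by WZZZ in the thread; on a Mac pass "$XPROTECT_DIR/XProtect.plist".
XPROTECT_DIR=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources

# Print one signature name per line: the <string> that follows each Description key.
# The file is flattened first so key and value may sit on separate lines.
xprotect_signatures() {
    tr -d '\n' < "$1" | grep -o '<key>Description</key>[[:space:]]*<string>[^<]*' |
        sed 's/.*<string>//'
}

# Print the Version integer from XProtect.meta.plist (empty output if absent).
xprotect_version() {
    tr -d '\n' < "$1" | grep -o '<key>Version</key>[[:space:]]*<integer>[0-9]*' |
        sed 's/.*<integer>//'
}

# Return 0 if the named family (e.g. OSX.FlashBack.A) is listed, 1 otherwise.
xprotect_has() {
    xprotect_signatures "$1" | grep -qxF -- "$2"
}

# Constructed sample files mirroring the assumed layout (entries reduced to the
# Description key; "OSX.Sample.B", the date and the version number are made up).
DEMO=$(mktemp -d)
cat > "$DEMO/XProtect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <dict>
        <key>Description</key>
        <string>OSX.FlashBack.A</string>
    </dict>
    <dict>
        <key>Description</key>
        <string>OSX.Sample.B</string>
    </dict>
</array>
</plist>
EOF
cat > "$DEMO/XProtect.meta.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Fri, 14 Oct 2011 00:00:00 GMT</string>
    <key>Version</key>
    <integer>1012</integer>
</dict>
</plist>
EOF

echo "XProtect version: $(xprotect_version "$DEMO/XProtect.meta.plist")"
echo "Listed families:"
xprotect_signatures "$DEMO/XProtect.plist"
xprotect_has "$DEMO/XProtect.plist" OSX.FlashBack.A && echo "OSX.FlashBack.A is covered"
# Real files would be: "$XPROTECT_DIR/XProtect.plist" and "$XPROTECT_DIR/XProtect.meta.plist"
```

The name check is an exact match, so a file that lists only OSX.FlashBack.A (as orienteer reports) answers "not covered" for .C or .D, which is the gap WZZZ and MadMacs0 discuss below.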

  • 8. Re: Flashback.C Trojan-Downloader
    jsd2 Level 5 (6,200 points)

    I think you are fine. One precaution for the future is never to click on a link in a popup notice that says that you need to download a Flash update (or anything else!). Instead, dismiss the popup and go directly to Adobe's download site via your browser.

  • 9. Re: Flashback.C Trojan-Downloader
    WZZZ Level 6 (12,205 points)
    orienteer wrote: My XProtect.plist is dated 17 Oct and only has OSX.FlashBack.A listed.

    Hmm, as I said above, my most recent is dated Oct 14. ???


    I don't have any of those files, but I also don't have the file: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    should I?

    Badly misread that before. Yes, you should have it. Don't know why it would be AWOL. Check again?

  • 10. Re: Flashback.C Trojan-Downloader
    orienteer Level 1 (0 points)

    I apologise, I was looking for:

    /Library/LaunchDaemons/com.apple.xprotectupdater.plist

    instead of:

    /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    which I do have.


    So it looks like I'm OK.

    I just can't remember what I did to update Flash, but I will make sure that I'm even more careful next time.


    But hopefully others may get something from this thread if searching for info about Flashback.

  • 11. Re: Flashback.C Trojan-Downloader
    MadMacs0 Level 4 (3,720 points)

    WZZZ wrote:


    I just rebooted this morning. I see that the latest XProtect update from Apple still appears as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B), .C & .D.

    According to Intego they found this version a week ago and call it Flashback.D, so Apple may be OK. Based on the MD5 hash that F-Secure posted, ClamXav matches it with OSX.Flashback-3 which was also made available on Oct 14. I can only guess that Apple must be calling everything .A.