15 Replies Latest reply: Oct 25, 2011 2:45 PM by Med.amine
TheSmokeMonster Level 4 (3,240 points)

This New Trojan Disables Your Mac’s Auto-Updates

The original iteration of the Flashback Trojan was a nasty little bugger, quietly shipping your Mac's details off to a remote server. This newly discovered variant is even worse.

The new version, dubbed Flashback.C, also disables your Apple's security definition update service by wiping files necessary to run future updates. Both Snow Leopard and Lion are vulnerable, though the Trojan seems to delete itself on any system running Little Snitch. The Trojan itself comes disguised as a Flash package installer.

F-Secure offers removal instructions here, Little Snitch is available here.

This information was taken from http://gizmodo.com/5851532/this-new-trojan-disables-your-macs-auto+updates

  • 1. Re: Flashback Trojan
    ds store Level 7 (30,305 points)

    Simple, only update Flash from this site, regardless of what pops up in your face.

    http://get.adobe.com/flashplayer/

    Bookmark it and it's always there.

    If you need to check your version click here

    http://flashbuilder.eu/flash-player-version.html

    or here

    https://www.mozilla.org/en-US/plugincheck/

  • 2. Re: Flashback Trojan
    TheSmokeMonster Level 4 (3,240 points)

    How do I make this a tip?

  • 3. Re: Flashback Trojan
    ds store Level 7 (30,305 points)

    Apple doesn't like LittleSnitch. Not only that, it's payware, thus the tip is advertising; they are touchy about that.

    They don't like drawing attention to vulnerabilities (MacDefender an exception as it was so widespread and thus needed removal).

    Apple has Xprotect already updated to combat this threat, and many other trojans, and Apple doesn't like Flash either.

    Did I mention Apple doesn't like Gizmodo either? Something about them buying a lost iPhone prototype....

  • 4. Re: Flashback Trojan
    TheSmokeMonster Level 4 (3,240 points)

    I was just trying to point out the trojan, but it's good to know that this is fixed(?)

  • 5. Re: Flashback Trojan
    fossilblue Level 1 (0 points)

    Hi

    Does Apple have an update for this trojan virus?

  • 6. Re: Flashback Trojan
    TheSmokeMonster Level 4 (3,240 points)

    Fossil. The information I provided shows you what the virus is and how to uninstall it if it is there. Ds_store gives some information that I'm sure a Google search or he could elaborate on, as I only heard about this today. You don't need to go to the Gizmodo link or download Little Snitch; I was just trying to be thorough and wasn't thinking about Apple politics when I posted it, as store points out.

    Having said that, I apologize if I did something wrong and I hope I can be forgiven if so.

  • 7. Re: Flashback Trojan
    MadMacs0 Level 4 (3,735 points)

    fossilblue wrote:

    Does Apple have an update for this trojan virus?

    Apple updated its XProtect database last week and I believe that it will warn you should you try to install this latest FlashBack threat. If, for whatever reason, you install it then the XProtect system will be permanently disabled and the only way to repair it is to restore from backup. None of the AV software available nor the instructions provided above can repair XProtect. Intego has more on this.

  • 8. Re: Flashback Trojan
    Med.amine Level 1 (0 points)

    Hi,

    I don't have XProtectUpdater in my Activity Monitor. Am I infected?

    What should I do to see if I'm infected, and how can I fix this?

  • 9. Re: Flashback Trojan
    MadMacs0 Level 4 (3,735 points)

    Med.amine wrote:

    I don't have XProtectUpdater in my Activity Monitor.

    XProtectUpdater only runs once every twenty-four hours for a fraction of a second, so your chances of seeing it in Activity Monitor are pretty much zero.

    What should I do to see if I'm infected, and how can I fix this?

    If I understand what F-Secure's analysis revealed, you can check to see if XProtect was disabled by looking at either of the following two files:

    /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    /usr/libexec/XProtectUpdater

    If they are blank, then you have been infected.

    The only way to repair is to replace those two files from backup.

  • 10. Re: Flashback Trojan
    Med.amine Level 1 (0 points)

    I have:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>StartInterval</key>
        <integer>86400</integer>
        <key>Label</key>
        <string>com.apple.xprotectupdater</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/libexec/XProtectUpdater</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>

    in System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    So, Doctor, what does my MacBook Pro have?

  • 11. Re: Flashback Trojan
    MadMacs0 Level 4 (3,735 points)

    Med.amine wrote:

    So, Doctor, what does my MacBook Pro have?

    Not sure why you are asking TheSmokeMonster this question.

    What you posted does not look blank to me so it wasn't infected.

    Why do you think your MacBook Pro has something? You haven't given us any symptoms.

  • 12. Re: Flashback Trojan
    Med.amine Level 1 (0 points)

    I mean, is my MacBook Pro infected? Now that you have replied to me, I know that it's safe. Thank you.

    Sorry, I hadn't seen your message. Thank you for explaining to me how XProtect works.

  • 13. Re: Flashback Trojan
    thomas_r. Level 7 (27,945 points)

    You don't need to go to the Gizmodo link or download Little Snitch; I was just trying to be thorough and wasn't thinking about Apple politics when I posted it, as store points out.

    Don't let ds store bully you.  I don't know how he thinks he knows what Apple likes and doesn't like, but mentioning Little Snitch here is not a problem.  Where he got the idea that Apple doesn't like Little Snitch I don't know.  I've mentioned it myself on a number of occasions, and the moderators have never had a problem with that.

    Used correctly, Little Snitch can be an invaluable tool for detecting malicious attempts to "phone home"...  though, note that it is of limited use, since anything that has infected your computer can simply disable it, as at least one variant of Flashback does.

  • 14. Re: Flashback Trojan
    MadMacs0 Level 4 (3,735 points)

    Here's another idea, that I had forgotten about, to see if XProtect is still working. Open your Terminal app (in the Utilities folder) then copy and paste the following into a new window after the "$" prompt:

    sudo launchctl list

    hit return and when prompted, enter your admin password (you won't see any typing) and hit return again.


    The list should include "com.apple.xprotectupdater.plist" if it's working.
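
The two checks described in replies 9 and 14 (blank files, and the `launchctl list` entry), combined into one script as an added example that is not part of the original posts and is not Apple's or F-Secure's tooling. The function names and the `--check` switch are made up here, and counting a missing or whitespace-only file as a problem is an assumption that goes slightly beyond "blank".

```sh
#!/bin/sh
# Added example (not from the thread): the two XProtect checks as one script.
PLIST=/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
UPDATER=/usr/libexec/XProtectUpdater
LABEL=com.apple.xprotectupdater

# file_state PATH: prints "missing", "blank" (zero bytes or whitespace only)
# or "present". Treating whitespace-only as blank is an assumption.
file_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ] || ! LC_ALL=C grep -q '[^[:space:]]' "$1"; then
        echo blank
    else
        echo present
    fi
}

# check_files PLIST_PATH UPDATER_PATH: reports each file, returns 1 unless
# both are present and non-blank.
check_files() {
    rc=0
    for f in "$1" "$2"; do
        state=$(file_state "$f")
        echo "$f: $state"
        [ "$state" = present ] || rc=1
    done
    return "$rc"
}

# job_listed: reads `launchctl list` output on stdin and succeeds if the
# last column is the updater's label (with or without ".plist").
job_listed() {
    awk -v l="$LABEL" '$NF == l || $NF == (l ".plist") { hit = 1 }
                       END { exit !hit }'
}

# Run the real checks only when asked to: sudo sh thisfile --check
if [ "${1:-}" = "--check" ]; then
    check_files "$PLIST" "$UPDATER" || echo "XProtect files need attention"
    if launchctl list | job_listed; then
        echo "$LABEL is loaded"
    else
        echo "$LABEL is not in the launchctl list"
    fi
fi
```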
