woofmatix

Q: How deal with FLASHBACK trojan?

Hey folks!

I updated Adobe Flash player a few days ago (the update popped up - I did not search for it) and I think I may have installed the "Flashback" trojan 'cuz I did the update in a hurry. Is there any way to find out if the trojan has found its way into the computer, or is a format and reinstallation of the OS necessary? Thanks!!!

MacBook Pro, Mac OS X (10.6)

Posted on Oct 23, 2011 11:04 PM

  • by ds store, Helpful

    ds store, Level 7 (30,400 points), Oct 23, 2011 11:41 PM in response to woofmatix

    You can check here to see if you've installed the current Flash version

    http://flashbuilder.eu/flash-player-version.html

    If your Software Update was up to date and Apple's XProtect (System Preferences > Security > Safe Downloads List) is on and functioning, it would have detected this trojan.

  • by woofmatix

    woofmatix, Level 1 (12 points), Oct 23, 2011 11:44 PM in response to ds store

    Thanks ds store! I also read in CNET: "While there is no information on how to manually remove Flashback, Intego says the program installs its malicious dynamic library in the /username/Library/Preferences/ folder as the file "Preferences.dyld," so you can go to that location and remove that file to dispose of the code."

    http://reviews.cnet.com/8301-13727_7-20111639-263/another-os-x-trojan-imitates-adobe-flash-installer/

    So I guess if that file ain't there, the Trojan has not entered the system right?

    Also I would like to know if this comes as an update or just an installer.

  • by ds store, Helpful

    ds store, Level 7 (30,400 points), Oct 23, 2011 11:45 PM in response to woofmatix

    Flashback Trojan installs files in the following locations

    1. .MacOSX/environment.plist
    2. Library/LaunchAgents/com.apple.SystemUI.plist
    3. Library/Preferences/perflib
    4. Library/Preferences/Preferences.dylib
    5. Library/Logs/swlog

    Use the free Easy Find and search for the files (start with #4 "Preferences.dylib" first, that's the main bugger)

    http://download.cnet.com/EasyFind/3000-2248_4-8707.html

    #1 is a hidden file (notice the period), so you will need to check Easy Find's "hidden files" button

    You can also download the free ClamXav and run a scan, it has the definition updated for it by now.
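    As an added example (not code from the thread, from Easy Find or from ClamXav), the following POSIX shell script does the same lookup ds store suggests doing with Easy Find: it tests a home directory for each of the five paths listed above and reports the ones present. The relative paths are copied verbatim from the reply; the function names and the `FLASHBACK_SCAN_HOME` variable are my own. One caveat: `~/.MacOSX/environment.plist` was also a legitimate Apple mechanism for per-user environment variables, so a hit on that path alone is not conclusive, whereas `Preferences.dylib` is the indicator the reply singles out.

```shell
#!/bin/sh
# Added example, not from the thread: check a home directory for the
# Flashback indicator paths listed in ds store's reply.
# Usage: FLASHBACK_SCAN_HOME="$HOME" sh check_flashback.sh

# Paths relative to the user's home directory, exactly as listed in the reply.
FLASHBACK_PATHS='.MacOSX/environment.plist
Library/LaunchAgents/com.apple.SystemUI.plist
Library/Preferences/perflib
Library/Preferences/Preferences.dylib
Library/Logs/swlog'

# Print "FOUND: <absolute path>" for each indicator present under $1.
# [ -e ] sees dotfiles too, so the hidden .MacOSX entry needs no
# special handling. Always returns 0 so callers can pipe the output.
list_flashback_indicators() {
    home="$1"
    printf '%s\n' "$FLASHBACK_PATHS" | while IFS= read -r rel; do
        if [ -e "$home/$rel" ]; then
            printf 'FOUND: %s\n' "$home/$rel"
        fi
    done
    return 0
}

# Number of indicator paths present under $1 (0 means none were found).
count_flashback_indicators() {
    list_flashback_indicators "$1" | wc -l | tr -d ' '
}

# Only scan when the caller names a home directory (hypothetical variable).
if [ -n "${FLASHBACK_SCAN_HOME:-}" ]; then
    n=$(count_flashback_indicators "$FLASHBACK_SCAN_HOME")
    list_flashback_indicators "$FLASHBACK_SCAN_HOME"
    printf '%s indicator path(s) found under %s\n' "$n" "$FLASHBACK_SCAN_HOME"
fi
```

    Run it as `FLASHBACK_SCAN_HOME="$HOME" sh check_flashback.sh`. An empty result only means these particular paths are absent; as ds store says further down, that is not proof the machine is clean, so a scanner with current definitions is still the better check.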

  • by ds store

    ds store, Level 7 (30,400 points), Oct 23, 2011 11:56 PM in response to woofmatix

    woofmatix wrote:

    So I guess if that file ain't there, the Trojan has not entered the system right?

    Don't assume anything; run a scan using ClamXav, and if your Apple Software Update works you can pretty much rest assured you don't have it.

    Also I would like to know if this comes as an update or just an installer.

    It's a trojan installer on hostile web sites.

    If you look at your Adobe Flash System Preference pane, it's got its own system to check with Adobe and verify the download. The confusion happens because there is a pop-up when one visits a web page and their Flash is outdated.

    I always download my Flash here

    http://get.adobe.com/flashplayer/

    If you're still concerned you can perform a

    Restoring OS X 10.5 10.6. 10.7 - simple overwrite OS method

    https://discussions.apple.com/message/16276201#16276201

    That will flush anything out of OS X, but you still need to clean up Applications and Users folders.

  • by woofmatix

    woofmatix, Level 1 (12 points), Oct 24, 2011 12:08 AM in response to ds store

    Thanks a lot!

    Well, I'll check and see, but since I really don't have important data on the computer, I might just format the whole thing... Just to be on the safe side...

    Anyway, thanks a lot for all the help! Really appreciate it!

  • by ds store, Solved answer

    ds store, Level 7 (30,400 points), Oct 24, 2011 12:23 AM in response to woofmatix

    Make a hold-option bootable clone on an external drive; this way, if you suspect you have been had, you can hold C, boot off the 10.6 installer disk, wipe the internal drive and reverse clone.

    I maintain 2 1/2 clones: one is auto-updated daily to an internal bootable partition on the second half of my boot drive (provides only software protection), another runs whenever I connect the external drive (hardware and software protection), and then I have one set a month or two back.

  • by woofmatix

    woofmatix, Level 1 (12 points), Oct 24, 2011 12:26 AM in response to ds store

    I never download the update from the websites. I just download if the Adobe updater (or whatever they call it) pops up. So what I wanted to know was: does the Trojan pop up like this as well, or just like another installer?

  • by woofmatix

    woofmatix, Level 1 (12 points), Oct 24, 2011 1:06 AM in response to woofmatix

    Yikes! I clicked the wrong "Correct Answer"!

  • by ds store

    ds store, Level 7 (30,400 points), Oct 24, 2011 1:23 AM in response to woofmatix

    woofmatix wrote:

    I never download the update from the websites. I just download if the Adobe updater (or whatever they call it) pops up. So what I wanted to know was: does the Trojan pop up like this as well, or just like another installer?

    A trojan is designed to fool, so it would be wise for maximum effect to look like the real thing.

    So it doesn't matter if it looks like the real thing or not; one needs to act like anything that pops up is a trojan and download from a site you know is for real.

  • by ds store

    ds store, Level 7 (30,400 points), Oct 24, 2011 1:23 AM in response to woofmatix

    woofmatix wrote:

    Yikes! I clicked the wrong "Correct Answer"!

    Yep, I'm gone now, thanks for all the fish.

  • by MadMacs0

    MadMacs0, Level 5 (4,801 points), Oct 24, 2011 11:49 PM in response to woofmatix

    woofmatix wrote:

    I never download the update from the websites. I just download if the Adobe updater (or whatever they call it) pops up. So what I wanted to know was: does the Trojan pop up like this as well, or just like another installer?

    The first version of the web page looked like this: Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers.

    The installer itself looked like this: INTEGO SECURITY MEMO: Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package.

    I haven't seen anything about the recent versions being any different.

  • by candicefromct

    candicefromct, Level 1 (0 points), Apr 5, 2012 7:53 PM in response to woofmatix

    I know I did a Flash update this week. How can I tell if it was legit or a trojan? One posting I saw said to go into preferences, and if my IP address was grey and not black then I have it. Do you know if this is accurate?

  • by MadMacs0

    MadMacs0, Level 5 (4,801 points), Apr 5, 2012 8:04 PM in response to candicefromct

    candicefromct wrote:

    I know I did a Flash update this week. How can I tell if it was legit or a trojan?

    The Flashback Trojan has not been associated with a Flash upgrade for several months now.

    One posting I saw said to go into preferences, and if my IP address was grey and not black then I have it. Do you know if this is accurate?

    If it's the one I'm thinking of, that test is associated with a totally different malware infection.

    If you are experiencing symptoms of infection, either join a thread with that problem or start a new thread. This one is dead.