new malware disguised as flash installer
I'm a dummy....fell for the ruse, any ideas on how to get rid of this new malware? thanks
iMac, Mac OS X (10.6.8)
Snow Leopard defines an expanded list of applications for which it "quarantines" downloaded files (marking that they've been downloaded from the Internet). So if you download a file via your Web browser (including Safari, Internet Explorer, Firefox, OmniWeb, Opera, Mozilla, Camino, and more) or an e-mail client (Mail, Entourage, or Thunderbird) or you receive a file via iChat, then it will be checked for malware when you open it.
Apparently, according to this, the original quarantining (xattr>com.apple.quarantine) works for downloads in Snow using browsers other than Safari.
But will files downloaded with browsers other than Safari be quarantined according to XProtect definitions, as well?
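The check behind the question above, as an added example that is not part of this thread: the quarantining being discussed hangs on the com.apple.quarantine extended attribute, so the practical thing to verify on a 10.6 machine is whether a downloaded file actually carries that attribute (and which application wrote it), since a file that never got it was never handed to the malware check. The attribute layout used here (flags, hex timestamp, agent name, agent identifier) and the `xattr -p` call are assumptions stated in the comments, and the sample value in the test is constructed.

```shell
#!/bin/sh
# Added example, not from this thread: inspect the com.apple.quarantine
# attribute that Snow Leopard's download quarantine relies on.
# Assumed value layout (an assumption, not from the thread):
#   flags;hex-timestamp;agent-name;agent-identifier
# e.g. "0001;4f7d3c2a;Firefox;|org.mozilla.firefox"

# Print the name of the application that wrote the attribute (third field).
quarantine_agent() {
    printf '%s\n' "$1" | cut -d';' -f3
}

# Convert the hex download timestamp (second field) to decimal epoch seconds.
quarantine_epoch() {
    hex=$(printf '%s\n' "$1" | cut -d';' -f2)
    echo $((0x$hex))
}

# Return 0 if the file at $1 carries the attribute, 1 if it does not,
# and 2 when the xattr tool is unavailable (non-macOS host).
is_quarantined() {
    command -v xattr >/dev/null 2>&1 || return 2
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Walk a directory (default ~/Downloads) and print one line per file.
# UNQUARANTINED files never got the attribute, so the quarantine check
# never ran on them; those are the ones worth a second look.
report_downloads() {
    dir=${1:-"$HOME/Downloads"}
    command -v xattr >/dev/null 2>&1 || { echo "xattr not available" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if value=$(xattr -p com.apple.quarantine "$f" 2>/dev/null); then
            printf 'QUARANTINED   %s (agent: %s, downloaded: %s)\n' \
                "$f" "$(quarantine_agent "$value")" "$(quarantine_epoch "$value")"
        else
            printf 'UNQUARANTINED %s\n' "$f"
        fi
    done
}

# Usage on a Mac:  sh quarantine_report.sh ~/Downloads
if [ $# -gt 0 ]; then
    report_downloads "$1"
fi
```

The agent field is the useful one for this thread's question: it shows directly whether downloads made through Firefox, Chrome or a mail client were stamped the same way Safari's are.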
I've got the Install Manager folder. At first I was somewhat concerned about it, but I figured that it probably was created when I correctly updated my Flash. The creation date and the modification date were identical and said that it was created around the time that I downloaded the update. There also was no source website for this folder.
I think I may have fallen for the installer trick, maybe a few weeks ago. I have looked for all the files folks suggest finding in this thread, and have none. I also have downloaded the VirusBarrierX6 and am currently doing a full scan (so far nothing). Also, I've looked in Activity Monitor and not found any of the processes folks are complaining about.
That said, I'm quite worried about two things I've been seeing:
1. When I login, there is an extra quick blue flash on the screen. I should video it, but basically it looks like one quick flash. Happens at startup or login to any user account.
2. Fake PC servers mounted in my network. Clicking them does nothing, yet they seem to be running from my machine. See attached image below.
Any thoughts? I'd like to make a quick clean break in any way possible, and am willing to go through any install recommendation or etc.
I tried going to this link (it is supposed to have the trojan on it), but I got this message when I went there.
http://adobe softwareupdate.com/flashplugin/7f/
Here's the message
FYI, it doesn't work to click on the link. It also won't work to copy and paste the link, because I have put a space in between "adobe" and "software" just to let you know.
andyBall_uk wrote:
10.6 & later
The quarantine system actually came into being in 10.5 and was enhanced for 10.6.
The XProtect system wasn't introduced until a security update to 10.6.7 in the MacDefender era. There was speculation at the time that it was a Lion feature that was rushed into use. The 10.6.8 update fixed some bugs in the update process.
WZZZ wrote:
Apparently the original quarantining (xattr>com.apple.quarantine) works for downloads in Snow using browsers other than Safari.
But will files downloaded with browsers other than Safari be quarantined according to XProtect definitions, as well?
My understanding was that all quarantined files are supposed to be checked.
The colleague that I mentioned yesterday who purposely downloaded the Trojan used Safari and was not notified.
mtuiuc wrote:
I think I may have fallen for the installer trick, maybe a few weeks ago. I have looked for all the files folks suggest finding in this thread, and have none. I also have downloaded the VirusBarrierX6 and am currently doing a full scan (so far nothing). Also, I've looked in Activity Monitor and not found any of the processes folks are complaining about.
Then you did not install it.
That said, I'm quite worried about two things I've been seeing:
1. When I login, there is an extra quick blue flash on the screen. I should video it, but basically it looks like one quick flash. Happens at startup or login to any user account.
2. fake PC servers mounted in my network. Clicking them does nothing, yet they seem to be running from my machine. See attached image below.
None of the infected users have reported anything like this. Perhaps you should start a new thread.
chrisfromhopewell wrote:
I tried going to this link (it is supposed to have the trojan on it), but I got this message when I went there. http://adobe
That means that the site is shut down, for some reason. It could be temporary, it could have been moved or they may have accomplished whatever they set out to do. Let's hope it was because the police came and confiscated their equipment when they were all arrested.
Linc,
Or anybody else with info...do we know the IP of where the Trojan phoned home to? Was it the same as the one that was serving up the installer?
The name "adobe software update" site has been removed from DNS so it no longer has an IP address. Using the old IP reveals that the server appears to have a bare apache server but nothing else. A port scan reveals the usual commonly open ports.
I'm just wondering if folks who don't know they are infected yet are still checking with the mother ship for updates, etc.?
There is no such site as adobesoftwareupdate.com
Just go to Adobe's main page here:
Towards the lower right under the Download heading, click on Adobe Flash Player.
Kurt Lang wrote:
There is no such site as adobesoftwareupdate.com
Just go to Adobe's main page
I know that Kurt. This thread is about the FlashBack Trojan, not the real FlashPlayer.
Kurt Lang wrote:
There is no such site as adobesoftwareupdate.com
Sorry, I should have responded to this, as well. There was such a site for a couple of days this week. It's still in WhoIs but has been removed from DNS either because it was a known malware distributor or the bad guys were finished with it.
There was such a site for a couple of days this week.
Yes, that's all I really meant. Anyone trying to find Flash at that site name wouldn't have been able to find it, so I was just pointing to Adobe's site.
Big surprise that it was very likely a malware site.