Sep 27, 2011 12:40 PM in response to Shirley Drabble1 by Kurt Lang
>>Sorry I meant does Apple have the software built remotely so we don't have to download it.
That's very vague. Unless you write and compile the software yourself, all software is built remotely and needs to either be purchased on disk or downloaded. What software are you referring to?
-
Sep 27, 2011 1:01 PM in response to Shirley Drabble1 by cathy fasano
Shirley Drabble1 wrote:
>>I tried Spotlight for that .dylib file but the results were inconclusive. I am guessing Spotlight doesn't look in libraries
>>What if anything should I do now?
Go to the Applications/Utilities folder, and near the bottom is an application Terminal.app. Double click on it, and when the terminal window appears, copy/paste the following command into the terminal window:
ls -ld ~/Library/Preferences/P*
ls -l ~/Library/LaunchAgents/
Nothing on my system looks remotely similar to ~/Library/Preferences/Preferences.dylib or ~/Library/LaunchAgents/com.apple.SystemUI.plist, so I hope that means I'm ok...
-
Sep 27, 2011 1:30 PM in response to Kurt Lang by andyBall_uk
>>That is the Trojan...
there was apparently a genuine file with the same name, so that isn't certain.
a number of sites showed it, available from http://labs.adobe.com/downloads/flashplayer11.html
@Steve - check in Finder - Get Info - where from... if it says "download.macromedia.com/pub/labs/flashplatformruntimes/"... it was from adobe.
-
Sep 27, 2011 1:38 PM in response to MadMacs0 by Linc Davis
>>Please don't post it here, instead, go to http://mailinator.com/, create a mailbox, post it there and return here with the name you gave the mailbox.
You don't create mailboxes in Mailinator. Just send mail to a Mailinator address, and the account is created automatically. The messages are deleted after a few hours.
-
Sep 27, 2011 1:38 PM in response to Kurt Lang by SteveKir
Oh dear! I downloaded it and ran it about a week or so ago. However, I do not have the file mentioned in the MacFixit site mentioned above, shown below:
‘Intego says the program installs its malicious dynamic library in the /username/Library/Preferences/ folder as the file "Preferences.dyld," so you can go to that location and remove that file to dispose of the code.’
I have searched for a file called "Preferences.dyld" and it is not there. But I have lots of files starting with “dyld” (no dot). They are all in my external backup HD which is a clone of my system disc, done by Carbon Copy Cloner. They are either in a top level folder called _CCC Archives, or in a top level folder called Developer which I am fairly sure is part of Apple’s Xcode which I downloaded a few days ago.
One good thing is that whenever I give my credit card details over the Internet, the documents involved (screen grabs of the transaction) are stored in an encrypted disc image, and my bank account details have never appeared in my computer.
Have I escaped? If not, what to do? Get Intego pronto?
-
Sep 27, 2011 1:41 PM in response to SteveKir by Linc Davis
>>I have searched for a file called "Preferences.dyld" and it is not there.
The name of the file is "Preferences.dylib". Spotlight won't find it even if you use the right name.
-
Sep 27, 2011 1:45 PM in response to Ralph Deen by Sam Beaver
thanks for the heads up. this install flash thing had popped open earlier today, but never got around to installing it.
-
Sep 27, 2011 1:48 PM in response to Kurt Lang by Shirley Drabble1
Sorry. I meant is this part of Apple Firewall set up and is it controlled remotely rather than from my own system. Oh and this is what happened when I typed into terminal
Last login: Tue Sep 13 19:43:53 on console
**************:~ *********$ ls -ld ~/Library/Preferences/P*
drwxr-xr-x 2 ********* staff 68 20 Dec 2009 /Users/*************/Library/Preferences/PiratePoppers
-rw-r--r--@ 1 ******* staff 86 1 Dec 2009 /Users/*************/Library/Preferences/Pref Kunvert 1.0.2
***********-MacBook-Pro:~ ***********$
*****************MacBook-Pro:~ ************$ ls -l ~/Library/LaunchAgents/
total 88
-rw-r--r-- 1 *********** staff 589 5 Oct 2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist
-rw-r--r-- 1 ************* staff 543 23 Oct 2010 com.akamai.client.plist
-rw-r--r-- 1 ************* staff 463 15 Oct 2010 com.apple.FTMonitor.plist
-rw-r--r-- 1 ************* staff 425 28 Jul 22:45 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 ************* staff 589 13 Sep 19:44 com.apple.FolderActions.folders.plist
-rw-r--r-- 1 ************* staff 581 20 Mar 2010 com.apple.MobileMeSyncClientAgent.plist
-rw-r--r-- 1 ************* staff 817 20 Mar 2010 com.apple.SafariBookmarksSyncer.plist
-rw-r--r-- 1 ************* staff 552 20 Oct 2010 com.apple.apsd-ft.plist
-rw-r--r-- 1 ************* staff 411 13 Oct 2010 com.apple.imagent.plist
-rw-r--r-- 1 ************* staff 447 13 Oct 2010 com.apple.marcoagent.plist
-rw-r--r-- 1 ************* staff 561 10 Jul 23:26 com.zeobit.MacKeeper.Helper
*************-MacBook-Pro:~ *************$
*************-MacBook-Pro:~ *************$
This looks OK to me, is it the sort of response I should expect if I don't have anything nasty? :-)
This is getting a bit confusing.
Oh and I run CLAMXAV as antivirus, would that pick it up at all? I am always aware that I could pass on a nasty through emails or whatever to my non-Mac user friends.
Thanks
****** to hide my system name
-
Sep 27, 2011 1:54 PM in response to Linc Davis by SteveKir
Hmmm. I have now used Finder to list "~Library/Preferences" in a standard Finder window and there is no sign of "Preferences.dylib". Does that mean it is not there?
And, do you know why Spotlight would not find it?
Thanks
-
Sep 27, 2011 2:08 PM in response to andyBall_uk by Kurt Lang
Hi Andy,
It would certainly help if Adobe would stick with one name. I just downloaded the Flash player from their site, and the file has this name:
install_flash_player_osx_intel.dmg
Though the name would be different for Windows, Linux or a PowerPC Mac.
More important is to watch what comes up when you launch the installer. The Trojan looks like this:
The real Adobe installer displays this:
The image above I incorrectly flagged was the icon that displays when you open the Adobe .dmg file:
Upon opening that, the installer package should look like this:
Be very wary of anything else you may download.
-
Sep 27, 2011 2:04 PM in response to SteveKir by Linc Davis
>>I have now used Finder to list "~Library/Preferences" in a standard Finder window and there is no sign of "Preferences.dylib". Does that mean it is not there?
Not necessarily. The file could be hidden in the Finder. You could have a variant of the trojan that doesn't install that file, or the information you're relying on could be inaccurate. Trying to detect trojans by poking around with the Finder, without really knowing what you're looking for, is not much use.
>>And, do you know why Spotlight would not find it?
It doesn't show that type of file. If you want comprehensive file searches by name, you either have to use a shell command, which is unsuitable for non-technical users, or a third-party tool such as EasyFind.
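Added example, not part of the original thread: a shell function that checks a home directory for the two file names mentioned in the posts above (~/Library/Preferences/Preferences.dylib and ~/Library/LaunchAgents/com.apple.SystemUI.plist) without relying on Finder or Spotlight. The function name check_home, the output labels and the third check (launch agents whose contents mention the library name) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. The two paths are the ones named in
# the posts; the function name and output labels are illustrative.

# check_home [DIR]: print findings for DIR (default: $HOME).
# Returns 0 when nothing matched, 1 when at least one indicator was found.
check_home() {
    home=${1:-$HOME}
    found=0

    # 1. Exact paths from the thread. test -e ignores Finder's hidden flag.
    for rel in "Library/Preferences/Preferences.dylib" \
               "Library/LaunchAgents/com.apple.SystemUI.plist"; do
        if [ -e "$home/$rel" ]; then
            echo "FOUND  $home/$rel"
            found=1
        fi
    done

    # 2. The same file names anywhere under Library, in any letter case.
    hits=$(find "$home/Library" \( -iname 'Preferences.dylib' \
        -o -iname 'com.apple.SystemUI.plist' \) -print 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/NAME   /'
        found=1
    fi

    # 3. Assumption, not from the thread: flag any launch agent whose
    #    contents mention the library name.
    refs=$(grep -l -F 'Preferences.dylib' \
        "$home"/Library/LaunchAgents/* 2>/dev/null || true)
    if [ -n "$refs" ]; then
        echo "$refs" | sed 's/^/REF    /'
        found=1
    fi

    if [ "$found" -eq 0 ]; then
        echo "No listed indicators under $home"
    fi
    return "$found"
}

# Scan only when asked: sh check.sh --scan [DIR]
if [ "${1:-}" = "--scan" ]; then
    check_home "${2:-$HOME}"
fi
```

A clean result only means these particular names are absent; as noted in the reply above, a variant may not install that file.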
-
Sep 27, 2011 2:12 PM in response to Kurt Lang by andyBall_uk
>>It would certainly help if Adobe would stick with one name.
they do, mostly - at least for the one at http://get.adobe.com/flashplayer/ rather than the developer previews. The filename mentioned above was a beta of v 11 -
the current release candidate is flashplayer11_rc1_install_mac_090611.dmg, for example.
-
Sep 27, 2011 2:13 PM in response to Linc Davis by SteveKir
I have now used EasyFind to search for Files and Folders called "Preferences.dylib" and it has not found it.
Am I safe?


