Ralph Deen

Q: new malware disguised as flash installer

I'm a dummy... fell for the ruse. Any ideas on how to get rid of this new malware? Thanks

iMac, Mac OS X (10.6.8)

Posted on Sep 27, 2011 7:45 AM

Page 3 of 9
  • by MadMacs0, Level 5 (4,801 points)

    Sep 27, 2011 2:17 PM in response to Sam Beaver

    Sam Beaver wrote:
    thanks for the heads up. this install flash thing had popped open earlier today, but never got around to installing it.

    Any luck on a URL for this thing?  We really need to get this thing to the right folks.  It should still be in your browser history.  Send the URL in a message to <makeupanyname>@mailinator.com and let us know what "makeupanyname" is.

  • by Linc Davis, Level 10 (208,037 points)

    Sep 27, 2011 2:36 PM in response to SteveKir

    If you installed a trojan, as you say you did, and you haven't removed it, then no, you're not safe. I don't know what you installed, nor do I know whether the information being promulgated about one particular trojan (not necessarily the same one) is accurate.
    What I would do in your place is to back up my data, erase the startup volume, reinstall the OS, run Software Update, then carefully restore my user files, including only what I recognized as legitimate. I'd also reinstall all my third-party software from fresh downloads or original media.

  • by andyBall_uk, Level 7 (20,495 points)

    Sep 27, 2011 2:43 PM in response to Linc Davis

    > If you installed a trojan, as you say you did...

    Steve didn't say that - just that he had what may be the dmg of a genuine beta of Flash. If Finder doesn't say where it's from, or it's not from adobe/macromedia - then Steve should worry.

  • by SteveKir, Level 3 (546 points)

    Sep 27, 2011 2:44 PM in response to Linc Davis

    Thanks. Will do.

    Final question: Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

  • by WZZZ, Level 6 (13,112 points)

    Sep 27, 2011 2:56 PM in response to SteveKir

    SteveKir wrote:

    Thanks. Will do.

    Final question: Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

    I don't think anyone knows just yet. It's only just now being analyzed. Intego seems to be one of the first to the game. Maybe Intego will give an update.
    There hasn't been an XProtect update since the 24th, which was for the OSX Revir.A Trojan. So I don't think Apple has included this yet.

  • by SteveKir, Level 3 (546 points)

    Sep 27, 2011 2:52 PM in response to andyBall_uk

    andyBall_uk wrote:

    If Finder doesn't say where it's from..

    So how can I use Finder to discover where it is from? Get Info does not show that. It often includes a copyright reference, although a producer of malware could do that.

  • by Király, Level 6 (9,855 points)

    Sep 27, 2011 2:56 PM in response to Ralph Deen

    Hi Ralph,

    The easiest way to get rid of it is to restore the last full system backup that was made before the "oops" moment. Had you been using Time Machine? If not, what other recent backups do you have?

  • by MaryThomas, Level 1 (30 points)

    Sep 27, 2011 2:57 PM in response to Linc Davis

    > What I would do in your place is to
    > back up my data,
    > erase the startup volume,

    In Disk Utility? Erase the drive ABOVE where it says Macintosh HD?

    > reinstall the OS,

    How does one do that with a 2011 MacBook Air? Information I found about Lion Recovery

    http://support.apple.com/kb/HT4718

    requires a wifi connection as does loading it remotely from a DVD in my mac mini. Doesn't the trojan require wifi to access an infected computer? (I don't have a DVD or thumb drive with Lion on it since I bought it from the Mac App Store.)

    > run Software Update, then carefully restore my user files, including only what I recognized as legitimate. I'd also reinstall all my third-party software from fresh downloads or original media.

    This is the easy part...

    Thanks for any help anyone can provide.

  • by WZZZ, Level 6 (13,112 points)

    Sep 27, 2011 2:57 PM in response to SteveKir

    SteveKir wrote:

    andyBall_uk wrote:

    If Finder doesn't say where it's from..

    So how can I use Finder to discover where it is from? Get Info does not show that. It often includes a copyright reference, although a producer of malware could do that.

    Get EasyFind.
    http://www.devon-technologies.com/download/index.html

  • by andyBall_uk, Level 7 (20,495 points)

    Sep 27, 2011 2:58 PM in response to SteveKir

    The OS should record 'where from' and display it in Get Info.

    If you can't verify it by checking your browser history - then without checking the dmg, you might have a problem.

  • by jsd2, Level 5 (6,215 points)

    Sep 27, 2011 3:12 PM in response to WZZZ

    It looks as if Apple just added this trojan to its malware-detection quarantine feature, which should help protect against future infection.

    I just looked at

    /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

    with a property list editor, and found

    [Screenshot: Screen Shot 2011-09-27 at 5.59.02 PM.png]

    The file was last modified today.
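An added example (not from the thread, and not Apple's code) of scripting the check jsd2 did by hand: parse XProtect.plist with Python's plistlib, list the signature names it carries and report when the file was last modified. The sample plist below is constructed for offline use, and the OSX.Flashback.A entry name in it is an assumption.

```python
import datetime
import os
import plistlib

# Path jsd2 inspected on Mac OS X 10.6/10.7 (taken from the thread).
XPROTECT_PLIST = ("/System/Library/CoreServices/CoreTypes.bundle"
                  "/Contents/Resources/XProtect.plist")

# Constructed sample standing in for the live file: an array of signature
# dicts whose "Description" names the threat. OSX.Revir.A is the name the
# thread mentions; the Flashback entry name is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Revir.A</string>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Flashback.A</string>
  </dict>
</array>
</plist>
"""


def signature_names(plist_bytes):
    """Return the Description of every signature entry in the plist."""
    entries = plistlib.loads(plist_bytes)
    return [e.get("Description", "") for e in entries if isinstance(e, dict)]


def has_signature(plist_bytes, keyword):
    """True if any signature description contains keyword, ignoring case."""
    k = keyword.lower()
    return any(k in name.lower() for name in signature_names(plist_bytes))


def last_modified(path=XPROTECT_PLIST):
    """Modification time of the definitions file, as jsd2 checked by hand."""
    return datetime.datetime.fromtimestamp(os.path.getmtime(path))


if __name__ == "__main__":
    data = SAMPLE_PLIST  # offline default: the constructed sample above
    if os.path.exists(XPROTECT_PLIST):
        print("XProtect.plist last modified:", last_modified())
        with open(XPROTECT_PLIST, "rb") as fh:
            data = fh.read()
    print("\n".join(signature_names(data)))
    print("Flashback entry present:", has_signature(data, "flashback"))
```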

  • by WZZZ, Level 6 (13,112 points)

    Sep 27, 2011 3:23 PM in response to jsd2

    Thanks. I booted up early this morning and it hadn't yet been distributed. That's good to know that Apple appears to be staying on top of all the latest emerging malware. I was kind of skeptical at first, thinking it was mainly a PR response to the MacDefender episode.
    (Off topic, but I replied to you here about preventing Flash Cookies.)

  • by MadMacs0, Level 5 (4,801 points)

    Sep 27, 2011 3:22 PM in response to SteveKir

    SteveKir wrote:

    Do you know what the risks are? E.g., keyboard logging (which must be the most dangerous), corrupting system files, email or internet snooping, etc. etc.

    All we think we know is in the Intego announcement Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package where they say "Intego’s security researchers are analyzing the injected code and we will issue more information as soon as possible."

  • by WZZZ, Level 6 (13,112 points)

    Sep 27, 2011 3:27 PM in response to SteveKir

    Steve, I wouldn't be in a mad rush to erase and reinstall. Wait until there's a full analysis and then run one of the AVs. Maybe MadMacs0 will let us know as soon as ClamX has cataloged it.

  • by MadMacs0, Level 5 (4,801 points)

    Sep 27, 2011 4:01 PM in response to MadMacs0

    Actually, Intego just posted an update, More About the Flashback Trojan Horse, in which they reveal how sophisticated the code is, but nothing more about what it installs where nor how to remove it. Currently it appears that all it does is upload information about your hardware ID, whether Intel or PPC, and what version of Mac OS X you are running. It is capable of updating itself and downloading additional software, but is currently not doing this.
