-
Sep 28, 2011 1:49 PM in response to WZZZ by Shirley Drabble1:
I have auto updates turned on to check but I have final say when I look at the details so every week I get that reminder.
I find that is the best way especially when I had some old software I had not got around to deleting. I have since done that. BUT feel safer doing it this way.
-
Sep 28, 2011 2:02 PM in response to Shirley Drabble1 by WZZZ:
That's what I meant. Get the update notification. Then do the update manually. The option I'm referring to is only to Check for updates automatically. I never update anything automatically.
-
Sep 28, 2011 2:16 PM in response to WZZZ by cathy fasano:
The problem is that this wicked little piece of malware showed a flaw of that strategy (which, nonetheless, I think is still the best way to go). We've got our users' machines locked down pretty tight so that if they try to accept REAL updates they won't get past the step where they need the Administrator's password. But since this one only infects the user's own personal account, writing to files that the user has access to, a naive user is not protected against it.
The real automatic updates, which fail for non-priv'd users, desensitize them so that they don't come get me when the panel comes up. And they will always hit "OK" to dismiss any panel -- even if the panel says "Start global thermonuclear now?"
-
Sep 28, 2011 3:04 PM in response to cathy fasano by andyBall_uk:
Cathy - can you restrict user access by disallowing access to the installer bundle/folder in coreservices?
don't know if it works - but seems to.
-
Sep 28, 2011 6:38 PM in response to Linc Davis by MadMacs0:
Linc Davis wrote:
@Linc - see the pkg at mailinator, I've sent the url again.
Thanks.
Linc,
As you will recall the site would not download the package to me but a colleague was successful in doing so and I just wanted to compare some basic notes.
The file is named "FlashPlayer-11-macos.pkg". The MD5 hash is c2819c3c183bbf7547cf76c6a004ea15 which does not match the ClamXav signature nor either of the ones Apple published in yesterday's XProtect update.
I uploaded it to VirusTotal and none of the 43 AV scanners identified it as anything. A second person has since uploaded the identical file with the same results.
Checking it in Pacifist was pretty much a waste of time, but everything I was able to inspect seems to match your results.
One other thing that my colleague passed on as being unusual was that he used Safari to download the file, which should have automatically given it the Apple quarantine label. He manually updated XProtect before attempting to launch it (he was aware of what it was and stopped at the install step) but was never given a red alert by XProtect (probably because the signatures don't match), nor did he receive the standard yellow alert that he was attempting to open something downloaded from the internet.
-
Sep 28, 2011 7:38 PM in response to MadMacs0 by Linc Davis:
Checking it in Pacifist was pretty much a waste of time, but everything I was able to inspect seems to match your results.
The installer package is obfuscated. As I wrote earlier, the only working part of it is the preinstall script (actually a binary).
...nor did he receive the standard yellow alert that he was attempting to open something downloaded from the internet.
I can't think of a good explanation for that. I'm unable to confirm because I disabled those warnings.
-
Sep 28, 2011 7:40 PM in response to Linc Davis by BradenThomas:
Can someone please send the source URL back to flashbacktrojan mailinator? Thanks!
-
Sep 28, 2011 7:40 PM in response to MadMacs0 by andyBall_uk:
>>The MD5 hash is c2819c3c183bbf7547cf76c6a004ea15
Same here
>>Checking it in Pacifist was pretty much a waste of time...
easy to see the environment.plist & DYLD_INSERT_LIBRARIES in preinstall
& yes to safari/xprotect and not picking it up
-
Sep 28, 2011 8:27 PM in response to BradenThomas by MadMacs0:
BradenThomas wrote:
Can someone please send the source URL back to flashbacktrojan mailinator?
It's there now.
-
Sep 29, 2011 1:08 AM in response to andyBall_uk by Shirley Drabble1:
Every time I try to scan with my ClamXav it crashes.
I have other odd things happening too. Is this trojan likely to be responsible?
Do I have to buy Intego to get a fix, as someone reported they now have a fix for it?
How much is it?
help
I have done lots of my banking online in the last few days.
Now really worried.
What can I do to find if I really have it?
I need step by step as not too familiar.
I can use terminal if I know what I have to type.
I need to do some banking tomorrow.
Possibly I can use my clunky pc laptop for it, but much easier to use my MBP if I know it is clean.
thanks
-
Sep 29, 2011 2:11 AM in response to Shirley Drabble1 by MadMacs0:
Shirley Drabble1 wrote:
Every time I try to scan with my ClamXav it crashes.
Please come to the ClamXav User's Forum and get help with that.
I have other odd things happening too. Is this trojan likely to be responsible?
No. As far as we know all it currently does is send information about your computer, not you, to a server. It's easy enough to see if any of the five files listed by Linc Davis earlier have been installed on your computer. If they aren't then chances are really good that it's not this Trojan.
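The two things posters in this thread actually looked at by hand are a downloaded package's MD5 (MadMacs0's comparison against the ClamXav and XProtect signatures) and the environment.plist / DYLD_INSERT_LIBRARIES entry that andyBall_uk saw in the preinstall script. The following script is an added example, not code from the thread or from any poster, that turns those two read-only checks into something a user could run in Terminal. It assumes the per-user file lives at ~/.MacOSX/environment.plist (the thread names only the file, not its path), uses the single MD5 quoted in the thread as its known-bad value, and runs its demo on a constructed temporary file rather than a real download.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks a user can run in
# Terminal to see whether a downloaded package matches the sample discussed
# above, and whether the per-user environment.plist injects a library.

# MD5 of the FlashPlayer-11-macos.pkg sample quoted in the thread.
KNOWN_BAD_MD5="c2819c3c183bbf7547cf76c6a004ea15"

# Assumed location of the per-user launch environment file on OS X of that
# era; the thread only names the file, not its path.
USER_ENV_PLIST="$HOME/.MacOSX/environment.plist"

# md5_of FILE: print the hex digest with whichever tool the host has
# (md5 on OS X, md5sum on Linux).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# hash_matches_known_bad FILE: true (exit 0) when FILE has the sample's MD5.
# A non-match proves nothing: the thread notes the hash keeps changing.
hash_matches_known_bad() {
    [ "$(md5_of "$1")" = "$KNOWN_BAD_MD5" ]
}

# plist_has_dyld_insert PLIST: true when the file sets DYLD_INSERT_LIBRARIES,
# which an ordinary user account has no reason to have in environment.plist.
# A missing file counts as "not set".
plist_has_dyld_insert() {
    [ -f "$1" ] && grep -q 'DYLD_INSERT_LIBRARIES' "$1"
}

# quarantine_state FILE: prints "quarantined", "not-quarantined" or "unknown".
# xattr only exists on OS X, so on other systems the check is skipped.
quarantine_state() {
    if ! command -v xattr >/dev/null 2>&1; then
        echo unknown
    elif xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo quarantined
    else
        echo not-quarantined
    fi
}

# report FILE: human-readable summary of all three checks for one download.
report() {
    echo "file:       $1"
    echo "md5:        $(md5_of "$1")"
    if hash_matches_known_bad "$1"; then
        echo "hash:       MATCHES the sample discussed in this thread"
    else
        echo "hash:       no match (does not prove the file is clean)"
    fi
    echo "quarantine: $(quarantine_state "$1")"
    if plist_has_dyld_insert "$USER_ENV_PLIST"; then
        echo "env plist:  DYLD_INSERT_LIBRARIES set in $USER_ENV_PLIST - investigate"
    else
        echo "env plist:  no DYLD_INSERT_LIBRARIES entry in $USER_ENV_PLIST"
    fi
}

# Demo on a constructed file so the script runs without a real download.
# On a real download the call would be: report ~/Downloads/FlashPlayer-11-macos.pkg
demo_file=$(mktemp)
printf 'constructed sample, not a real package\n' > "$demo_file"
report "$demo_file"
rm -f "$demo_file"
```

The hash check is deliberately reported as "no match (does not prove the file is clean)": as MadMacs0 says a few posts later, the hash is being changed without changing how the package works, so only a positive match means anything. The environment.plist check is the more durable of the two, because an ordinary user account has no reason to set DYLD_INSERT_LIBRARIES at login.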
-
Sep 29, 2011 3:23 AM in response to Ralph Deen by MadMacs0:
The Apple XProtect has been updated to v26 and v1007 which ups the number of hash signatures for OSX.FlashBack.A from two to eight! That means they are able to change the signature of the file without changing the way it works. I'm not certain that Apple will be able to keep up with this race the way they did with MacDefender.
To update your definitions, Open System Preferences->Security, uncheck the box next to "Automatically update safe downloads list" and then recheck the box. This is the only method recommended for manual update of the list.
-
Sep 29, 2011 3:31 AM in response to MadMacs0 by Shirley Drabble1:
I get this page when I use that link.
http://www.http.com//******* markallan.co.uk/BB******* /viewforum.php?f=1
added **** and spaces to break it up and hope it leads to nothing nasty
is that right it just a page of sponsored lists.
Or was this a test to see if I would click on just any link?
:-(
you got me.
I trust people here. Maybe I shouldn't. We don't know who might be a mole!
I am on another support email group (health related) that has a mole and has fed back an email to a named consultant where someone was asking questions about that person, and the consultant threatened to sue for libel.
Sick people do not need that added stress.
So I hope this was just something that went wrong, as I cannot see ClamXav listed on that page at all.
:-(
Please reassure me, and I am just going to check that other email to see if I can find any of those other files.
This is so worrying when I have other things I need to think about right at this moment.
-
Sep 29, 2011 3:55 AM in response to Shirley Drabble1 by andyBall_uk:
Hi Shirley
That's just a mangled link - nothing to worry about,
it should be this:
http://markallan.co.uk/BB/viewforum.php?f=1
but somehow got posted with an extra 'http' at the start.
-
Sep 29, 2011 6:27 AM in response to MadMacs0 by cathy fasano:
MadMacs0 wrote:
To update your definitions, Open System Preferences->Security, uncheck the box next to "Automatically update safe downloads list" and then recheck the box. This is the only method recommended for manual update of the list.
What version of the OS has the "safe downloads list" functionality?