You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Flashback.C Trojan-Downloader

ars technica recently published a story about Flashback.C and a link to F-Secure to fix it.

Now I'm, panicking, as I did update Flash recently, but can't remember the look of the update screen.

It's such a common practice that Flash needs updating frequently that it didn't seem unusual. I'm really careful about this sort of thing and I only updated after ignoring a few previous notices.


The instructions on F-Secure tell you what files are created and to delete them. But the problem I had when checking is that it's not conclusive.

Example:

  • The following line is inserted into "/Applications/Safari.app/Contents/Info.plist":

    <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string>< /dict>


  • The following line is inserted to "/Applications/Firefox.app/Contents/Info.plist":

    <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Firefox.app/Contents/Resources/%payload_filename%</string> </dict>


The installer then restarts running instances of Safari and Firefox in order to take the payload into effect.The installer also disables the built-in anti-malware feature in Mac OS X. It unloads the XProtectUpdater daemon, and then wipes out the following files:

  • /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
  • /usr/libexec/XProtectUpdater


I don't have that entry line in my plist files, but I also don't have the file /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

How can I check that the Flash update I did wasn't this trojan?

I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.

iMac, Mac OS X (10.6.8)

Posted on Oct 20, 2011 2:46 AM

Reply
Question marked as Top-ranking reply

Posted on Oct 20, 2011 3:06 AM

How can I check that the Flash update I did wasn't this trojan?

I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.


If that's the version you installed then you are probably ok. Where did you download the installer from (adobe and macupdate are reliable)? Also look in your /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt. You should also have a prefPane called Flash Player.

11 replies
Question marked as Top-ranking reply

Oct 20, 2011 3:06 AM in response to orienteer

How can I check that the Flash update I did wasn't this trojan?

I checked the version of Flash I'm running and it is the latest (11.0.1.152), so it looks like it has been updated recently.


If that's the version you installed then you are probably ok. Where did you download the installer from (adobe and macupdate are reliable)? Also look in your /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt. You should also have a prefPane called Flash Player.

Oct 20, 2011 3:14 AM in response to orienteer

Here is a complete list of the (Flashback trojan) files installed:


  1. .MacOSX/environment.plist
  2. Library/LaunchAgents/com.apple.SystemUI.plist
  3. Library/Preferences/perflib
  4. Library/Preferences/Preferences.dylib
  5. Library/Logs/swlog


Use the free Easy Find and search for the files (start with #4 "Preferences.dylib" first)


http://download.cnet.com/EasyFind/3000-2248_4-8707.html



Delete all those (may need to turn on hidden files with TinkerTool to get the .MacOSX folder to show, then turn it off) and reboot


more info here, follow Linc Davis posts,


https://discussions.apple.com/thread/3349492?start=60&tstart=0



Best thing to do is backup files and Wipe and install


https://discussions.apple.com/thread/3358920

Oct 20, 2011 5:08 AM in response to ds store

Thanks for the responses.

I don't have any of those files, but I also don't have the file: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

should I?


I have the /Library/Internet Plug-Ins for the Flash Player.plugin and flashplayer.xpt and I have a prefPane called Flash Player.

The date of the Flash Player.plugin is the same as the Adobe Flash Player Install Manager.app in my Utilities folder, but the xpt file is a month older.


I did try and search for this using "flashback.C" as the search term and only got 2 matches and not the 3349492 you linked to.

Oct 20, 2011 6:04 AM in response to orienteer

I believe the files on that "complete list" only apply to the earlier versions of the Flashback Trojan.


From a recent Intego Security blog posting:

-------

We’ve seen several variants of the Flashback Trojan horse, since Intego first discovered this malware on September 26. The latest version, Flashback.D, has gotten a bit sneakier.

.

.

Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.

--------------------------

Oct 20, 2011 7:46 AM in response to jsd2

I just rebooted this morning. I'm seeing the latest XProtect update from Apple appears still as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B) .C & .D.




>orienter: I don't have any of those files, but I also don't have the file: /System/Library


It's here. And you must have /System/Library or your computer wouldn't be working at all.


XProtect.plist location: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist .

Oct 20, 2011 10:16 AM in response to WZZZ

I have got:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

But the article from F-Secure said it wiped out:

/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

which is what I said I didn't have, so looked like it might have been removed.


My XProtect.plist is dated 17 Oct and only has OSX.FlashBack.A listed.


jsd2: I don't have:

/Applications/Safari.app/Contents/Resources/UnHackMeBuild

and my /Applications/Safari.app/Contents/info.plist file is dated 16 Sept, so older than the Flash update.


I'm pretty computer literate and cautious clicking links and read a lot of tech sites, and I'm not absolutely positive I'm not infected, so wonder what chance the average user has with stuff like this.

So are the days of malware free Macs ending and is it time to consider installing something like Virus barrier X6 ?

Oct 20, 2011 3:56 PM in response to orienteer

orienteer wrote: My XProtect.plist is dated 17 Oct and only has OSX.FlashBack.A listed.

Hmm, as I said above, my most recent is dated Oct 14. ???



I don't have any of those files, but I also don't have the file: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

should I?

Badly misread that before. Yes, you should have it. Don't know why it would be AWOL. Check again?

Oct 20, 2011 4:10 PM in response to WZZZ

I apologise, I was looking for:

/Library/LaunchDaemons/com.apple.xprotectupdater.plist

instead of:

/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

which I do have.


So it looks like I'm OK.

I just can't remember what I did to update Flash, but I will make sure that I'm even more careful next time.


But hopefully others may get something from this thread if searching for info about Flashback.

Oct 21, 2011 1:28 AM in response to WZZZ

WZZZ wrote:


I just rebooted this morning. I'm seeing the latest XProtect update from Apple appears still as Oct. 14 for .A. So Apple is way behind the curve on .B (if there is a .B) .C & .D.

According to Intego they found this version a week ago and call it Flashback.D, so Apple may be OK. Based on the MD5 hash that F-Secure posted, ClamXav matches it with OSX.Flashback-3 which was also made available on Oct 14. I can only guess that Apple must be calling everything .A.

Flashback.C Trojan-Downloader

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.