
Flashback Trojan

3869 Views, 15 Replies. Latest reply: Oct 25, 2011 2:45 PM by Med.amine
TheSmokeMonster Level 4 (3,240 points)
Oct 20, 2011 3:48 PM

This New Trojan Disables Your Mac’s Auto-Updates

The original iteration of the Flashback Trojan was a nasty little bugger, quietly shipping your Mac's details off to a remote server. This newly discovered variant is even worse.

The new version, dubbed Flashback.C, also disables your Apple security definition update service by wiping files necessary to run future updates. Both Snow Leopard and Lion are vulnerable, though the Trojan seems to delete itself on any system running Little Snitch. The Trojan itself comes disguised as a Flash package installer.

F-Secure offers removal instructions here, Little Snitch is available here.

This information is taken from http://gizmodo.com/5851532/this-new-trojan-disables-your-macs-auto+updates

  • ds store Level 7 (30,305 points)
    Oct 20, 2011 4:00 PM (in response to TheSmokeMonster)

    Simple, only update Flash from this site, regardless what pops up in your face.

    http://get.adobe.com/flashplayer/

    Bookmark it and it's always there.

    If you need to check your version click here

    http://flashbuilder.eu/flash-player-version.html

    or here

    https://www.mozilla.org/en-US/plugincheck/

  • ds store Level 7 (30,305 points)
    Oct 20, 2011 5:43 PM (in response to TheSmokeMonster)

    Apple doesn't like Little Snitch, not only that, it's payware thus the tip is advertising, they are touchy about that.

    They don't like drawing attention to vulnerabilities (MacDefender an exception as it was so widespread and thus needed removal).

    Apple has XProtect already updated to combat this threat, and many other trojans, and Apple doesn't like Flash either.

    Did I mention Apple doesn't like Gizmodo either? Something about them buying a lost iPhone prototype....

  • fossilblue Level 1 (0 points)
    Oct 20, 2011 10:05 PM (in response to TheSmokeMonster)

    Hi

    Do Apple have an update for this trojan virus?

  • MadMacs0 Level 4 (3,320 points)
    Oct 21, 2011 3:12 PM (in response to fossilblue)

    fossilblue wrote:

        Do Apple have an update for this trojan virus?

    Apple updated its XProtect database last week and I believe that it will warn you should you try to install this latest FlashBack threat. If, for whatever reason, you install it then the XProtect system will be permanently disabled and the only way to repair it is to restore from backup. None of the AV software available nor the instructions provided above can repair XProtect. Intego has more on this.

  • Med.amine
    Oct 24, 2011 9:03 AM (in response to MadMacs0)

    Hi,

    I don't have XProtectUpdater in my Activity Monitor? Am I infected?

    What should I do to see if I'm infected, and how can I fix this?

  • MadMacs0 Level 4 (3,320 points)
    Oct 24, 2011 9:28 AM (in response to Med.amine)

    Med.amine wrote:

        I don't have XProtectUpdater in my Activity Monitor?

    XProtectUpdater only runs once every twenty-four hours for a fraction of a second, so your chances of seeing it in Activity Monitor are pretty much zero.

        What should I do to see if I'm infected, and how can I fix this?

    If I understand what F-Secure's analysis revealed, you can check to see if XProtect was disabled by looking at either of the following two files:

    /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    /usr/libexec/XProtectUpdater

    If they are blank, then you have been infected.

    The only way to repair is to replace those two files from backup.

  • Med.amine Level 1 (0 points)
    Oct 24, 2011 9:37 AM (in response to TheSmokeMonster)

    I have:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>StartInterval</key>
        <integer>86400</integer>
        <key>Label</key>
        <string>com.apple.xprotectupdater</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/libexec/XProtectUpdater</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>

    in /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

    So, Doctor, what does my MacBook Pro have?

  • MadMacs0 Level 4 (3,320 points)
    Oct 24, 2011 12:53 PM (in response to Med.amine)

    Med.amine wrote:

        So, Doctor, what does my MacBook Pro have?

    Not sure why you are asking TheSmokeMonster this question.

    What you posted does not look blank to me so it wasn't infected.

    Why do you think your MacBook Pro has something? You haven't given us any symptoms.

  • Med.amine Level 1 (0 points)
    Oct 24, 2011 1:13 PM (in response to MadMacs0)

    I mean, is my MacBook Pro infected? Now that you have replied to me, I know that it's safe, thank you.

    Sorry, I hadn't seen your message; thank you for explaining to me how XProtect works.

  • thomas_r. Level 7 (26,960 points)
    Oct 24, 2011 1:32 PM (in response to TheSmokeMonster)

    You don't need to go to the Gizmodo link or download Little Snitch. I was just trying to be thorough and wasn't thinking about Apple politics when I posted it, as store points out.

    Don't let ds store bully you. I don't know how he thinks he knows what Apple likes and doesn't like, but mentioning Little Snitch here is not a problem. Where he got the idea that Apple doesn't like Little Snitch I don't know. I've mentioned it myself on a number of occasions, and the moderators have never had a problem with that.

    Used correctly, Little Snitch can be an invaluable tool for detecting malicious attempts to "phone home"... though, note that it is of limited use, since anything that has infected your computer can simply disable it, as at least one variant of Flashback does.

  • MadMacs0 Level 4 (3,320 points)
    Oct 24, 2011 11:34 PM (in response to TheSmokeMonster)

    Here's another idea, that I had forgotten about, to see if XProtect is still working. Open your Terminal app (in the Utilities folder), then copy and paste the following into a new window after the "$" prompt:

    sudo launchctl list

    Hit Return and, when prompted, enter your admin password (you won't see any typing) and hit Return again.

    The list should include "com.apple.xprotectupdater.plist" if it's working.
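Both checks MadMacs0 describes above (the two XProtect files being non-blank, and the launchd job being listed) combined into one script, as an added example that is not from the thread or from Apple. The PREFIX variable, the function names and the extra check that the plist still names /usr/libexec/XProtectUpdater are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a defender's script that combines the two
# checks MadMacs0 describes (the two files being non-blank, and the launchd job
# being listed). PREFIX is an assumption so the file checks can also be run
# against a backup or test tree; leave it empty on a live system.
PREFIX="${PREFIX:-}"
XPROTECT_PLIST="$PREFIX/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
XPROTECT_BIN="$PREFIX/usr/libexec/XProtectUpdater"

# 0 if the file exists and has content; 1 if missing or zero bytes (the thread's
# "blank" condition).
file_intact() {
    [ -s "$1" ]
}

# 0 if the plist still points launchd at the real updater binary (assumed extra
# check): a file that is present but rewritten to run something else fails this.
plist_references_updater() {
    grep -q '<string>/usr/libexec/XProtectUpdater</string>' "$1" 2>/dev/null
}

# 0 if plist and binary are both intact and the plist is sane; reports each file.
xprotect_files_ok() {
    plist="$1"; bin="$2"; status=0
    for f in "$plist" "$bin"; do
        if file_intact "$f"; then
            printf 'OK      %s (%s bytes)\n' "$f" "$(wc -c < "$f" | tr -d ' ')"
        else
            printf 'BLANK   %s\n' "$f"; status=1
        fi
    done
    plist_references_updater "$plist" || { printf 'ALTERED %s\n' "$plist"; status=1; }
    return $status
}

# 0 if launchd lists the updater job (the "sudo launchctl list" check); 2 when
# launchctl is absent, i.e. not a Mac, so the result is unknown rather than bad.
xprotect_job_loaded() {
    command -v launchctl >/dev/null 2>&1 || return 2
    launchctl list 2>/dev/null | grep -q 'com.apple.xprotectupdater'
}

main() {
    xprotect_files_ok "$XPROTECT_PLIST" "$XPROTECT_BIN" || return 1
    if xprotect_job_loaded; then echo "launchd job loaded"; else echo "launchd job not listed (run as root on macOS)"; fi
}

# Only run the live checks on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ]; then main; fi
```

Run it with sudo on the Mac in question; a non-zero exit status means one of the two files is blank or the plist no longer names the updater.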
