Flashback Trojan

This New Trojan Disables Your Mac’s Auto-Updates

The original iteration of the Flashback Trojan was a nasty little bugger, quietly shipping your Mac's details off to a remote server. This newly discovered variant is even worse.

The new version, dubbed Flashback.C, also disables your Apple's security definition update service by wiping files necessary to run future updates. Both Snow Leopard and Lion are vulnerable, though the Trojan seems to delete itself on any system running Little Snitch. The Trojan itself comes disguised as a Flash package installer.

F-Secure offers removal instructions here, Little Snitch is available here.

This information is taken from http://gizmodo.com/5851532/this-new-trojan-disables-your-macs-auto+updates

Posted on Oct 20, 2011 3:48 PM

15 replies

Oct 20, 2011 5:43 PM in response to TheSmokeMonster

Apple doesn't like LittleSnitch, not only that, it's payware thus the tip is advertising, they are touchy about that.


They don't like drawing attention to vulnerabilities (MacDefender an exception as it was so widespread and thus needed removal).


Apple has Xprotect already updated to combat this threat, and many other trojans, and Apple doesn't like Flash either. 🙂


Did I mention Apple doesn't like Gizmodo either? Something about them buying a lost iPhone prototype.... 😝

Oct 20, 2011 10:20 PM in response to fossilblue

Fossil. The information I provided shows you what the virus is and how to uninstall it if it is there. Ds_store gives some information I'm sure a Google search or he could elaborate on as I only heard about this today. You don't need to go to the Gizmodo link or download Little Snitch I was just trying to be thorough and wasn't thinking about Apple politics when I posted it as store points out.


Having said that I apologize if I did something wrong and I hope I can be forgiven if so.

Oct 21, 2011 3:12 PM in response to fossilblue

fossilblue wrote:


Do apple have an update for this trojan virus?

Apple updated its XProtect database last week and I believe that it will warn you should you try to install this latest FlashBack threat. If, for whatever reason, you install it then the XProtect system will be permanently disabled and the only way to repair it is to restore from backup. None of the AV software available nor the instructions provided above can repair XProtect. Intego has more on this.

Oct 24, 2011 9:28 AM in response to Med.amine

Med.amine wrote:


I haven't XProtectUpdater in my Activity Monitor?

XProtectUpdater only runs once every twenty-four hours for a fraction of a second, so your chances of seeing it in Activity Monitor are pretty much zero.

What should I do to see if I'm infected and how can I fix this?

If I understand what F-Secure's analysis revealed, you can check to see if XProtect was disabled by looking at either of the following two files:


/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

/usr/libexec/XProtectUpdater


If they are blank, then you have been infected.


The only way to repair is to replace those two files from backup.

Oct 24, 2011 9:37 AM in response to TheSmokeMonster

I have:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>StartInterval</key>
    <integer>86400</integer>
    <key>Label</key>
    <string>com.apple.xprotectupdater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/XProtectUpdater</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>


in System/Library/LaunchDaemons/com.apple.xprotectupdater.plist


So, Doctor, what does my MacBook Pro have?

Oct 24, 2011 1:32 PM in response to TheSmokeMonster

You don't need to go to the gizmodo link or download little snitch I was just trying to be thorough and wasn't thinking about apple politics when I posted it as store points out.


Don't let ds store bully you. I don't know how he thinks he knows what Apple likes and doesn't like, but mentioning Little Snitch here is not a problem. Where he got the idea that Apple doesn't like Little Snitch I don't know. I've mentioned it myself on a number of occasions, and the moderators have never had a problem with that.


Used correctly, Little Snitch can be an invaluable tool for detecting malicious attempts to "phone home"... though, note that it is of limited use, since anything that has infected your computer can simply disable it, as at least one variant of Flashback does.

Oct 24, 2011 11:34 PM in response to TheSmokeMonster

Here's another idea, that I had forgotten about, to see if XProtect is still working. Open your Terminal app (in the Utilities folder) then copy and paste the following into a new window after the "$" prompt:


sudo launchctl list


Hit return and when prompted, enter your admin password (you won't see any typing) and hit return again.


The list should include "com.apple.xprotectupdater.plist" if it's working.
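
The two checks suggested in the replies above (are the two updater files blank, and is the job in the `launchctl list` output), as an added shell example that is not from any poster. The `ROOT` prefix argument, the function names and the rule that a whitespace-only file counts as blank are assumptions of this example, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is an assumed prefix so the same
# check can run on a mounted backup or a test directory ("" = live system).
PLIST=/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
UPDATER=/usr/libexec/XProtectUpdater
LABEL=com.apple.xprotectupdater

# file_state ROOT PATH -> prints ok | blank | missing | unreadable
file_state() {
    f="$1$2"
    [ -e "$f" ] || { echo missing; return; }
    [ -r "$f" ] || { echo unreadable; return; }
    # Count the bytes left after dropping whitespace and NULs.
    n=$(LC_ALL=C tr -d '[:space:]\000' < "$f" | wc -c)
    if [ $n -eq 0 ]; then echo blank; else echo ok; fi
}

# label_loaded: reads `launchctl list` output on stdin and succeeds if the
# updater job is listed (the label is the third column).
label_loaded() {
    awk -v l="$LABEL" '$3 == l || $3 == l ".plist" { hit = 1 }
                       END { exit !hit }'
}

# xprotect_files ROOT -> prints intact | damaged
xprotect_files() {
    if [ "$(file_state "$1" "$PLIST")" = ok ] &&
       [ "$(file_state "$1" "$UPDATER")" = ok ]; then
        echo intact
    else
        echo damaged
    fi
}

# Constructed demo: a fake root whose plist was overwritten with one space.
demo=$(mktemp -d)
mkdir -p "$demo/System/Library/LaunchDaemons" "$demo/usr/libexec"
printf ' ' > "$demo$PLIST"
printf '\317\372\355\376binary' > "$demo$UPDATER"
echo "plist:   $(file_state "$demo" "$PLIST")"
echo "updater: $(file_state "$demo" "$UPDATER")"
echo "verdict: $(xprotect_files "$demo")"
# Constructed `launchctl list` line, tab separated: PID, status, label.
printf '%s\t0\t%s\n' - "$LABEL" | label_loaded && echo "job: listed"
rm -rf "$demo"
```

On a live system the same functions would be called as `xprotect_files ""` and `sudo launchctl list | label_loaded`.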
