
How deal with FLASHBACK trojan?

Hey folks! 🙂


I updated Adobe Flash player a few days ago (the update popped up - I did not search for it) and I think I may have installed the "Flashback" trojan 'cuz I did the update in a hurry. 😕 Is there any way to find out if the trojan has found its way into the computer or is a format and reinstallation of the OS necessary? Thanks!!! 😎

MacBook Pro, Mac OS X (10.6)

Posted on Oct 23, 2011 11:04 PM

Question marked as Best reply

Posted on Oct 23, 2011 11:41 PM

You can check here to see if you've installed the current Flash version


http://flashbuilder.eu/flash-player-version.html



If your Software Update was up to date and Apple's XProtect (System Preferences > Security>Safe Downloads List) is on and functioning it would have detected this trojan.

13 replies

Oct 23, 2011 11:44 PM in response to ds store

Thanks ds store! 🙂 I also read in CNET: "While there is no information on how to manually remove Flashback, Intego says the program installs its malicious dynamic library in the /username/Library/Preferences/ folder as the file "Preferences.dyld," so you can go to that location and remove that file to dispose of the code."

http://reviews.cnet.com/8301-13727_7-20111639-263/another-os-x-trojan-imitates-adobe-flash-installer/


So I guess if that file ain't there, the Trojan has not entered the system right?


Also I would like to know if this comes as an update or just an installer. 😕

Oct 23, 2011 11:45 PM in response to woofmatix

Flashback Trojan installs files in the following locations


  1. .MacOSX/environment.plist
  2. Library/LaunchAgents/com.apple.SystemUI.plist
  3. Library/Preferences/perflib
  4. Library/Preferences/Preferences.dylib
  5. Library/Logs/swlog


Use the free Easy Find and search for the files (start with #4 "Preferences.dylib" first, that's the main bugger)


http://download.cnet.com/EasyFind/3000-2248_4-8707.html


#1 is a hidden file (notice the period) so you will need to check on Easy Find's "hidden files" button



You can also download the free ClamXav and run a scan, it has the definition updated for it by now.
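The file list in the post above can be checked from a Terminal instead of with a GUI search tool. The script below is an added example, not part of the original thread or of any Apple or Intego tool: it takes a home directory (defaulting to $HOME) and counts how many of the five indicator paths exist, printing each hit to stderr. Two caveats are built in as comments: `~/.MacOSX/environment.plist` is also a legitimate place to set per-user environment variables on older OS X releases, so its presence alone is not proof of infection, and the extra grep for `DYLD_INSERT_LIBRARIES` inside it is an assumption about how an injected dylib would be wired up, not something the post states.

```sh
#!/bin/sh
# Added example (not from the thread): count Flashback indicator files
# under a home directory. Reports only; it deletes nothing.
#
# Usage: flashback_indicator_count [HOME_DIR]
# Prints the number of indicator paths found on stdout (0 = none found)
# and each matching path on stderr.

flashback_indicator_count() {
    home="${1:-$HOME}"
    found=0

    # The five paths are exactly those listed in the post, relative to ~.
    for rel in \
        ".MacOSX/environment.plist" \
        "Library/LaunchAgents/com.apple.SystemUI.plist" \
        "Library/Preferences/perflib" \
        "Library/Preferences/Preferences.dylib" \
        "Library/Logs/swlog"
    do
        if [ -e "$home/$rel" ]; then
            echo "FOUND: $home/$rel" >&2
            found=$((found + 1))
        fi
    done

    # Caveat: environment.plist is also a legitimate file on older OS X.
    # Assumption (not from the post): a malicious copy would reference
    # DYLD_INSERT_LIBRARIES to load the dylib into every process. Flag it
    # separately so a benign environment.plist is not mistaken for infection.
    plist="$home/.MacOSX/environment.plist"
    if [ -f "$plist" ] && grep -q "DYLD_INSERT_LIBRARIES" "$plist" 2>/dev/null; then
        echo "WARNING: $plist references DYLD_INSERT_LIBRARIES" >&2
    fi

    echo "$found"
}

# Run directly (not when sourced by a test harness): scan $HOME and exit
# non-zero if anything was found, so it can be used in a script.
if [ "${FLASHBACK_CHECK_MAIN:-0}" = "1" ]; then
    n=$(flashback_indicator_count "$HOME")
    echo "indicator files found: $n"
    [ "$n" -eq 0 ]
fi
```

Run it as `FLASHBACK_CHECK_MAIN=1 sh flashback_check.sh`. As the next reply in the thread says, a clean result here is not proof of a clean machine; treat it as one data point alongside an updated XProtect and a ClamXav scan.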

Oct 23, 2011 11:56 PM in response to woofmatix

woofmatix wrote:


So I guess if that file ain't there, the Trojan has not entered the system right?


Don't assume anything, run a scan using ClamXav and if your Apple Software Update works you can pretty much rest assured you don't have it.



Also I would like to know if this comes as an update or just an installer. 😕


It's a trojan installer on hostile web sites.


If you look at your Adobe Flash System Preference pane it's got its own system to check with Adobe and verify the download. The confusion happens because there is a pop-up when one visits a web page and their Flash is outdated.


I always download my Flash here


http://get.adobe.com/flashplayer/




If you're still concerned you can perform a


Restoring OS X 10.5, 10.6, 10.7 - simple overwrite OS method


https://discussions.apple.com/thread/3358920



That will flush anything out of OS X, but you still need to clean up Applications and Users folders.

Oct 24, 2011 12:23 AM in response to woofmatix

Make a hold-option bootable clone on an external drive, this way if you suspect you have been had, you can hold C to boot off the 10.6 installer disk, wipe the internal drive and reverse clone.


I maintain 2 1/2 clones, one is auto-updated daily to an internal bootable partition on the second half of my boot drive (provides only software protection), another runs whenever I connect the external drive (hardware and software protection), and then I have one set back a month or two.

Oct 24, 2011 1:23 AM in response to woofmatix

woofmatix wrote:


I never download the update from the websites. I just download if the Adobe updater (or whatever they call it) pops up. So what I wanted to know was does the Trojan pop like this as well or just like another installer.


A trojan is designed to fool, so it would be wise for maximum effect to look like the real thing.


So it doesn't matter if it looks like the real thing or not, one needs to act like anything that pops up is a trojan and download from a site you know is for real.

Oct 24, 2011 11:49 PM in response to woofmatix

woofmatix wrote:


I never download the update from the websites. I just download if the Adobe updater (or whatever they call it) pops up. So what I wanted to know was does the Trojan pop like this as well or just like another installer.

The first version of the web page looked like this Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers.


The installer itself looked like this INTEGO SECURITY MEMO: Mac Flashback Trojan Horse Masquerades as Flash Player Installer Package.


I haven't seen anything about the recent versions being any different.

Apr 5, 2012 8:04 PM in response to candicefromct

candicefromct wrote:


I know I did a Flash update this week. How can I tell if it was legit or a trojan.

The Flashback Trojan has not been associated with a Flash upgrade for several months now.

One posting I saw was going into preferences and if my ip address was grey and not black then I have it. Do you know if this is accurate?

If it's the one I'm thinking of that test is associated with a totally different malware infection.


If you are experiencing symptoms of infection, either join a thread with that problem or start a new thread. This one is dead.
