ID: IRCNE2011091263
Date: 2011-09-27
According to “CNet”, a few months ago security company F-Secure uncovered a Mac Trojan horse that posed as an installer application for Adobe Flash to trick users into installing it. After installation, the Trojan would alter the system's hosts file to redirect Google sites to fraudulent servers. Now Intego has discovered a new Trojan for OS X that does pretty much the same thing: masquerades as a Flash Player installer to trick people into installing the program.
Unlike the previous Flash Trojan (called Bash/QHost.WB), which changed one file on the system, this new Trojan is a bit more complex and first deactivates network security features, then installs a dyld library that will run and inject code into applications that the user is running. The Trojan will also try to send personal information and machine-specific information to remote servers.
Intego calls the Trojan OSX/flashback.A, and is not too specific about how this Trojan runs, but it will undoubtedly compromise your system if you run it. The Trojan appears to use Apple's basic installer package system and includes Flash player logos so it looks like a legitimate software package.
While people may be concerned about this Trojan and other recent Mac malware, the risk of being infected is exceptionally low. If you need Adobe Flash on your system, just go to Adobe's Web site and get it or go to a trusted source. Doing this will ensure that you get the file directly as the developer intended, as opposed to using either an outdated version, a modified version, or a rogue application disguised as a Flash installer.
In addition to being easy to avoid, the Flashback Trojan does not self-replicate so it will not affect other systems.
Intego claims its VirusBarrier X6 anti-malware utility can detect and remove this latest Trojan if it is installed, but other scanners should soon also be updated to detect this threat. While there is no information on how to manually remove Flashback, Intego says the program installs its malicious dynamic library in the /username/Library/Preferences/ folder as the file "Preferences.dyld," so you can go to that location and remove that file to dispose of the code.
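The two observable artifacts the report describes, a hosts file that points Google domains at an attacker-controlled address (the earlier QHost.WB variant's behaviour) and the "Preferences.dyld" file under the user's Library/Preferences folder, can be checked for by hand. The script below is an added example written for this page, not Intego's tool or anything from the original article; it takes the hosts file and Preferences directory as parameters so it can be run against constructed sample files, and the function names, the sample data and the 192.0.2.10 address are all assumptions made here. It only reports indicators; it does not remove anything.

```shell
#!/bin/sh
# Added example (not from the original article): a defender-side check for the
# two indicators the report describes. Paths are parameters so the logic can be
# run offline against constructed samples; on a real Mac they would be
# /etc/hosts and "$HOME/Library/Preferences".

# Return 0 if the hosts file maps any Google domain to a non-loopback address
# (the site-redirection behaviour the earlier QHost.WB sample used), else 1.
hosts_redirects_google() {
  hosts_file="$1"
  # drop comment lines, keep entries naming a google domain, then discard
  # loopback/blackhole entries (those block, they do not redirect)
  grep -v '^[[:space:]]*#' "$hosts_file" 2>/dev/null \
    | grep -i 'google\.' \
    | grep -v -E '^[[:space:]]*(127\.0\.0\.1|::1|0\.0\.0\.0)[[:space:]]' \
    | grep -q .
}

# Return 0 if the dyld file the report names exists in the given directory.
flashback_dyld_present() {
  prefs_dir="$1"
  [ -f "$prefs_dir/Preferences.dyld" ]
}

# Run both checks, print each finding, return 0 when clean and 1 otherwise.
check_flashback_indicators() {
  hosts_file="$1"; prefs_dir="$2"; found=0
  if hosts_redirects_google "$hosts_file"; then
    echo "INDICATOR: $hosts_file redirects Google domains"; found=1
  fi
  if flashback_dyld_present "$prefs_dir"; then
    echo "INDICATOR: $prefs_dir/Preferences.dyld present"; found=1
  fi
  [ "$found" -eq 0 ]
}

# Constructed sample data (hypothetical, not real indicators) so the script
# runs stand-alone; prints the directory it created.
make_samples() {
  tmp=$(mktemp -d)
  printf '127.0.0.1 localhost\n::1 localhost\n' > "$tmp/hosts_clean"
  # 192.0.2.10 is a documentation-range address used only as a placeholder
  printf '127.0.0.1 localhost\n# comment\n192.0.2.10 www.google.com\n' > "$tmp/hosts_bad"
  mkdir -p "$tmp/prefs_clean" "$tmp/prefs_bad"
  : > "$tmp/prefs_bad/Preferences.dyld"
  echo "$tmp"
}

# Stand-alone demonstration against the constructed samples:
#   d=$(make_samples)
#   check_flashback_indicators "$d/hosts_bad" "$d/prefs_bad"
# On a live system: check_flashback_indicators /etc/hosts "$HOME/Library/Preferences"
```

Keeping the paths as parameters rather than hard-coding /etc/hosts lets the same logic be pointed at a mounted disk image or a backup, which is usually how such a check is run when a machine is suspected of being compromised.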
Related Links:
Fake FlashPlayer for Mac OS X leads to site redirection attacks
New Mac malware poses as PDF doc