Another OS X Trojan imitates Adobe Flash installer

A few months ago security company F-Secure uncovered a Mac Trojan horse that posed as an installer application for Adobe Flash, taking advantage of the popularity of the plug-in to trick users into installing it. After installation, the Trojan would alter the system's hosts file to redirect Google sites to fraudulent servers. Now Intego has discovered a new Trojan for OS X that does pretty much the same thing: masquerades as a Flash Player installer to trick people into installing the program.

Unlike the previous Flash Trojan (called Bash/QHost.WB), which changed one file on the system, this new Trojan is a bit more complex and first deactivates network security features, then installs a dyld library that will run and inject code into applications that the user is running. The Trojan will also try to send personal information and machine-specific information to remote servers.

Intego calls the Trojan OSX/flashback.A, and is not too specific about how this Trojan runs, but it will undoubtedly compromise your system if you run it. The Trojan appears to use Apple's basic installer package system and includes Flash player logos so it looks like a legitimate software package.

While people may be concerned about this Trojan and other recent Mac malware, the risk of being infected is exceptionally low. If you need Adobe Flash on your system, just go to Adobe's Web site and get it or go to a trusted source like CNET's Download.com. Doing this will ensure that you get the file directly as the developer intended, as opposed to using either an outdated version, a modified version, or a rogue application disguised as a Flash installer.

In addition to being easy to avoid, the Flashback Trojan does not self-replicate so it will not affect other systems. In essence, as with all Trojan attacks this is an attempt to disguise malicious software in hopes of stealing information from unsuspecting people.

Intego claims its VirusBarrier X6 anti-malware utility can detect and remove this latest Trojan if it is installed, but other scanners should soon also be updated to detect this threat. While there is no information on how to manually remove Flashback, Intego says the program installs its malicious dynamic library in the /username/Library/Preferences/ folder as the file "Preferences.dyld," so you can go to that location and remove that file to dispose of the code.

Besides getting your download updates and installers from trusted sources, you can do some additional things to protect your system from these and other threats:

1. Turn off Safari's auto-open command
   In Safari, go to the General section of the preferences and uncheck the option to "Open safe files after downloading." While this will not open applications, if checked it will open documents and media that may contain executable code, and turning it off is recommended.

2. Install a malware scanner
   Install a scanner like Sophos, VirusBarrier, ClamXav, Kaspersky, or iAntiVirus, and set it up to scan your e-mail and your download folders. While doing this will help ensure your downloads are safe, the rarity of malware threats on OS X makes it optional. Nevertheless, this has steadily become more of a recommendation of mine.

3. Never trust a program
   If something asks you to install an item on your system, shut it down and confirm the source of the item. Only install programs on your system if you know exactly where they came from.

For more information on protecting your system, see our article on protecting your system from recent malware. Also see our article on the Apple Security Center malware scare that discusses how to spot malware scams.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.