
Latest Adobe Flash Trojan for OS X gets revised

The criminal malware developers who released a fake Flash installer Trojan for OS X a few weeks ago have revised the program, but oddly this revision is a little easier to detect than the previous one.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

A few weeks ago Intego discovered a new Trojan horse for OS X that poses as an installer for Adobe Flash. The Trojan attempts a somewhat complex attack that involves disabling security features and inserting code into existing applications that attempts to send personal information to remote servers.

This Trojan, called OSX/Flashback.A, is one of a few new malware attempts on the Mac platform that have surfaced in the past few months (others being a PDF-based malware attack and another fake Flash installer).

As with any malware attempt, we expect there will be future revisions as the criminals developing the software try to refine their code, meaning new variants are likely to crop up. We have been seeing this for a couple of these packages, and today security companies have found that the latest fake Flash Installer Trojan has undergone another revision.

Figure: Fake Flash installer. The malware's installer looks legitimate, but this is not what Adobe's official installer looks like. (Credit: Intego)

Figure: Adobe's official Flash installer. Adobe's official Flash installer will look like this when run.

According to F-Secure, the new Trojan variant (called OSX/Flashback.B) now tries to inject code into areas of the system that require administrative access, such as within Application packages like Safari and Firefox. When it is run, the new version of the installer will ask for a password so it will have access to these components of the system, which in fact makes it slightly easier for an alert user to detect.

Oddly, the installer also appears to check for the presence of the outgoing firewall Little Snitch, which prevents undesired communication by local programs with remote servers. If the installer detects Little Snitch, it will quit and delete itself from the system instead of attempting to continue the installation. This might have been done in an attempt to keep the malware from being detected, but regardless it's nice to see that tools like Little Snitch appear to block the only avenues for attack that OS X Trojan developers are taking advantage of, to the point where they've engineered the malware to just give up.

If the system does not have Little Snitch installed, then the installation will continue and the program will connect to a remote host from which it will download a payload that is installed in either Firefox or Safari. The programs are then set to activate the code when launched, and to make this happen the installer will quit and relaunch these browsers if they are running. The injected code will then attempt to communicate with remote servers and send personal information to the servers.

Because the code targets browsers, the malware's purpose may be to grab Web site and log-in information, such as for online banking.

Figure: Detecting malware with the Terminal. Running these commands in the Terminal will show whether the malware is present. If either command produces the output shown in the screenshot, then your system has not been infected. (Credit: Topher Kessler)

This description of the malware variant may sound a bit worrying, but as with the initial form of this malware, the threat is limited because it requires you to purposefully download and install the program. In addition, the program is not widespread and does not self-propagate (as worms and viruses do), so you would have to run across it, download it, and install it for the infection to take place.

The Trojan horse is disguised as Flash Player, which also makes it easy to avoid by simply going to Adobe's official site to download Flash if you need it. Updates to Flash Player should also not be a concern, because they are issued through Adobe's official services and not via standalone Web sites.

Because the Trojan appends launch instructions to property lists within the Safari and Firefox programs, if you would like to check to see if a system has been infected with this Trojan, you can open the Terminal and run the following commands:

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

On an uninfected system these commands should produce an error message stating the specified domain/default pair does not exist. However, if these commands give an output that includes the text "DYLD_INSERT_LIBRARIES" followed by a path to a file, then the Trojan installer has been run and has infected the system. If this is the case, you can remove the infection either by editing Safari or Firefox to prevent the payload from running, or by simply deleting the browsers and downloading them again. Doing the latter should completely remove the payload from your system.
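
The two checks above, wrapped in a small script (an added example, not part of the original article): it interprets the `defaults read` output the way the paragraph describes, prints the library path when the marker is found, and skips a browser that is not installed. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): wraps the article's two
# `defaults read ... LSEnvironment` checks and interprets the result.

MARKER=DYLD_INSERT_LIBRARIES

# classify_lsenv OUTPUT
# OUTPUT is the text printed by `defaults read <Info.plist> LSEnvironment`.
# Prints "infected" when the marker is present, "clean" when defaults reports
# that the key does not exist, and "unknown" for anything else.
classify_lsenv() {
    case $1 in
        *"$MARKER"*)        echo infected ;;
        *"does not exist"*) echo clean ;;
        *)                  echo unknown ;;
    esac
}

# injected_path OUTPUT
# Prints the file path that follows the marker, so the payload can be located.
# Handles both quoted and unquoted key/value forms.
injected_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*'"$MARKER"'"\{0,1\} = "\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# check_browser APP_BUNDLE
# Skips browsers that are not installed, since a missing plist would otherwise
# be indistinguishable from a clean one.
check_browser() {
    plist="$1/Contents/Info.plist"
    if [ ! -f "$plist" ]; then
        echo "$1: not installed"
        return 0
    fi
    out=$(defaults read "$plist" LSEnvironment 2>&1)
    verdict=$(classify_lsenv "$out")
    echo "$1: $verdict"
    if [ "$verdict" = infected ]; then
        echo "  injected library: $(injected_path "$out")"
    fi
}

# Only scan where the OS X `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    check_browser /Applications/Safari.app
    check_browser /Applications/Firefox.app
fi
```

An "unknown" verdict means the output matched neither case the article describes and the plist should be inspected by hand.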

Again, while this Trojan variant is news and we are describing its features here, the threat level from it is minuscule, as to install the malware you would have to purposefully download it and run it. If you want to install Flash on your system then you would be wise to only download it from a reputable Web site such as Adobe's main downloads page or CNET's Download.com site.


