MAC Users beware: Flashback Mac Trojan Horse Infection

Post details here of scams you have discovered or hassles you have experienced.
10+ posts are required to post in this section.

Moderators: DJKeefy, 4u Network

User avatar
Bullet Magnet
Royal V.I.P
Royal V.I.P
Posts: 2530
Joined: Sat Nov 21, 2009 10:38 am
Location: Le Manège Enchanté
Has thanked: 9029 times
Been thanked: 2303 times

MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Bullet Magnet »

I know a few people on this forum use Mac's.
Great security most of the time, However, do not get complacent, we had an issue with one of the designers MacBook pro today, with browser crashes.
It turns out that this has been infected with a new variant of the Flashback trojan, "Flashback G".

The trojan is trying to harvest personal details and passwords.



We found an article published today during investigations. please read it if you have a Mac, there are several links describing the symptoms with specific applications.
note that this trojan does not attempt to install itself if you have some form of protection / security on your MAC, as it was trying to hide itself and go undetected for as long as possible.

the full article is here. It sounds a bit "techy", but just read it all the way through, carefully.

http://blog.intego.com/flashback-mac-tr ... w-variant/




If this link wont work, ( probably the slashdot effect ) here's some of the article.



We recently reported about a new variant of the Flashback Trojan horse which is using novel techniques to infect Macs. Since then, we have discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.

How this malware infects Macs

This new variant of the Flashback Trojan horse uses three methods to infect Macs. The malware first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention. If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users won’t understand what this means, and click on Continue to allow the installation to continue.


It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. It does this to avoid detection. It seems that the malware writers feel it is best to avoid Macs where the malware might be detected, and focus on the many that aren’t protected.

Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension. Here are some examples of users posting logs on forums about certain applications crashing. In each case, a file in /Users/Shared is present:

http://community.skype.com/t5/Mac/cant- ... d-p/506175

/Users/Shared/.PCImageEditor.so

https://discussions.apple.com/thread/37 ... 0&tstart=0

/Users/Shared/.AllXilisoftVideo.so

https://discussions.apple.com/thread/37 ... 0&tstart=0

/Users/Shared/.memalloc.so

http://community.skype.com/t5/Mac/Skype ... d-p/508077

/Users/Shared/.DocumentConverterdocPrint.so

http://community.skype.com/t5/Mac/Skype ... m-p/492045

https://discussions.apple.com/thread/37 ... 0&tstart=0

/Users/Shared/.InternetHistoryKiller.so

There is also a file created at:

/Users/Shared/.svcdmp

and a plist file, used to patch applications, at:

~/.MACOSX/environment.plist

And logs are stored at:

~/Library/Logs/vmLog

What this malware does

This malware patches web browsers and network applications essentially to search for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)

One of the clues that a Mac is infected is that certain applications will crash. This is notably the case for web browsers, such as Safari, or other network programs, such as Skype. This is because the injected code interferes with the program making it unstable.

This malware also has an automatic update module that checks a number of websites for new versions.

Means of protection

Most of the cases of infection we are seeing are on Macs running OS X 10.6 Snow Leopard. As we reported in our previous post, OS X Lion does not come with Java pre-installed, but Snow Leopard does. It is therefore essential that anyone running OS X 10.6 update Java immediately. To do this, run Software Update, from the Apple menu; if you do not have the latest version of Java, an update will be available.

Nevertheless, many Macs are getting infected by the social engineering trick of the bogus certificate purporting to be signed by Apple, as shown in our screenshot above. If you see this, don’t trust it, and cancel the process.

Intego VirusBarrier X6 detects Flashback.G and all other variants of this Trojan horse. In this case, the mere presence of VirusBarrier X6 causes the malware’s installer to abort, so even if users do not have VirusBarrier X6′s real-time scanner active, the Trojan will look elsewhere.

This malware is particularly insidious, as users don’t download anything or double-click any file to launch an installer. Be careful if you see the screenshot above, and check to see if you need to update Java.

If you are infected by this malware, look for a Java applet in ~/Library/Caches and send it to sample@virusbarrier.com before deleting it. We’d like to see as many samples as possible.





So, if you are not infected ( yet ) maybe consider installing a security package, such as the ones mentioned above.. :cool:


There's a time for everyone, if they only learn
That the twisting kaleidoscope moves us all in turn.
User avatar
Who2
Egyptian God
Egyptian God
Posts: 7935
Joined: Fri Jul 16, 2010 12:04 pm
Location: Laandaan
Has thanked: 2044 times
Been thanked: 6077 times
Gender:
United Kingdom

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Who2 »

Thanks for that I'll try to digest it tomorrow...
"The Salvation of Mankind lies in making everything the responsibility of All"
Sophocles.
User avatar
jj
Junior Member
Junior Member
Posts: 14
Joined: Sun Apr 30, 2006 4:53 pm
Location: UK
Been thanked: 4 times

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by jj »

Yes cheers I've now gone cross eyed !!!!

Feeling like a technophobe have relayed this info to my tame Mac man, also known as the " Other Arf " to make relevant enquiries.

His contract has just finished so he's at a loose end anyway, if he's left to his own devices for too long he'll start thinking about all those road trips he could make on his motorbike :lol:
JJ
User avatar
Winged Isis
Egyptian Pharaoh
Egyptian Pharaoh
Posts: 3867
Joined: Thu Jul 05, 2007 2:38 pm
Location: Australia
Has thanked: 1568 times
Been thanked: 1028 times
Gender:
Australia

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Winged Isis »

Ping! That was the sound of my non-techno brain going warp-speed into distress! It may as well all be in Swahili as far as I am concerned. I have a new Macbook Pro Mac OS X Lion 10.7.3. So what does this all mean for me, please?! Should I be worried? Which of the above should I click on to see the "certificate"?

Thanks, BM! (I think!) :mrgreen:
Carpe diem! :le:
User avatar
Bullet Magnet
Royal V.I.P
Royal V.I.P
Posts: 2530
Joined: Sat Nov 21, 2009 10:38 am
Location: Le Manège Enchanté
Has thanked: 9029 times
Been thanked: 2303 times

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Bullet Magnet »

Winged Isis wrote:Ping! That was the sound of my non-techno brain going warp-speed into distress! It may as well all be in Swahili as far as I am concerned. I have a new Macbook Pro Mac OS X Lion 10.7.3. So what does this all mean for me, please?! Should I be worried? Which of the above should I click on to see the "certificate"?

Thanks, BM! (I think!) :mrgreen:
You should be safe W.I. :)

Your O/S doe snot have Java pre-installed, and if Java has been installed ( sometimes an application will request this) then you will have installed a version that is not vulnerable.

If anyone is running OS X 10.6 Snow Leopard. you NEED to update Java immediately.
Run the Software Update from the Apple menu if the Java is up to date, then no update will be available and you are safe.


I run UBUNTU, it's more or less the same platform that Apple uses, It's all free, but Apple modify it for their OS ( Operating System ).
It's virtually unheard of to get a virus running these operating systems. The problem comes form the third party software, such as your browser, in my case Firefox, and Safari for MAC users.


If I were to write a trojan, I would certainly write it for a MAC :) they're all loaded those MAC user's, so I should be able to extort a reasonable sum from their savings... :cool:
There's a time for everyone, if they only learn
That the twisting kaleidoscope moves us all in turn.
User avatar
Winged Isis
Egyptian Pharaoh
Egyptian Pharaoh
Posts: 3867
Joined: Thu Jul 05, 2007 2:38 pm
Location: Australia
Has thanked: 1568 times
Been thanked: 1028 times
Gender:
Australia

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Winged Isis »

:Phew: :tu: BM!!! :lv
Carpe diem! :le:
Revolution
Junior Member
Junior Member
Posts: 52
Joined: Wed Jan 11, 2012 8:29 pm
Location: LUXOR

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Revolution »

Another Trojan horse, sent in email on windows 7

“Royal mail cannot deliver a parcel down load the receipt, “
When you do this it takes over your computer.

Let me know if you get it there is a way of taking it of
User avatar
Bullet Magnet
Royal V.I.P
Royal V.I.P
Posts: 2530
Joined: Sat Nov 21, 2009 10:38 am
Location: Le Manège Enchanté
Has thanked: 9029 times
Been thanked: 2303 times

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Bullet Magnet »

Here you go Rev'

This is for free.
http://download.cnet.com/Malwarebytes-A ... tag=button

Hit the download button.

I keep this installed on my Win 7 PC, and keep it updated. I run it if I suspect Malware, or once a week out of curiosity.
It really works a treat. I would recommend upgrading and paying for the full version to support the project if you find it useful.
There's a time for everyone, if they only learn
That the twisting kaleidoscope moves us all in turn.
Revolution
Junior Member
Junior Member
Posts: 52
Joined: Wed Jan 11, 2012 8:29 pm
Location: LUXOR

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Revolution »

Bullet Magnet wrote:Here you go Rev'

This is for free.
http://download.cnet.com/Malwarebytes-A ... tag=button

Hit the download button.

I keep this installed on my Win 7 PC, and keep it updated. I run it if I suspect Malware, or once a week out of curiosity.
It really works a treat. I would recommend upgrading and paying for the full version to support the project if you find it useful.

Thanks Bullet . i have Bull Guard on my Lap top , it got it very fast , and it is high security , but it still managed to embedd deep in the comp first

thanks any way great link
User avatar
Brian Yare
Royal V.I.P
Royal V.I.P
Posts: 2566
Joined: Mon Dec 01, 2008 4:11 pm
Location: Worcester, UK
Has thanked: 1185 times
Been thanked: 1279 times
Gender:
United Kingdom

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Brian Yare »

Its raining outside, but I think I'll use an umbrella rather than a mac.
Subversion
Member
Member
Posts: 111
Joined: Mon Jan 30, 2012 10:18 pm
Location: UK
Has thanked: 81 times
Been thanked: 168 times
Gender:
United Kingdom

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Subversion »

HI BM

I'm wading through back archives on the board - ironically last night came accross your post on this! Just shows it is worth reading everything.

You were of course totally right and way ahead! Today on BBC News....

http://www.bbc.co.uk/news/science-environment-17623422

right its off to do some system updating - this could take some time

S x
User avatar
Bullet Magnet
Royal V.I.P
Royal V.I.P
Posts: 2530
Joined: Sat Nov 21, 2009 10:38 am
Location: Le Manège Enchanté
Has thanked: 9029 times
Been thanked: 2303 times

Re: MAC Users beware: Flashback Mac Trojan Horse Infection

Post by Bullet Magnet »

Subversion wrote:HI BM

I'm wading through back archives on the board - ironically last night came accross your post on this! Just shows it is worth reading everything.

You were of course totally right and way ahead! Today on BBC News....

http://www.bbc.co.uk/news/science-environment-17623422

right its off to do some system updating - this could take some time

S x

It's not often that I am wrong Sub' :cg
.

.

.
However, when I am wrong, I do get it wrong on an EPIC scale of almost Biblical proportions. . . :up
I don't do things half arsed, Nothing ventured, nothing gained... :cool:
There's a time for everyone, if they only learn
That the twisting kaleidoscope moves us all in turn.
  • Similar Topics
    Replies
    Views
    Last post
  • Carriage horse collapses
    by BENNU » » in News and Sport
    10 Replies
    1052 Views
    Last post by newcastle
  • Australian Light Horse - 100 Years.
    by Hafiz » » in Know Egypt
    11 Replies
    1408 Views
    Last post by Hafiz
  • Beware the Titanic
    by hatusu » » in Warnings!!!
    5 Replies
    398 Views
    Last post by Jayway
  • Yorkshire bob beware
    by Lynne claire » » in Visiting Luxor
    9 Replies
    293 Views
    Last post by Dusak
  • Scorpions - beware
    by crewmeal » » in Know Egypt
    1 Replies
    457 Views
    Last post by newcastle