The OS X Flashback Trojan, how bad is it?


16 replies to this topic

#1 Ichigo27

    NSFW o_O

  • Members
  • 2223 posts
  • Location:pingas

Posted 06 April 2012 - 12:10 AM

Who's heard of this? I've looked at brief headlines that 600,000 Macs were affected. I have also heard of Java and Flash Player issues; not 100% sure if it affects installing Flash Player 11.2 that pops up on the dock. However, I did check system updates and updated Java.

Would like to know what you guys think of this.
What is a man?

#2 Hansi

    Master Blaster

  • Members
  • 1754 posts
  • Steam ID:hansroberth
  • Location:London, UK

Posted 06 April 2012 - 04:00 AM

It's just a sleeper dynlib. It's only in there if you've used a fake Flash Player installer that most likely would have originated from a porn site etc according to the news.

Here are instructions for checking on it and removing it: http://www.f-secure....46cf8b0dd0b6707

#3 the Battle Cat

    Carnage Served Raw

  • Admin
  • 15860 posts
  • Location:Citadel City, Lh'owon
  • Pro Member:Yes

Posted 06 April 2012 - 08:41 AM

Apparently the creepy little arse is suicidal too.  This from the linked website:

Quote

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Gary Simmons
the Battle Cat

#4 Ichigo27

    NSFW o_O

  • Members
  • 2223 posts
  • Location:pingas

Posted 06 April 2012 - 02:47 PM

Hansi, on 06 April 2012 - 04:00 AM, said:

It's just a sleeper dynlib. It's only in there if you've used a fake Flash Player installer that most likely would have originated from a porn site etc according to the news.

I do think I downloaded the Flash Player from Adobe's website on my new iMac. After shutdown, I did boot it up and didn't get a reminder for the update.

So this would be the right one? Just to make sure.

http://helpx.adobe.c...ash-player.html
What is a man?

#5 Hansi

    Master Blaster

  • Members
  • 1754 posts
  • Steam ID:hansroberth
  • Location:London, UK

Posted 06 April 2012 - 03:50 PM

Yes this one would show up in a pop up from a web site according to the articles I read. You should not need to worry.

But you can run the commands listed in the link above if you want to be 100% sure.

#6 HeadWes

    Legendary

  • Members
  • 651 posts
  • Location:Portland, OR

Posted 13 April 2012 - 08:00 PM

Malware and a DOJ lawsuit... Apple is the new Microsoft.
"I only ask to be free. The butterflies are free."

#7 doh123

    Wineskin

  • Developer
  • 164 posts

Posted 13 April 2012 - 08:04 PM

Actually, the last version of Flashback... the one that got to 600,000 installs was a drive-by... it installed itself using a security flaw in Java. It did it in the background with no prompt, no passwords, nothing... you didn't have any indication you were affected. There is no patch for OS X 10.5 and older... but the patches for 10.6+ of Java fix the security hole and version 3 of the update actually removes the malware if you have it.

#8 Sargiel

    Legendary

  • Members
  • 908 posts
  • Location:West Sussex, England

Posted 14 April 2012 - 12:09 AM

Looks like I'll have to look to RISC OS for security through obscurity from now on ;)

#9 doh123

    Wineskin

  • Developer
  • 164 posts

Posted 14 April 2012 - 06:45 AM

Amiga OS is still going strong!  :-)

#10 Matt Diamond

    Master Blaster

  • IMG Writers
  • 2020 posts
  • Location:Holland, PA; US
  • Pro Member:Yes

Posted 14 April 2012 - 08:39 PM

I believe the 600,000 figure is an estimate from a single vendor of anti-virus software. They did explain their methodology for their estimate, which is based on a sample of machines they observed. But last I heard no one else had given any other estimate or concurred with the original estimate.

Grain of salt is all I'm saying. It does appear to have attacked Macs in the wild though, which is more than we can say for previous Mac virus announcements from little-known virus companies.
Matt Diamond - www.mindthecube.com
Measure twice, cut once, curse three or four times.

#11 HeadWes

    Legendary

  • Members
  • 651 posts
  • Location:Portland, OR

Posted 16 April 2012 - 11:26 AM

Clearly the future lies with Haiku (Zombie BeOS).
"I only ask to be free. The butterflies are free."

#12 the Battle Cat

    Carnage Served Raw

  • Admin
  • 15860 posts
  • Location:Citadel City, Lh'owon
  • Pro Member:Yes

Posted 16 April 2012 - 12:32 PM

Apple released a Java update today that specifically addresses the Flashback issue.
Gary Simmons
the Battle Cat

#13 Diablofett

    Heroic

  • Members
  • 278 posts
  • Location:Hyrule

Posted 17 April 2012 - 08:57 PM

Hansi, on 06 April 2012 - 03:50 PM, said:

Yes this one would show up in a pop up from a web site according to the articles I read. You should not need to worry.

But you can run the commands listed in the link above if you want to be 100% sure.

I saw estimates ranging from over 600,000 Macs to 2/3 of all Macs having been infected. Either way that is a lot of porn!

#14 Hansi

    Master Blaster

  • Members
  • 1754 posts
  • Steam ID:hansroberth
  • Location:London, UK

Posted 18 April 2012 - 01:30 AM

That 600k number is from a single source and is extrapolated from a sample of something like 50 Macs.

#15 Janichsan

    Jugger Bugger

  • Forum Moderators
  • 7246 posts
  • Steam Name:Janichsan
  • Location:over there

Posted 18 April 2012 - 01:46 AM

The Flashback problem is hardly fixed and already the next Mac malware warning is making its rounds. It also uses a Java exploit but appears to be more of an idiot's trojan: to infect your Mac with it, you actively have to open a Word file coming from a random spam mail (so no "drive-by" infection). And you can easily disable it by simply deleting two openly visible plist files from your Preferences folders.

"We do what we must, because we can."
"Gaming on a Mac is like women on the internet." — "Highly common and totally awesome?"


#16 doh123

    Wineskin

  • Developer
  • 164 posts

Posted 18 April 2012 - 04:23 AM

The Word one uses a Word bug that was fixed years ago... you have to be running a totally unpatched Word 2004 or Word 2008...

#17 Matt Diamond

    Master Blaster

  • IMG Writers
  • 2020 posts
  • Location:Holland, PA; US
  • Pro Member:Yes

Posted 22 April 2012 - 08:04 AM

600,000 Macs is approximately 1%, I'm told. That's a very bad outbreak if the 600K estimate is even true, but is hardly 2/3rds.

The new estimate since Apple released patches is already down to 50K.

The Word macro thing is old news.

Maybe Apple will jump on the next vulnerability a bit quicker- they were warned about this one months ago. So hopefully this was a decent wake up call for them and for Mac users too (though who trusts browser popups that want to install video playback or anti-virus software?) But the sky isn't falling, no matter how much the trolls and the virus companies seem to want it to. Stay frosty, people.
Matt Diamond - www.mindthecube.com
Measure twice, cut once, curse three or four times.