Trojan variation disables Mac malware protection

Researchers from F-Secure warn that a new variant of a trojan discovered in September, which masquerades as an Adobe Flash Player installer, is capable of disabling OS X's built-in malware protection.

OSX/Flashback.C disables the auto-updater component of XProtect, which means the system's built-in anti-malware application no longer looks for updates to its malware definitions. This essentially holds the door open for future malware to invade the system unimpeded.

F-Secure provides instructions for removing OSX/Flashback.C if your system has already been compromised. If you're truly paranoid, you can also bypass the auto-update process and force your Mac to update its malware definitions manually.

Since OS X malware authors seem to be employing fake Flash Player installers as a delivery vector, it's worth mentioning that you should only download Flash Player from trusted sources. Adobe's website is a good place to start. You could also remove the plug-in version of Flash Player altogether, essentially zeroing out your risk of being exposed to the OSX/Flashback trojan variants; the Google Chrome browser includes a bundled Flash Player if you need to view Flash content.

[Hat tip to Ars Technica]




7 Comments

waldrop01

Is there an easy method to tell whether or not a system has been compromised? I followed the link for F-Secure's removal instructions, but I didn't find any info there for how to determine whether or not a system has been compromised. Thanks for spreading the word about this trojan, and thanks in advance for any additional information on detecting whether or not a system's compromised.

October 19 2011 at 4:37 PM
Dave

I believe I may be a victim of this, as I've been prompted to update Flash twice in a short period. However, I'm having a little trouble with F-Secure's site. First, their online tools apparently don't run on Safari, so I opened it in Firefox 3.0.1. Then, attempting to use Health Check, I was told I need to update to the latest version of Java. Software Update has nothing for me, so I assume I'm all up to date. I opened Java Preferences and put Java SE 6, 64-bit, version 1.6.0_26-b03-384 at the top of the list, closed and restarted Firefox and still got the same message. I should mention I'm using OS X 10.5.8 and don't really plan on updating until it's time to get a new computer altogether. Can anyone help me out?

October 19 2011 at 4:27 PM
Rick S

I'm pretty sure I got this. I keep having to update Flash, but I don't understand the F-Secure instructions on how to "Scan the whole system and take note of the detected files." Do I just search for Flashback.c in Spotlight or EasyFind?

October 19 2011 at 4:08 PM
Yuusharo

Good rule of thumb that I heard once before - If you're presented to install software that you didn't actively seek out, do not install it. Period.

October 19 2011 at 3:48 PM
Erik Rogers

Another reason to use Google Chrome over Safari.

10.7.2 security update out in 5....4....3....

October 19 2011 at 3:36 PM
eremiah.nilsson@gmai

Can't sb just locate these guys and then just shoot them?

At least in a leg or two.... please

October 19 2011 at 3:34 PM

© 2012 AOL Inc. All Rights Reserved.