
Flashback.A seen in action!

Published September 28th, 2011 at 7:59 AM EDT , modified October 11th, 2011 at 9:43 AM EDT

I got a link to what looks like a malicious Flash Player installer this morning. The web site address is disturbingly convincing, containing Adobe’s name. The URL will not immediately trigger suspicion for most people. Once the site loads, you will see a fairly convincing-looking screenshot of the Adobe update notification window while an installer named FlashPlayer-11-macos.pkg downloads in the background.

The resulting file is very small, only 141K. I don’t know whether this contains the entire trojan or if it will, once installed, download the trojan itself from another server. I also cannot be 100% sure that this is the recent OSX/flashback.A malware, as it is not detected by ClamXav. Further, I was able to open the installer package without any warning from the OS, despite the fact that I had forced the XProtect definitions to update before opening it.

If you ever see a Flash Player update notice, just close it. It’s legit most of the time, but given how convincing this trick is, it’s better to be safe than sorry. Then go straight to www.adobe.com and check for updates there. This particular scam was not particularly convincing. There were a number of inconsistencies, such as the inability to close the updater window (because it wasn’t really a window) and the fact that the file downloaded before I clicked anything. However, it’s certainly possible to make this sort of thing more convincing, so play it safe and get the updater straight from the official source.

The link was sent to me by a colleague, who in turn had it sent to him, so I have no idea how one would end up on this page. If anyone has seen this page, or a similar one, please let me know how you ended up on that page! I’ll post updates as I learn more.

Update: Linc Davis has posted a description on the Apple Support Communities of what gets put where by this trojan. You can find this information at Re: new malware disguised as flash installer.

2 Comments

  • Hall Wongun says:

    Does Sophos now protect against it?
    Thanks

    • Thomas says:

      I have no idea, as I don’t use Sophos. I tried to check it this morning with VirusTotal.com, but that site was not working. Note that there have been multiple variants documented, though… although they all look and work the same, some may be identified by a particular anti-virus (AV) program while others are not. You would be wise not to count on AV software to protect you.
