Stephen Withers
Wednesday, 28 September 2011 09:00
Are Mac malware writers getting smarter? A recently discovered Trojan deactivates a popular security tool.
Following the discovery of the Revir Trojan, security companies are warning of another new Mac Trojan, this time posing as an Adobe Flash installer. Dubbed Flashback by Intego (apparently the first to report it), the Trojan disables Little Snitch, a security product intended to alert users to any attempt by software to 'phone home'.
It seems Flashback has been seen in the wild, with unspecified malicious web sites providing links to what purports to be Flash Player, but is actually Flashback. When downloaded and launched, the file opens in the normal Mac OS X Installer, whereas the real Flash installer is self-contained.
Flashback deactivates Little Snitch and installs a dynamic loader file (~/Library/Preferences/Preferences.dylib) that sends information to a remote server. Intego officials describe the code as "quite sophisticated".
Information transmitted includes the Mac's UUID and the Mac OS X version number. The code has an auto-update mechanism, and is also able to download additional software.
If you suspect a Mac may be infected with the malware, look for the ~/Library/Preferences/Preferences.dylib file.
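The check described above can be run across every account on a machine rather than one home directory at a time. The following is an added example, not code from Intego or from the article; the function name `scan_homes` and the default root `/Users` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: look for the Flashback indicator file named in the article
# in every home directory under a given root.
# Assumption: home directories live directly under /Users unless another
# root is passed (for example the Users folder of a mounted disk image).

# Path of the indicator relative to a home directory, as given in the article.
INDICATOR_REL="Library/Preferences/Preferences.dylib"

# scan_homes [ROOT]
# Prints "FOUND <path>" for each home directory that contains the indicator.
# Returns 0 when at least one hit is found, 1 when there are none.
scan_homes() {
    root="${1:-/Users}"
    hits=0
    for home in "$root"/*; do
        # Skip plain files and the unexpanded glob of an empty root.
        [ -d "$home" ] || continue
        candidate="$home/$INDICATOR_REL"
        # -e follows symlinks; -L also catches a dangling symlink of that name.
        if [ -e "$candidate" ] || [ -L "$candidate" ]; then
            printf 'FOUND %s\n' "$candidate"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}
```

Call `scan_homes` with no argument on the Mac itself, or pass the path to the Users directory of a mounted copy of its disk.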