New Flashback Trojan Horse Variant Hits the Mac


There’s a new version of the Flashback trojan horse for the Mac in the wild, and this variant tries to install itself by exploiting vulnerabilities in older versions of Java.

The new variant, dubbed Flashback.G by Intego, first tries to install itself silently by exploiting two Java vulnerabilities. If that fails, it falls back on social engineering: it presents a self-signed certificate bearing the name “Apple Inc.” and relies on Java’s trust prompt, which warns only that the certificate’s signature could not be verified. When users click Continue, the trojan installs.

The Flashback.G fake digital certificate

Since the certificate appears legitimate at first glance, the trojan has a good chance of snaring trusting Mac users. The name in the dialog is simply whatever the attacker typed into a certificate he signed himself; the warning that the signature could not be verified means that nothing about the certificate, the name included, has been vouched for by a trusted authority.
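To make that concrete, here is an added example that is not part of the original article or of Intego’s analysis. It uses the openssl command-line tool (assumed to be installed; it stands in for the checks Java’s trust prompt performs, which are not reproduced here) to mint a self-signed certificate whose subject reads “Apple Inc.”, then shows what can and cannot be verified about it. The file names, the second “Apple Inc.” key and the trust-store choices are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from Intego. Assumes the openssl
# command-line tool is installed. Certificates, keys and file names below are
# constructed for this demonstration.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT_A="$WORKDIR/fake-apple-a.pem"; KEY_A="$WORKDIR/fake-apple-a.key"
CERT_B="$WORKDIR/fake-apple-b.pem"; KEY_B="$WORKDIR/fake-apple-b.key"

# Mint a self-signed certificate. Whoever holds the private key picks the
# subject name; nothing checks that the name describes the key holder.
#   $1 = output certificate, $2 = output private key, $3 = common name
mint_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -subj "/CN=$3" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# The common name a trust dialog would display for this certificate.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^.*CN=//'
}

# The issuer name, for comparison with the subject.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^.*CN=//'
}

# "Self-signed root certificate": the issuer is the same name as the subject.
is_self_signed() {
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# The SHA-256 fingerprint identifies the actual certificate; the name does not.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Chain validation. With no store argument the system trust store is used.
# Passing the certificate itself as the store mimics ticking "Always trust"
# in the dialog: the user, not any authority, is what makes the chain verify.
#   $1 = certificate to validate, $2 = optional CA bundle to trust
trust_status() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

# Demo: two unrelated keys, both claiming to be "Apple Inc."
mint_self_signed "$CERT_A" "$KEY_A" "Apple Inc."
mint_self_signed "$CERT_B" "$KEY_B" "Apple Inc."
echo "subject shown in dialog : $(cert_subject "$CERT_A")"
echo "issuer                  : $(cert_issuer "$CERT_A")"
is_self_signed "$CERT_A" && echo "self-signed             : yes"
echo "fingerprint A           : $(cert_fingerprint "$CERT_A")"
echo "fingerprint B           : $(cert_fingerprint "$CERT_B")"
echo "against system store    : $(trust_status "$CERT_A")"
echo "after 'Always trust'    : $(trust_status "$CERT_A" "$CERT_A")"
echo "B against store with A  : $(trust_status "$CERT_B" "$CERT_A")"
```

Both certificates carry the identical subject “Apple Inc.” yet have different fingerprints, and neither validates against the system trust store; only after the certificate itself is added as a trust anchor does validation succeed. That is exactly what ticking the “Always trust” box in the Java dialog does, which is why a name the system says it cannot verify should carry no weight at all.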

If the trojan detects antivirus software on the machine, it aborts the installation.

Flashback first surfaced last fall masquerading as an installer for Adobe’s Flash Player. Because Flash isn’t included in a standard OS X installation, it was easy for attackers to get the trojan in front of potential victims visiting malicious websites.

The easiest way to avoid malicious applications like Flashback is to steer clear of websites you don’t trust, and if you install Flash Player on your Mac, download it only from Adobe’s website. Since Flashback.G exploits vulnerabilities in older versions of Java, keeping Java up to date closes off the silent install path; what remains is the trust prompt, and a certificate the system says it cannot verify should be declined whatever name it carries.

Comments

Joe

or.. I don’t know, PAY ATTENTION to the warning shown to you?

webjprgm

If the trojan detects virus protection software, it aborts the installation process.

That’s better than on Windows. On WinXP it would instead proceed to disable and lock out the anti-virus software.

Of course, it also brings up once again the fact that most Mac users don’t install anti-virus software.

geoduck

OK I’ve hesitated to bring this up till now but, when you include a picture in a story, especially when it’s a graphic like this with text, how about making it clickable to a larger version? There have been a number of articles about financial and technical topics where the article includes a graphic or chart or screen shot that’s too small to see clearly. Even when I zoom in (which I can do on the Mac but not on the work PC) the text is fuzzy. A week or two ago there was an article where there were a couple of pie charts that looked pretty but I couldn’t read the legend so I couldn’t tell which wedge was Apple, and which was Google, and which was other. Joe said above about paying attention to the warning. Well, I can’t read what the warning is in the example.

My 2c

webjprgm

or.. I don’t know, PAY ATTENTION to the warning shown to you?

True, but I wonder if I’d miss something similar since it says it’s from a company that I generally trust.  Suspicion level rises on new, untrusted web sites, then curiosity would rise when an “Apple, Inc.” cert is not recognized on an Apple OS.  So I’d check it out and distrust it.  But what if it said Adobe instead? Then I might assume it wasn’t trusted because Apple and Adobe dislike each other.

Although the best solution is teach everyone to be careful, I wonder if there’s a way of indicating that the alleged certificate is not from Apple?  Maybe just writing “alleged” in the warning instead of stating matter-of-factly that the content was signed by “Apple, Inc.”.  The quotes can imply that it’s alleged, but they don’t necessarily mean that.

webjprgm

how about making it clickable to a larger version?

I agree.

Well, I can’t read what the warning is in the example.

I guess my eyes aren’t too bad yet.  It says:
——————-
Do you want content signed by “Apple Inc.” to have access to your computer?

The digital signature of this certificate could not be verified. Do not trust this certificate if you do not know who issued it.
————
Check box says:  Always trust “Apple Inc.”

Cert info below says:
—————
Apple Inc.
Self-signed root certificate
Expires: dimanche 6 mai 2012 20:02:02 HEC
This root certificate is not trusted.
——————-

ilikeimac

I wonder if I’d miss something similar since it says it’s from a company that I generally trust.

I agree. Although savvy users would be suspicious of this for several reasons, the dialog needs to make it clear that the name on the certificate (“Apple Inc.”) is part of (indeed, the gist of) the unverifiable information, rather than an independent fact.

Funny story (details here): Apple’s correct name is “Apple Inc.” not “Apple, Inc.”

Intruder

Interesting that the text is in English and the date is in French. A bit of a clue there.

wab95

Interesting that the text is in English and the date is in French. A bit of a clue there.

Mais, bien sûr. (But of course.)

While I agree with webjprgm that most Mac users do not use antivirus software, one of the two reasons I do is for just those occasions where my attention is on other things (like my work) and something slips past me from a presumed trusted source. I would think it arrogant to assume that I could never be duped, particularly when my attention is divided, hence the software as second line defence.
