Flashback Trojan horse

Hi,
Does anybody know if Yosemite fixed this security issue with this Flashback Trojan horse malware? If the problem still exists, what is the proper way to check if a Mac is compromised?
Thanks!

It was fixed in April of 2012.

Similar Messages

  • FLASHBACK TROJAN?

    any info about flash back trojan?

    Adobe is aware of malware posing as its Flash Player and warns users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than adobe.com," said David Lenoe, Adobe's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc). If you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."
    The ‘Flashback Trojan’:
    A version of an existing Trojan Horse posing as a legitimate Flash Player installer (named “Flashback.A” by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings. The latest Macs do not have Flash Player included. In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. Javascript is something entirely different and should be left active.
    http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html
    Flashback Trojan - Detection, and how to remove (with caution):
    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • HT5246 The above info confuses me. I thought this trojan horse affected those who had Java (JRE) up and running, i.e., Safari security Java checkbox enabled. I also believed this Trojan horse affected those using Snow Leopard. Clarify please.

    The above info re the Flashback removal tool confuses me. I thought this trojan horse affected those who had Java (JRE) up and running, i.e., Safari security Java checkbox enabled. I also believed this Trojan horse also affected those using Snow Leopard. Clarify please.

    There are several variants of the trojan. The first ones were released as installers for Adobe Flash and therefore did not require you to have Java on your system. Later variants took advantage of a Java vulnerability and could install themselves by simply visiting a rogue Web site. Therefore, even without Java installed if you had run a rogue updater for Adobe Flash or Reader, then you might have installed the trojan.
    The trojan also affects Snow Leopard and prior versions of OS X (so far the code is known to be Intel-only, but this is unconfirmed), but Apple has only issued patches for supported versions of the OS (version 10.6 or later).
    Apple's removal tools run in OS X 10.6 or later if you install the Java update, and the standalone removal tool is for Lion only. Why Apple does not offer options for other operating systems is beyond me, but that's the way of things. Right now there are other tools you can use to check for and remove the malware on versions of OS X that Apple does not support: http://reviews.cnet.com/8301-13727_7-57413811-263/flashback-malware-removal-tool-roundup/

  • Recent Trojan Horse Stories

    I've been a Mac User for more than 5 years and I've never bought an Antivirus, however I've been seeing articles of Macs getting something called a Trojan Horse, now I'm kind of nervous that I will get it. Can anyone recommend an antivirus?

    jnjaquez wrote:
    I've been seeing articles of Macs getting something called a Trojan Horse, now I'm kind of nervous that I will get it. Can anyone recommend an antivirus?
    (1) Debates about the distinction (if any) between Trojan Horses and viruses are, IMHO, best left to the specialists, who have the time to engage in them and the training to understand the arguments. For us, as average users, they don't matter that much. After all, if my bank account password was stolen, I couldn't care less if it was stolen by a virus, a Trojan Horse, or the frumious bandersnatch.
    (2) The latest versions of Flashback installed themselves without any user interaction. They were not "invited" in any way; the user did not have to "download and execute something". Whether this means that Flashback is "no longer entirely a trojan", as Thomas A Reed puts in the page linked by shldr2thewheel, or that it's a backdoor (or whatever), leave the fun of arguing over it to others. We can just call it malware and be done with it.
    (3) There are two problems with A/V software.
    (a) Macs are a very small market compared to Win; moreover, (for whatever reason) Macs have been much less affected by malware. Consequently, it doesn't make business sense for any commercial A/V developer to put his A Team on developing Mac A/V software. And the products on offer show the signs of being developed by the B Team—by and large, they are intrusive, not very well programmed, and not very well tested.
    (b) A/V software is only as good as the latest update, and protects only against known threats. In the past five or six weeks, Flashback evolved constantly and fairly rapidly, while A/V updates in general didn't match the pace.
    So, for A/V software, I'd go with BGreg's suggestion of ClamXav (which is not commercial, but a free Mac port of an open-source A/V engine). However, don't assume that, once it is installed, you are fully protected.
    (4) A common thread in the last weeks of the Flashback soap opera has been the reverse firewall. Mac OS X has a built-in firewall (one that controls in-coming connections); but it doesn't have a reverse firewall (which controls outgoing connections). Some versions of Flashback self-immolated when they detected Little Snitch, a popular reverse firewall (Hands Off! is another); others were caught and blocked by Little Snitch. I'd say, this day and age, a reverse firewall is essential.
    In short, what should you do?
    Use your common sense (best and most useful tool).
    Keep yourself informed. (The danger posed by Java vulnerabilities was fairly well known.)
    Get a reverse firewall (Little Snitch or Hands Off!).
    Install ClamXav.
    Adopt good working habits, including using a standard (rather than admin) account for most of your work.
    Back up, back up, and back up some more (eg, Time Machine). And always have an emergency boot device at hand.

  • TS1338 I have 4 Trojan Horse viruses on my external drive I use for Time Machine. My MacBook Pro hard drive is clean. I have erased the external drive 3 times using Disk Utility and it still has the 4 Trojan Horse viruses. How do I get rid of them? Wayne

    I have 4 Trojan Horse viruses on my external drive I use for Time Machine. My MacBook Pro hard drive is clean. I have erased the external drive 3 times using Disk Utility and it still has the 4 Trojan Horse viruses. How do I get rid of them? I am using 10.8.3. Wayne

    ksu62 wrote:
    The infection names are:  classload.jar-719ef6a5.zip
                                              classload.jar-5db452le31.zip
                                              ar3.jar-6ce3b2f-45l483f.zip
                                              classload.jar-lef99412-63bsd3fl.zip
    Those look a lot like file names and not infection names. I don't find any reference to anything like that on Norton or VirusTotal. Since you said these were Trojans, I would expect to see "Trojan" as part of the infection name.
    ".jar" files are executable Java applets. The random alpha-numerics would seem to indicate a cache file, likely from a browser with Java enabled. And we all know what ".zip" means.
    Worst case is that you had Java enabled in a browser and were infected by one of the late variants of the Flashback Trojan over a year ago or one of a couple of other attacks using the same vulnerability but targeted against a small number of political sympathizers. Much more probable is that these were Windows-only Trojans. Hopefully you have a fully up-to-date OS X, including Java, and have disabled Java in all your browsers by now.

  • Any discussion on flashback Trojan?

    Any suggestions on what communities to ask about the flashback Trojan ?

    Adobe is aware of malware posing as its Flash Player and warns users to ignore any updates that didn't originate on its own servers. "Do not download Flash Player from a site other than adobe.com," said David Lenoe, Adobe's product security program manager, in an entry on Adobe Product Security Incident Response Team's PSIRT blog. "This goes for any piece of software (Reader, Windows Media Player, QuickTime, etc). If you get a notice to update, it's not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious."
    The ‘Flashback Trojan’:
    A version of an existing Trojan Horse posing as a legitimate Flash Player installer (named “Flashback.A” by a security firm) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings. The latest Macs do not have Flash Player included. In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. Javascript is something entirely different and should be left active.
    http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html
    Flashback Trojan - Detection, and how to remove (with caution):
    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
    You can also use this to check whether you have been infected (for Intel Macs only) and remove it if required:
    http://www.macupdate.com/app/mac/42571/anti-flashback-trojan
    Last, but by no means least, use Open DNS, which is the simplest way of preventing infection in the first place. Open DNS also protects against phishing attacks, and speeds up your internet connection:
    http://blog.opendns.com/2012/04/09/worried-about-mac-malware-just-set-up-opendns/
    How to get it:
    https://store.opendns.com/get/home-free

  • What about trojan horse virus?

    The news today discussed a new trojan horse stealing passwords, etc.  Is there any fix or software to prevent damage or loss of data?

    If you're running an iMac G5, that's a PPC Mac (you're in the wrong forum, BTW) I don't think you have much to worry about. As far as I know, and I could be wrong, the Flashback Trojan, at least right now, is not interested in PPC Macs. It appears to be written to attack Intel Macs only. In any case, since this could change, disable Java in the browser you use, to be safe.

  • HT5228 How to find out if your Mac has the Flashback Trojan EASY WAY!!!!

    http://www.cnn.com/2012/04/06/tech/web/mac-flashback-trojan-check/index.html
    Just did it, works great, and they also have a post on how to remove it as well.

    Here is an even easier way, it will remove most infections too:
    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • My computer has been infected with a Trojan Horse.  It has completely taken over my Mac email account and was sending out malicious email to everyone in my address book.  At the same time it infected my iPhone---I am no longer able to receive or send emai

    My computer has been infected by a Trojan Horse. It has taken over my Mac email account and began sending out malicious emails to everyone in my address book. I cleared out my MAC address book and began using my AOL email account. It took a few days and then my AOL email account was infected and has now been sending out malicious email to all my contacts for over a month. It has also infected my iPhone--I am no longer able to send or receive emails on my iPhone. Also, once the Trojan Horse began using my AOL email it completely blocked me from using my MAC account by sending never ending popups asking for my email password to access my MAC email account, but it never accepts my password. The TH has also slowed down everything on my computer. It's like I am working on an old PC with dial up connection instead of the high speed digital connection that I have. The little color wheel spins constantly as I wait for sometimes over a minute for a page to pull up. If it pulls up at all. I have tried to use the 2 disks that came with my computer to completely remove everything on my computer and then reinstall all the programs, but I am not allowed to sweep my computer clean. I thought maybe my disks that came with my computer were defective so I called Apple and they sent me 2 new disks. I am not able to clear my computer with the 2 new disks either. I have done this before successfully so it's not something new to me. I do remember when I believe my computer became infected: I had googled an unusual sewing term, and I was opening what appeared to be legitimate sites, when all of a sudden a pop up appeared that said that my computer had been infected. I immediately shut my computer off, but it was too late. I downloaded a virus program for Mac, and it has never found a virus or problem at all. I think it is part of this Trojan Horse, but I am unable to delete it from my computer. It refuses to uninstall.
    The Mac Trojan Horse is real and it is terrible. If anyone has any suggestions for me I would be very appreciative.
    Beth
    vu

    Install ClamXav and run a scan with that. It should pick up any trojans.   

  • Hey, I'm experiencing problems with iTunes. I downloaded the recent iTunes update yesterday and today I plugged my iPhone in and my computer said there was a trojan horse and now iTunes won't open. Help please??

    Hey guys, I'm experiencing problems with iTunes after the latest update yesterday (1/22) and the problem I'm having is when I plugged my iPhone into my PC today a virus detection came up and said a trojan horse was present. I also can't open iTunes at all. I'm confused and don't know what to do. Thanks in advance

    Place the device in DFU mode (google it) and restore.

  • HELP! I had a Flashback Trojan/Malware on my Mac, I deleted it in trash, and now my Mac won't start.

    At first my Mac Finder showed n81, n82, etc when you right-click it, instead of the commands " open new finder window", "hide" etc. I also noticed that sometimes, when I would go to sites such as facebook, it would redirect to a different site and I'd have to type in the address again to get to the site. Nothing else was wrong with it. Safari was not shutting down. It wasn't slow.
    I did some research and found that I probably have the Flashback Trojan/Malware virus (whatever that is?) And so I followed what some people did (which got their Mac fixed).. I downloaded ClamXav and TinkerTool to find the malware (hidden files) and I deleted it in trash.. my computer seemed fine but when I restarted it, it won't turn on anymore.. the screen remains blue, the mouse could still be moved, but it stays that way..
    did I lose all my files? am I being hacked as we speak? Is this virus very dangerous?! I am very paranoid and know nothing about this kind of stuff so please help!
    BTW, the malware was from the game Farm Frenzy.. I have no idea how I got this... I never play online games.

    @Thomas, Thanks for jumping in. I had to take my wife to a Doctor appointment and things went down hill from there.
    I note that you are using Mac OS X 10.5.x.  It's important to understand that the Java vulnerabilities that allowed this malware to get established on your machine cannot be fixed in 10.5.x.  You would need to upgrade to at least 10.6 (Snow Leopard) to be able to get a version of Java with those vulnerabilities fixed.  (Correct me if I'm wrong there, Al!)
    That's 100% correct. Natalia has the distinction of being the first OS X 10.5 user confirmed to be infected by Flashback as far as I can tell. That operating system is becoming increasingly dangerous as the days go by. The OS has not been updated since Aug 2009 and the last Security and Java updates were in June 2011. There is no XProtect system and more and more third parties have dropped support in updating their Applications.
    Natalia_ wrote:
    I actually ran disk utility, and it said that the Macintosh HD is fine... I also tried safe mode/safe boot and did the FSCK command.. even that said that my laptop was fine? but somehow it still stays blue when I start up!
    And I think it probably is fine, except that something is hanging during the initial loading process. Could be most anything.
    As for my files, I appreciate your advice but I am scared I might do something wrong and mess my laptop up even more!
    There is almost no chance of that and at this point it should be obvious to you that if the files on your laptop are that important, you should already have a backup.
    I will take it to Apple and hopefully they can help me... because it seems that my files aren't wiped out... yet... It still displayed that I had my files in there..
    One word of caution, then. I have been told that Apple has instructed their support folks not to attempt to clean up a malware infection. If I were you I wouldn't bring it up unless you have to.
    By the way, while the disk was running, it was making very loud noises.. humming/grinding/etc... what could this mean?
    Only one thing in my experience, your hard drive is toast. All the more reason to try and get all the data you can off it immediately.
    The only way to test it is to do a surface scan which Disk Utility cannot do. You would need a third party utility to do that. If it tells you there are bad sectors, that is 100% proof that it's going bad, as modern hard drives repair themselves of bad sectors until they run out of reserves to substitute.

  • I think I have  some Malware/Trojan Horse on MacBook Pro. How to get rid of it?

    My MacBook Pro has worked perfect for the last 2 years, but over the last 2 days when I am on Chrome it has started clicking onto random websites when I click other links, and showing certain words as underlined and as hotlinks. I think I recognise that from having a PC as Malware or Trojan Horse? What is the best way to remove this as I have read through a few threads on here and they advise not downloading any anti virus software as it slows down your Mac instead of helping.

    You installed the "VSearch" trojan, perhaps under a different name. Remove it as follows.
    Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
    Back up all data before proceeding.
    Triple-click anywhere in the line below on this page to select it:
    /Library/LaunchAgents/com.vsearch.agent.plist
    Right-click or control-click the line and select
              Services ▹ Reveal in Finder (or just Reveal)
    from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
    Repeat with each of these lines:
    /Library/LaunchDaemons/com.vsearch.daemon.plist
    /Library/LaunchDaemons/com.vsearch.helper.plist
    /Library/LaunchDaemons/Jack.plist
    Restart the computer and empty the Trash. Then delete the following items in the same way:
    /Library/Application Support/VSearch
    /Library/PrivilegedHelperTools/Jack
    /System/Library/Frameworks/VSearch.framework
    ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
    Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
    From the Safari menu bar, select
              Safari ▹ Preferences... ▹ Extensions
    Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
    Reset the home page and default search engine in all the browsers, if it was changed.
    This trojan is distributed on illegal websites that traffic in pirated content. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.
    You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that this Internet criminal has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
              Go ▹ Go to Folder...
    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
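
The path list from the VSearch removal instructions above, as a read-only presence check (an added example, not part of the original post). `AUDIT_ROOT` and `AUDIT_HOME` are hypothetical variables introduced here so the check can be pointed at a mounted backup volume or another user's home folder; nothing is deleted.

```shell
#!/bin/sh
# Added example: reports which of the VSearch items named in the post exist.
# It only tests for presence; removal is still done by hand as described above.
# AUDIT_ROOT / AUDIT_HOME are assumptions of this example, not macOS settings.

# Phase 1: launch items the post removes before the restart.
vsearch_launch_items() {
cat <<'EOF'
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
EOF
}

# Phase 2: items the post removes after the restart.
vsearch_support_items() {
cat <<'EOF'
/Library/Application Support/VSearch
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
EOF
}

# Read paths on stdin and print "<label><TAB><path>" for each one that exists.
# $1 = label describing which phase of the procedure the path belongs to.
report_present() {
    label=$1
    root=${AUDIT_ROOT:-}
    home=${AUDIT_HOME:-$HOME}
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in
            "~/"*) full="$home/${p#??}" ;;   # per-user item: swap "~/" for the home folder
            *)     full="$root$p" ;;         # system-wide item: prefix the audit root
        esac
        # -e follows symlinks; -L also reports a dangling symlink left behind.
        if [ -e "$full" ] || [ -L "$full" ]; then
            printf '%s\t%s\n' "$label" "$full"
        fi
    done
}

# Full audit in the same order as the manual procedure.
vsearch_audit() {
    vsearch_launch_items  | report_present "launch-item"
    vsearch_support_items | report_present "support-file"
}

# Succeeds (status 0) only when none of the listed items is present.
vsearch_is_clean() {
    [ -z "$(vsearch_audit)" ]
}

# Stand-alone run: list what is present, or say that nothing was found.
vsearch_audit
vsearch_is_clean && echo "none of the listed VSearch items are present"
```

A path that is reported as a `launch-item` belongs to the first group in the post, which is removed before the restart; `support-file` entries belong to the group removed afterwards.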

  • I have received an email from a friend with a link which I clicked. It directed me to the google home page and I am now suspicious that it is a virus  or a Trojan horse. I would know what to do on my PC but am new to Ipad. How can I check?

    I have received an email from a friend with a link which I clicked. It took me to the google home page. I am now suspicious that my friend's email account has been hijacked and the link contained a virus or a Trojan horse. I would know what to do on my PC but am new to the IPad. Can any form of Trojan horse be planted on IOS 6 or am I worrying unnecessarily? Reassurance would be most welcome as I do use the IPad for checking bank details and web purchases. Thanks for any help.

    PC virus won't run on iPad.

  • I have an iMac running OS 10.4.11. How can I check to see if I have the Flashback Trojan (and remove it, if I have it)? My Safari is also crashing frequently. Any suggestions?

    I have an iMac running OS 10.4.11. How can I check to see if I have the Flashback Trojan (and remove it, if I have it)? My Safari is also crashing frequently. Any suggestions?

    Hi Barry, is this an Intel iMac, or a PPC iMac?
    Disable Java in your Browser settings, not JavaScript.
    http://support.apple.com/kb/HT5241?viewlocale=en_US
    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
    Flashback - Detect and remove the uprising Mac OS X Trojan...
    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html
    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app
    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660
    The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site
    More bad news...
    https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link
    Removal for 10.5...
    http://support.apple.com/kb/DL1534

  • Can't find file for Trojan Horse on my MacBook

    Anyone seen this before?
    I have the Norton Antivirus Program installed on my MacBook.
    I believe an attack occurred while I was looking through the Apple Support Forums for help with a QuickTime problem and accidentally clicked on the following link: http:www.smacktalkpaintball.com/video/
    The Norton Warning came up and I hit the delete option and then set Norton to scan manually.
    The following came up at the end of the scan:
    Virus "bof.jar-51a4bd07-3d4b399d.zip" detected, Today at 7:24 AM. Repair failed.
    /Users/Owner/Li...bd07-3d4b399d.zip Trojan Horse infected
    I was not able to locate either of these files anywhere on my computer.
    I have two external hard drives that I use to back-up data, but neither of them were connected at the time of the attack, and nothing else was connected when I ran the virus scan.
    I do not have Windows installed on this MacBook - Mac OS X, Version 10.5.8,

    Norton was able to detect the Trojan whereas MacScan was not, but Norton was not able to remove it
    That sounds an unlikely outcome on both counts. Norton anti-virus is just that: anti-virus, and I would not trust it to deal with trojans.
    Are you sure you actually installed a Trojan?
    If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.
    You can read more about how, for example, the OSX/DNSChanger Trojan works here:
    http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml
    SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:
    http://macscan.securemac.com/
    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.
    (Note that a 30 day trial version of MacScan can be downloaded free of charge from:
    http://macscan.securemac.com/buy/
    and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)
