10-24-2011, 12:39 PM

Hello,

the other day, sitting at my Mac, a window popped up asking me to update Adobe Flash Player. I downloaded the file and run the installer, everything was looking like a REAL Flash updater, but.....

Actually it was not a Flash update, it was a trojan horse infecting my Mac. It is called flashback.C and I found good info about it at This Page

1) IMPORTANT Do not update Adobe Flash because of a pop-up window IMPORTANT
2)Does anybody knows a simple disinfection procedure? What is reported in the above page is too technical for me.

Thanks

Fisico60

10-24-2011, 02:32 PM

I don't think I could come up with a simpler procedure than what they list. Maybe someone will come up with a corrective script.

What site were you visiting when the popup occurred?

10-24-2011, 05:03 PM

Quote:

Originally Posted by gsahli

I don't think I could come up with a simpler procedure than what they list. Maybe someone will come up with a corrective script.

What site were you visiting when the popup occurred?

They are listing a somewhat simpler procedure now, I can try...

It was too late when I realized it, I could not trace it back to the site, sorry.

10-24-2011, 05:10 PM

OP if you are using Safari, have you deselected the 'Open safe files' option in Safari > Preferences > General?

10-24-2011, 05:18 PM

Quote:

Originally Posted by harryb2448

OP if you are using Safari, have you deselected the 'Open safe files' option in Safari > Preferences > General?

I do use Safari as web browser AND that option IS checked

10-24-2011, 05:33 PM

It's getting complicated. I need to restore /usr/libexec/XProtectUpdater

I have a Time Machine disk, but how can I restore an invisible file ???????

10-24-2011, 07:17 PM

Uncheck that option asap!

10-25-2011, 07:31 AM

Quote:

Originally Posted by harryb2448

Uncheck that option asap!

Unchecked, now.

10-25-2011, 08:43 AM

Quote:

Originally Posted by Fisico60

Hello,

the other day, sitting at my Mac, a window popped up asking me to update Adobe Flash Player. I downloaded the file and run the installer, everything was looking like a REAL Flash updater, but.....

Actually it was not a Flash update, it was a trojan horse infecting my Mac. It is called flashback.C and I found good info about it at This Page

1) IMPORTANT Do not update Adobe Flash because of a pop-up window IMPORTANT
2)Does anybody knows a simple disinfection procedure? What is reported in the above page is too technical for me.

Thanks

Fisico60

Hi, how did you know it was flashback.C ?

10-27-2011, 06:49 PM

Quote:

Originally Posted by pendlewitch

Hi, how did you know it was flashback.C ?

Actually, it was not! Because of your question I started thinking about it and:
1) I checked the date and time of the "suspected" installer file against the latest one from adobe.com and they match
2) flashback.C inserts the following line into: "/Applications/Safari.app/Contents/Info.plist":

<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

So, I tried to remember some unix, opened "terminal" and searched through Info.plist and I did not find any recurrence of "LSE" or "DYLD_INSERT_LIBRARIES"

HAPPILY!
---------------

I am sorry with the community for this false alarm and thankful to pendlewitch for his question.

I just happened to download what now seems a legitimate Flash update, then read the day after about a trojan inserted in a fake Flash update.

Sorry again,

Fisico60

10-28-2011, 02:50 AM

Quote:

Originally Posted by Fisico60

Actually, it was not! Because of your question I started thinking about it and:
1) I checked the date and time of the "suspected" installer file against the latest one from adobe.com and they match
2) flashback.C inserts the following line into: "/Applications/Safari.app/Contents/Info.plist":

<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

So, I tried to remember some unix, opened "terminal" and searched through Info.plist and I did not find any recurrence of "LSE" or "DYLD_INSERT_LIBRARIES"

HAPPILY!
---------------

I am sorry with the community for this false alarm and thankful to pendlewitch for his question.

I just happened to download what now seems a legitimate Flash update, then read the day after about a trojan inserted in a fake Flash update.

Sorry again,

Fisico60

Not a problem Fisico60, I guess all I wanted was a simple way of finding out as to whether I have it or not, because I too have just done a Flash Player update just like you.
I'm still not sure TBH as to how I can check the preference list because Lion appears to have removed the Library folder from my Home folder and I don't use Terminal.
Perhaps we should only use the Adobe site manually for updates.

10-28-2011, 05:12 PM

To install the genuine Flashback Player update, it is necessary to download the software from Adiobe. The trojan, from published information, just pops up and requests install with no downloads involved. That would be the key.