  1. #1
    Flashback.C trojan infected my system - false alarm

    Member Since
    Oct 13, 2011
    Posts
    10
    Hello,

    The other day, sitting at my Mac, a window popped up asking me to update Adobe Flash Player. I downloaded the file and ran the installer, everything was looking like a REAL Flash updater, but.....

    Actually it was not a Flash update, it was a trojan horse infecting my Mac. It is called flashback.C and I found good info about it at This Page

    1) IMPORTANT Do not update Adobe Flash because of a pop-up window IMPORTANT
    2) Does anybody know a simple disinfection procedure? What is reported in the above page is too technical for me.

    Thanks

    Fisico60

  2. #2

    Member Since
    Dec 11, 2010
    Posts
    1,350
    I don't think I could come up with a simpler procedure than what they list. Maybe someone will come up with a corrective script.

    What site were you visiting when the popup occurred?

  3. #3

    Member Since
    Oct 13, 2011
    Posts
    10
    Quote Originally Posted by gsahli View Post
    I don't think I could come up with a simpler procedure than what they list. Maybe someone will come up with a corrective script.

    What site were you visiting when the popup occurred?
    They are listing a somewhat simpler procedure now, I can try...

    It was too late when I realized it, I could not trace it back to the site, sorry.

  4. #4
    harryb2448's Avatar
    Member Since
    Nov 28, 2007
    Location
    Nambucca Heads Australia
    Posts
    20,004
    Specs:
    iMac i5 2.7GHz, 16GB memory, OS 10.10.5
    OP if you are using Safari, have you deselected the 'Open safe files' option in Safari > Preferences > General?
    Hang on to those original install discs like grim death! Using OS X.7 or later make a bootable USB thumb drive before running Installer!

  5. #5

    Member Since
    Oct 13, 2011
    Posts
    10
    Quote Originally Posted by harryb2448 View Post
    OP if you are using Safari, have you deselected the 'Open safe files' option in Safari > Preferences > General?
    I do use Safari as web browser AND that option IS checked

  6. #6

    Member Since
    Oct 13, 2011
    Posts
    10
    It's getting complicated. I need to restore /usr/libexec/XProtectUpdater

    I have a Time Machine disk, but how can I restore an invisible file ???????

  7. #7
    harryb2448's Avatar
    Member Since
    Nov 28, 2007
    Location
    Nambucca Heads Australia
    Posts
    20,004
    Specs:
    iMac i5 2.7GHz, 16GB memory, OS 10.10.5
    Uncheck that option asap!

  8. #8

    Member Since
    Oct 13, 2011
    Posts
    10
    Quote Originally Posted by harryb2448 View Post
    Uncheck that option asap!
    Unchecked, now.

  9. #9

    Member Since
    Sep 10, 2011
    Location
    Nelson,UK
    Posts
    1,733
    Specs:
    iMac 27" Mid 2010, 3.2GHz Intel Core i3,12GB 1333 MHz DDR3, ATI Radeon HD5670 512MB, Yose 10.10.5
    Quote Originally Posted by Fisico60 View Post
    Hello,

    The other day, sitting at my Mac, a window popped up asking me to update Adobe Flash Player. I downloaded the file and ran the installer, everything was looking like a REAL Flash updater, but.....

    Actually it was not a Flash update, it was a trojan horse infecting my Mac. It is called flashback.C and I found good info about it at This Page

    1) IMPORTANT Do not update Adobe Flash because of a pop-up window IMPORTANT
    2) Does anybody know a simple disinfection procedure? What is reported in the above page is too technical for me.

    Thanks

    Fisico60
    Hi, how did you know it was flashback.C ?
    iMac 27-inch Mid 2010 (wow....that old...eeeks!), WD My Book 1TB Firewire,WD My Passport Air 500GB, Magic Mouse,Magic Trackpad,
    iPhone 5C, iPod Nano 4GB 3rd Gen, ATV2.
    MOTM October 2012. These days normally happy with an occasional grumble.

  10. #10

    Member Since
    Oct 13, 2011
    Posts
    10
    Quote Originally Posted by pendlewitch View Post
    Hi, how did you know it was flashback.C ?
    Actually, it was not! Because of your question I started thinking about it and:
    1) I checked the date and time of the "suspected" installer file against the latest one from adobe.com and they match
    2) flashback.C inserts the following line into: "/Applications/Safari.app/Contents/Info.plist":

    <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

    So, I tried to remember some unix, opened "terminal" and searched through Info.plist and I did not find any recurrence of "LSE" or "DYLD_INSERT_LIBRARIES"

    HAPPILY!
    ---------------

    I am sorry with the community for this false alarm and thankful to pendlewitch for his question.

    I just happened to download what now seems a legitimate Flash update, then read the day after about a trojan inserted in a fake Flash update.

    Sorry again,

    Fisico60
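
The check described in post #10, as an added example that is not part of the original thread: it parses Info.plist instead of searching the text, so it also handles binary plists and returns the library path if one is set. The two sample plists and the `payload.example` filename are constructed for illustration.

```python
import plistlib

# Constructed sample inputs (not taken from a real system).
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

# Same structure the post quotes; "payload.example" is a placeholder filename.
MODIFIED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/payload.example</string></dict>
</dict></plist>"""


def injected_libraries(plist_bytes):
    """Return the paths listed under LSEnvironment/DYLD_INSERT_LIBRARIES.

    An empty list means the key is absent. plistlib.loads accepts both XML
    and binary plists, so this works where a plain text search would not.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES")
    if not isinstance(value, str) or not value:
        return []
    # dyld treats the variable as a colon-separated list of library paths.
    return [p for p in value.split(":") if p]


def check_file(path):
    """Read an Info.plist from disk and return any injected library paths."""
    with open(path, "rb") as fh:
        return injected_libraries(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /Applications/Safari.app/Contents/Info.plist
        print(check_file(sys.argv[1]) or "DYLD_INSERT_LIBRARIES not present")
    else:  # no path given: run on the constructed samples
        print(injected_libraries(CLEAN_PLIST), injected_libraries(MODIFIED_PLIST))
```

An empty result only says this one Info.plist carries no `DYLD_INSERT_LIBRARIES` entry; it is the single indicator quoted in the thread, not a full scan.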

  11. #11

    Member Since
    Sep 10, 2011
    Location
    Nelson,UK
    Posts
    1,733
    Specs:
    iMac 27" Mid 2010, 3.2GHz Intel Core i3,12GB 1333 MHz DDR3, ATI Radeon HD5670 512MB, Yose 10.10.5
    Quote Originally Posted by Fisico60 View Post
    Actually, it was not! Because of your question I started thinking about it and:
    1) I checked the date and time of the "suspected" installer file against the latest one from adobe.com and they match
    2) flashback.C inserts the following line into: "/Applications/Safari.app/Contents/Info.plist":

    <key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

    So, I tried to remember some unix, opened "terminal" and searched through Info.plist and I did not find any recurrence of "LSE" or "DYLD_INSERT_LIBRARIES"

    HAPPILY!
    ---------------

    I am sorry with the community for this false alarm and thankful to pendlewitch for his question.

    I just happened to download what now seems a legitimate Flash update, then read the day after about a trojan inserted in a fake Flash update.

    Sorry again,

    Fisico60
    Not a problem Fisico60, I guess all I wanted was a simple way of finding out as to whether I have it or not, because I too have just done a Flash Player update just like you.
    I'm still not sure TBH as to how I can check the preference list because Lion appears to have removed the Library folder from my Home folder and I don't use Terminal.
    Perhaps we should only use the Adobe site manually for updates.

  12. #12
    harryb2448's Avatar
    Member Since
    Nov 28, 2007
    Location
    Nambucca Heads Australia
    Posts
    20,004
    Specs:
    iMac i5 2.7GHz, 16GB memory, OS 10.10.5
    To install the genuine Flashback Player update, it is necessary to download the software from Adobe. The trojan, from published information, just pops up and requests install with no downloads involved. That would be the key.
