Flashback.C trojan infected my system - false alarm

Hello,

the other day, sitting at my Mac, a window popped up asking me to update Adobe Flash Player. I downloaded the file and ran the installer, everything was looking like a REAL Flash updater, but.....

Actually it was not a Flash update, it was a trojan horse infecting my Mac. It is called flashback.C and I found good info about it at This Page

1) IMPORTANT Do not update Adobe Flash because of a pop-up window IMPORTANT
2) Does anybody know a simple disinfection procedure? What is reported in the above page is too technical for me.

Thanks

Fisico60
 
I don't think I could come up with a simpler procedure than what they list. Maybe someone will come up with a corrective script.

What site were you visiting when the popup occurred?
 
OP
They are listing a somewhat simpler procedure now, I can try...

It was too late when I realized it, I could not trace it back to the site, sorry.
 
OP if you are using Safari, have you deselected the 'Open safe files' option in Safari > Preferences > General?
 
OP
It's getting complicated. I need to restore /usr/libexec/XProtectUpdater

I have a Time Machine disk, but how can I restore an invisible file ???????
 
Uncheck that option asap!
 
Hi, how did you know it was flashback.C ?
 
OP
:Oops: Actually, it was not! Because of your question I started thinking about it and:
1) I checked the date and time of the "suspected" installer file against the latest one from adobe.com and they match
2) flashback.C inserts the following line into: "/Applications/Safari.app/Contents/Info.plist":

<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/%payload_filename%</string></dict>

So, I tried to remember some Unix, opened "Terminal" and searched through Info.plist and I did not find any occurrence of "LSE" or "DYLD_INSERT_LIBRARIES"

HAPPILY!
---------------

I apologize to the community for this false alarm and am thankful to pendlewitch for his question.

I just happened to download what now seems a legitimate Flash update, then read the day after about a trojan inserted in a fake Flash update.

Sorry again,

Fisico60
 
Not a problem Fisico60, I guess all I wanted was a simple way of finding out as to whether I have it or not, because I too have just done a Flash Player update just like you.
I'm still not sure TBH as to how I can check the preference list because Lion appears to have removed the Library folder from my Home folder and I don't use Terminal.
Perhaps we should only use the Adobe site manually for updates.
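
The check discussed in the posts above (looking for an LSEnvironment entry that sets DYLD_INSERT_LIBRARIES in Safari's Info.plist), as an added example that is not part of the original thread: a Python script that parses the plist rather than searching it as text. The two sample plists and the name payload.dylib are constructed for illustration, and the function names are chosen here.

```python
import plistlib
import sys

# Constructed sample: an Info.plist carrying the entry quoted in the thread.
# "payload.dylib" is a made-up stand-in for %payload_filename%.
INFECTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Applications/Safari.app/Contents/Resources/payload.dylib</string></dict>
</dict></plist>"""

# Constructed sample: the same file without the injected entry.
CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""


def injected_libraries(plist_bytes):
    """Return the library paths LSEnvironment asks dyld to insert, or []."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    # dyld treats the value as a colon-separated list of libraries.
    return [p for p in str(value).split(":") if p]


def check_bundle(app_path):
    """Read <app>/Contents/Info.plist and report any inserted libraries."""
    with open(f"{app_path}/Contents/Info.plist", "rb") as fh:
        return injected_libraries(fh.read())


if __name__ == "__main__":
    app = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app"
    try:
        hits = check_bundle(app)
    except (OSError, plistlib.InvalidFileException) as err:
        sys.exit(f"could not read {app}: {err}")
    if hits:
        print("DYLD_INSERT_LIBRARIES is set in LSEnvironment:")
        for path in hits:
            print("  ", path)
    else:
        print("No DYLD_INSERT_LIBRARIES entry in", app)
```

An empty result only shows that this one Info.plist modification is absent from the bundle that was checked.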
 
To install the genuine Flashback Player update, it is necessary to download the software from Adobe. The trojan, from published information, just pops up and requests install with no downloads involved. That would be the key.
 
