updated 06:35 pm EDT, Wed October 12, 2011
Users should be wary of any Flash update
Another malware installer for OS X has appeared, this time a variation on one spotted several weeks ago that masquerades as an installer for Adobe Flash, with the ultimate goal of stealing personal information from browsers and sending it to remote servers. While the latest version has several dead giveaways for savvy users, non-technical Mac users should be wary of any Adobe Flash "updater" they did not personally download from Adobe's own servers.
CNet reports that the new threat behaves like a standard Mac OS X installer package and offers to install Adobe Flash, but in fact Adobe's actual Flash installers do not use the standard Mac OS X installer. Users have to give their administrative password to install the malware, and this is where users should pause and verify that this update was downloaded deliberately by them, and came from a reputable Mac download site or Adobe's own website.
If the latest version of the Trojan (called OSX/Flashback.B by security company F-Secure) is successfully installed, it contacts a remote server and tries to inject code into either Safari or Firefox. By necessity, the program will have to quit and then re-launch the browser(s) when doing this, providing another clue to alert users that something is amiss. It is believed that the purpose of the injected code and remote server connection is to monitor and send personal information (such as login information or banking data) to the remote server.
Users who are comfortable in Terminal can easily detect the presence of the Trojan, though by their nature they would be unlikely to have installed it in the first place. A pair of simple commands (see illustration below) to read the contents of the Safari or Firefox application packages and detect the presence of a file called LSEnvironment quickly reveals if the browser has been compromised. A "does not exist" error will be returned if the browser is unaffected. Removal of the payload is a simple matter of uninstalling and re-downloading fresh copies of either browser.
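The check described above, written out as a small shell script. This is an added example, not the commands from the article's illustration or anything published by F-Secure, Apple or Adobe: it looks for an LSEnvironment key in a browser's Info.plist and reports the result through its exit status. On a real Mac the same question is answered by running `defaults read` against the browser's Contents/Info plist with LSEnvironment as the key, which prints a "does not exist" error when the key is absent; the script below instead greps an XML plist so it can run anywhere, and it assumes the plist is in XML form (a binary plist would first need `plutil -convert xml1`). The two sample plists, the application path and the EXAMPLE_VAR entry are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not the article's or any vendor's code).
# Reports whether an XML Info.plist carries an LSEnvironment key, which a
# stock Safari or Firefox bundle does not have.
#
# Exit status: 0 = clean, 1 = LSEnvironment present, 2 = file unreadable.
check_lsenvironment() {
    plist="$1"
    if [ ! -r "$plist" ]; then
        echo "cannot read $plist" >&2
        return 2
    fi
    # Assumes an XML plist; convert a binary one with plutil first on macOS.
    if grep -q '<key>LSEnvironment</key>' "$plist"; then
        echo "LSEnvironment present in $plist (browser may be compromised)"
        return 1
    fi
    echo "no LSEnvironment in $plist (clean)"
    return 0
}

# Constructed sample plists standing in for a browser's Contents/Info.plist.
# On a real system you would point the function at e.g.
# /Applications/Safari.app/Contents/Info.plist (path assumed, not from the page).
tmpdir=$(mktemp -d)
clean_plist="$tmpdir/clean-Info.plist"
tainted_plist="$tmpdir/tainted-Info.plist"

cat > "$clean_plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
</dict>
</plist>
EOF

# Same bundle with a constructed LSEnvironment dictionary injected.
cat > "$tainted_plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.browser</string>
    <key>LSEnvironment</key>
    <dict>
        <key>EXAMPLE_VAR</key>
        <string>/tmp/constructed-example-value</string>
    </dict>
</dict>
</plist>
EOF

# Check both samples; "|| :" keeps the loop going after a positive result.
for p in "$clean_plist" "$tainted_plist"; do
    check_lsenvironment "$p" || :
done

rm -rf "$tmpdir"
```

Running it prints one line per plist: the clean sample is reported as clean and the tainted sample as carrying LSEnvironment. The exit status makes the function usable from a larger script or a cron job that rechecks the installed browsers after every update.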
Users who have installed the outgoing firewall Little Snitch on their machines will never see the threat, as the malware detects the presence of the program and quits and deletes itself if found. The action is presumably an attempt to prevent programs like Little Snitch from alerting users to the malware's presence and also to keep it from revealing the location of the remote server where the personal data would have been sent.
The threat of this latest Trojan is still considered minimal, as users would need to deliberately download it and install it, giving their administrative passwords. However, users who are prone to install software without understanding what they are installing should be warned that Adobe Flash software should only be downloaded or installed if it has been deliberately obtained from the Adobe website or a reputable Mac download site.
Intego says it has already adjusted its own anti-malware software to account for the new variation, and Apple will likely update its own definitions with another "silent" update in the near future to prevent the Trojan from even getting started. [via CNet]
[Illustration: The genuine Adobe Flash installer]
[Illustration: Terminal commands that show no presence of the Trojan]