Dupes users with fake Apple certificate

A new variant of the Flashback Trojan is infecting Macs, says security firm Intego. Dubbed Flashback.G, the malware is reported to use three different methods to try and infect a Mac. The first two involve Java vulnerabilities, which are stopped if a computer's Java installation is up to date. If a system has an outdated version of Java however, the Trojan may be able to install itself without a chance to intervene.

If the Java techniques fail the Trojan then pops up an applet, asking users if they want to allow "content signed by 'Apple Inc.'" to have access to their machine. In reality the certificate is self-signed by the Trojan's creators, and clicking "Continue" will install the malware. Intego notes that the Trojan will actually avoid installation if it detects antivirus software, presumably in order to avoid drawing attention to itself.

Once on a Mac the malware is said to infect web browsers and other network applications, like Skype, monitoring for domains such as Google, Yahoo, PayPal, and bank websites. Intego suggests that the code is built to exploit person's usernames and passwords wherever possible. Because Flashback.G actually interferes with an app's code, one sign of its presence is that apps will crash.

Intego also comments that most reported cases are linked to Macs running OS X Snow Leopard, as that operating system has Java pre-installed, while Lion doesn't. Simply using Software Update in Snow Leopard should be enough to make sure a computer is protected. The major threat is people being deceived by the fake certificate, although unlike many Mac Trojans, a person doesn't have to intentionally download a file to put their computer at risk. The malware can be manually removed by deleting a Java applet from OS X 's ~/Library/Caches directory.

by MacNN Staff