Flashback trojan targeting OS X shuns virtual machines

Underscoring the growing sophistication of Mac-based malware, a trojan preying on OS X users has adopted several stealth techniques since it was discovered last month. Updates to the Flashback trojan, which gets installed by disguising itself as an Adobe Flash update, now prevent the malware from running on Macs that use VMware …

COMMENTS

This topic is closed for new posts.
WTF?

Non-Admins on Mac Protected?

"...it plants a backdoor inside a more obscure folder associated with the Safari."

So does this still happen when the Mac user is a non-administrator?

0
0
Thumb Up

So you can make your Mac immune to this trojan by installing VMWare Fusion? Cool.

0
0
Bronze badge

Yeah but don'cha think that's a bit of a faff just to prevent one trojan?

0
0
WTF?

Did I miss something?

"Flashback developers have also rejiggered their code so that it no longer installs itself in an easy-to-spot subfolder off the OS X ~/Library location. Instead, it plants a backdoor inside a more obscure folder associated with the Safari. Deleting the files prevents the browser from working."

Thanks for telling us what the folder IS!

1
0
FAIL

Re: Did I miss something?

Shame they didn't give the essential info...

This version of the malware installs here:

/Applications/Safari.app/Contents/Resources/UnHackMeBuild

If it's there, you will need to delete the reference to it in

/Applications/Safari.app/Contents/Info.plist

otherwise Safari won't run.

0
0
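An added check for the removal step described in the post above (example code written for this page, not from the post or the article): it parses an Info.plist, reports every string value that references the UnHackMeBuild path, and returns a copy with those entries removed so the bundle no longer points at the dropped file. The sample plist is constructed, and planting the reference under LSEnvironment/DYLD_INSERT_LIBRARIES is an assumption for the demo, since the post does not name the key.

```python
import plistlib
from typing import Any, List

# Drop location named in the post above for this Flashback variant.
FLASHBACK_PATH = "/Applications/Safari.app/Contents/Resources/UnHackMeBuild"
NEEDLE = "UnHackMeBuild"

def find_references(plist_bytes: bytes, needle: str = NEEDLE) -> List[str]:
    """Key paths of every string value in the plist that mentions `needle`."""
    hits: List[str] = []
    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and needle in node:
            hits.append(path)
    walk(plistlib.loads(plist_bytes), "")
    return hits

def strip_references(plist_bytes: bytes, needle: str = NEEDLE) -> bytes:
    """The plist with every entry mentioning `needle` removed; a dict emptied
    by that removal is dropped as well, so no dangling container stays behind."""
    def prune(node: Any) -> Any:
        if isinstance(node, dict):
            kept = {k: prune(v) for k, v in node.items()}
            kept = {k: v for k, v in kept.items() if v is not None}
            return kept if kept or not node else None
        if isinstance(node, list):
            return [v for v in (prune(x) for x in node) if v is not None]
        if isinstance(node, str) and needle in node:
            return None
        return node
    return plistlib.dumps(prune(plistlib.loads(plist_bytes)) or {})

def top_level_keys(plist_bytes: bytes) -> List[str]:
    """Sorted top-level keys, for checking what a cleaned plist still carries."""
    return sorted(plistlib.loads(plist_bytes))

# Constructed sample Info.plist: a Safari-like bundle plist with the reference
# planted under LSEnvironment/DYLD_INSERT_LIBRARIES (an assumption for the demo).
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": FLASHBACK_PATH},
})
```

On a real system you would read the bytes from /Applications/Safari.app/Contents/Info.plist and review the reported key paths before writing anything back.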
Mushroom

Adobe Flash is becoming a menace and this article shows why.

Currently it seems every other day there is an update to an Adobe product.

It encourages users to adopt an "Oh yeah, Adobe update again, click, click, click..." behaviour to the point where it's just so easy for someone to sneak something malicious onto your computer using Adobe as a disguise.

Adobe needs to stop these constant updates, it's really unhelpful and is becoming a menace to computer security.

14
8
Bronze badge

I have absolutely no idea why you've been downvoted for that. Nothing more than the bare truth, in my view...

2
3
Facepalm

so u voice ur concern but fail to upvote...

So I downvote u on principle and give the upvote to the one u raised about...

there...

balance restored... can we have a yin/yang symbol please...hehe..

0
3
Facepalm

ADOBE employees!!

1
2
Trollface

Restoration of balance

Balance can only be restored when your Y and O keys work properly.

0
0
Anonymous Coward

Didn't downvote you

...but your post comes across to me as a bit of a hater post.

Flash is one of the most ubiquitous and commonly targeted pieces of software for exploit, and over the years has been the entry point for all sorts of exploits.

<sarcasm>

How dare they constantly patch their seemingly never-ending series of security holes! *shakes fist in air*

</sarcasm>

I don't necessarily like the way they update with the popups, but less frequent updates (given the rate of exploits found) would not be a good thing IMHO.

0
0

Anti-FUD?

"i have absolutely no idea why you've been downvoted for that. Nothing more than the bare truth, in my view..."

It's likely an anti-FUD maneuver by Adobe employees tired of being bashed for distributing such shoddy products.

0
0
Pirate

The beachhead....

On at least my Mac, if I try to execute anything of unknown provenance - for example from a download, attachment, ... or unarchived from such - it pops up a little nag window at me.

That doesn't put it to bed, since if you opened something whose handler had a peek inside and ran, say, a shell script, there is nothing you can do. I believe this is the vector of Office malware, for example. But, you install Office and the like, you take your chances. Does Adobe's software do something like this?

Are the Fine Researchers suggesting that this thing is able to spoof the provenance, thus run without warning? If so, that is quite something; if not, it's like blaming your car because you ignored the oil light.

This was the real trick in the endless array of stupid Windows tricks in the past. There were so many ways to get it to quietly execute blobs that the poor user didn't stand a chance.

1
0
Anonymous Coward

Easy

Installed VMware Fusion (check)

Uninstall Adobe Flash (check)

Add Adobe Flash to mental shit list (check)

3
4
Silver badge

Learn to read

This issue is not being caused by poor security in Flash, it's being caused by poor security in and stupid users of OS X.

3
0

It's arguably being caused by poor security in Flash in the sense that updates are released very frequently and in an extremely unstructured manner, making it both a habit to install Adobe updates all the time and also rather difficult to tell whether something is genuine or not (for example, if you go to a Flash-heavy site like YouTube with an old version of Flash installed then you'll be prompted within the Flash components on that site to install an update just by "clicking here"). How does that possibly help end users learn about good security habits?

0
0
Gimp

Title Optional

What about Parallels? Or is Fusion considered the only VM for Mac?

0
0
Alert

Running *in* VMware

Note, the check is to see if the malware is running *inside* a VMware VM - i.e. a virtual instance of OS X. Merely installing and perhaps running VMware Fusion won't help you.

4
0
Alert

solution

If all malware is known to have included code to not run in a VM (Windows & Mac) then surely it must be possible to put something in place to make it *look* like you are running a VM, even if you are not, and then malware won't run? Is that over-simplifying it?

E.g.: malware checks for a plist or a registry setting and won't run if it's there. Then just put it there even though it does nothing.

Would that work? Should I patent that?

0
0
Boffin

Not a good idea

"E.g.: malware checks for a plist or a registry setting and won't run if it's there. Then just put it there even though it does nothing.

Would that work? Should I patent that?"

Not a good idea. Quite a few desktop applications, games in particular, will also not run in such a case. Debuggers and VMs look a lot alike (nothing to do with the registry etc., this is about low-level hooks and interrupts), and some people just don't like their software dissected, for different reasons.

0
0

If you don't like Adobe products, don't use them.

"becoming a menace to computer security" PICNIC: problem in chair, not in computer.

0
1
Boffin

Does removing VMware Tools help?

I don't know how software can detect if it's running on a virtual machine or not. On the PC there are a few choices for virtualization and it'd be a pain to detect them all. Even Windows 7 virtualizes data areas as part of User Account Control.

One piece of trialware for Windows refuses to run on VMware guests: "Coupons.com detects VMware and refuses to install." http://www.benedelman.org/news/031808-1.html and I've always wondered how it detects whether it's running on a virtual machine. Looking for VMware Tools is the obvious solution, but one can run a VM without it.

0
0