Mac Trojan malware masquerades as flash player update

A new Trojan malware is targeting computers running Apple Inc.’s Mac OS X, masquerading as an update to Adobe’s Flash software and fooling users into installing it. Mac security firm Intego said the malware, which it identified as OSX/flashback.A, exploits default settings on OS X’s built-in browser Safari to automatically download and install. “Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch," it said in a blog post. It noted the Safari browser considers installer packages, with .pkg or .mpkg extensions, to be “safe" files and will by default launch them after download. Once launched, the installer will deactivate some network security software – specifically “Little Snitch" - but Intego said it has no effect on its “Intego VirusBarrier X6" product. The Trojan will then delete the installation package itself, and install a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. “This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected," Intego said. Intego advised Mac users not to download a Flash Player installer from any site other than adobe.com. Mac OS X Lion does not include Flash Player, but users who wish to install this software should visit Adobe’s website: http://www.adobe.com/products/flashplayer/, it said. Also, it advised Mac users who use Safari as their web browser, to uncheck Open “safe" files after downloading in the program’s General preferences. This will prevent installer packages—whether real or malicious—from launching automatically, it said. “Finally, if an installer claiming to be a Flash Player installer appears, users should be very careful to ensure that they did, indeed, download it from Adobe’s web site. If not, they should quit the installer," it said. Another security firm, Sophos, said its free anti-virus for Mac home users detects the Flashback malware as OSX/FlshPlyr-A. Sophos also warned it is easy to imagine how cybercriminals could trick Mac users into infecting their computers with this malware. “For instance, it would be child’s play to create a website which pretends to show something salacious ... and then when you try to view it, you’re prompted to install an update to Adobe Flash. Of course, rather than the genuine Flash you would be installing the Trojan horse," it said. — LBG, GMA News