OSX_FLASHBCK.A

 Analysis by: Sabrina Lei Sioting

 ALIASES:

OSX/Flshplyr-A (Sophos); OSX.Flashback (Symantec); Trojan-Downloader:OSX/Flashback.C (F-Secure)

 PLATFORM:

Mac OS X 10.5 and later

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan poses as a Flash Player installer. It requires an administrator password before it continues the installation.

It connects to a link to download additional installation and configuration files. However, as of this writing, the site is inaccessible.

It restarts any instances of Safari.

It disables XProtect, the anti-malware system built into recent releases of Mac OS X. It unloads the XProtectUpdater daemon, then modifies the daemon's files by deleting their contents.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

147,614 bytes

File Type:

Other

Initial Samples Received Date:

20 Oct 2011

Payload:

Downloads files

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be downloaded from the following remote sites:

  • http://{BLOCKED}pdatemanager.org/FlashPlayer-11-4-macos.zip
  • http://{BLOCKED}pdatemanager.org/flashplugin/4ff

NOTES:

This malware poses as a Flash Player installer:

It requires an administrator password before it continues the installation.

This malware checks if the following file is present on the system:

  • /Library/Little Snitch/lsd

Little Snitch is a firewall for outgoing Internet connections on Mac OS X.

If that file is present, the malware aborts the installation and deletes itself. Otherwise, it proceeds with its installation.

It connects to the following links to download additional installation and configuration files:

  • http://{BLOCKED}.43.31//counter/{hex}
  • http://{BLOCKED}.com/counter/{hex}

However, as of this writing, those sites are inaccessible.

It restarts any instances of Safari.

This malware disables XProtect, the anti-malware system built into recent releases of Mac OS X. It unloads the XProtectUpdater daemon, then modifies the following files by deleting their contents (the files remain present but are left empty):

  • /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
  • /usr/libexec/XProtectUpdater
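The following triage script is an added example; it is not part of this description and not Trend Micro's tooling. It checks a host for the two XProtectUpdater files this Trojan empties and for the Little Snitch file whose presence makes the sample abort its own installation. The optional root-prefix argument, the --live flag and the launchctl check are assumptions made for illustration so that the functions can be exercised against a staged directory tree; on a real Mac, run it as root with --live.

```shell
#!/bin/sh
# Added example (not Trend Micro's tooling): triage a Mac for the
# XProtectUpdater tampering and the Little Snitch check described above.
# The three paths are the ones the write-up names. The optional root
# prefix argument is an assumption made so the checks can be run against
# a staged directory tree instead of the live system.

XPROTECT_PLIST="/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
XPROTECT_BIN="/usr/libexec/XProtectUpdater"
LITTLE_SNITCH="/Library/Little Snitch/lsd"

# Classify one file: prints "intact", "emptied" (present but zero bytes,
# the state this Trojan leaves behind) or "missing".
classify_file() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ ! -s "$1" ]; then
        echo "emptied"
    else
        echo "intact"
    fi
}

# Report on the XProtectUpdater files under prefix $1 (default: live root).
# Returns 0 when both are intact, 1 when either looks tampered with.
check_xprotect() {
    root="${1:-}"
    tampered=0
    for f in "$XPROTECT_PLIST" "$XPROTECT_BIN"; do
        state=$(classify_file "$root$f")
        echo "$f: $state"
        [ "$state" = "intact" ] || tampered=1
    done
    # On the live system also confirm launchd still has the job loaded.
    # Needs root to see system daemons; skipped where launchctl is absent.
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        if launchctl list | grep -q 'com.apple.xprotectupdater'; then
            echo "launchd: com.apple.xprotectupdater is loaded"
        else
            echo "launchd: com.apple.xprotectupdater is NOT loaded"
            tampered=1
        fi
    fi
    return "$tampered"
}

# Little Snitch presence under prefix $1: this sample aborts and deletes
# itself when the file exists, so its absence means the host was a
# viable target. Returns 0 when present, 1 when absent.
check_little_snitch() {
    root="${1:-}"
    if [ -e "$root$LITTLE_SNITCH" ]; then
        echo "Little Snitch present: this sample would have aborted its install"
        return 0
    fi
    echo "Little Snitch absent: host was a viable target"
    return 1
}

# Assumed entry point: only touch the live system when asked to.
if [ "${1:-}" = "--live" ]; then
    check_xprotect
    check_little_snitch
fi
```

An "emptied" result (file present but zero bytes) matches the behaviour described above and distinguishes this tampering from a plain unload of the launchd job; in that state, reloading the job will not help and XProtectUpdater has to be reinstalled.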

  SOLUTION

Minimum Scan Engine:

9.200

VSAPI OPR PATTERN File:

8.891.00

VSAPI OPR PATTERN Date:

07 Apr 2012

NOTES:

  1. To restore the modified XProtectUpdater files, reinstall XProtectUpdater. The LaunchDaemon plist and the binary were emptied rather than merely unloaded, so reloading the launchd job alone will not repair them.
  2. Restart your machine.
  3. Scan your computer with your Trend Micro product to delete files detected as OSX_FLASHBCK.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.
