Flashback Trojan Using Multi-Pronged Attack

A Mac Trojan that appears to build on lessons learned from earlier variants is now attacking users in three ways. The Flashback.G Trojan targets two holes in Java and installs itself without any user interaction if the latest version of Java is not installed. If neither hole is available, it falls back to social engineering: it presents a fake certificate that claims to be signed by "Apple, Inc." to persuade the user to allow the installation. Once running, the Trojan places a number of hidden files in /Users/Shared with the file extension .so. If you find these files on your machine, it is likely that your machine is infected.

You can check for this by starting the Terminal program and running the following commands:

  • cd /Users/Shared
  • ls -al

Look for any dot (.) file, that is, any hidden file whose name starts with a period, that has an extension of .so. The Trojan also writes a .plist file at:

~/.MacOSX/environment.plist

Log files from the malware are stored at:

~/Library/Logs/vmLog

To delete the Java applet that installed the Trojan, go to ~/Library/Caches and search for it (the Java cache may be nested in subdirectories, so look inside those as well):

  • cd ~/Library/Caches
  • ls -al *.jar
  • ls -al *.class
  • rm name_of_file.jar (or rm name_of_file.class)

Removing the cached applet only removes the installer. The hidden .so files in /Users/Shared, the ~/.MacOSX/environment.plist file and the ~/Library/Logs/vmLog file listed above should be removed as well; otherwise the files the Trojan has already dropped remain on the machine.
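The detection steps above (hidden .so files in /Users/Shared, the environment.plist, the vmLog file) and the cached-applet search can be wrapped in one read-only shell check. The script below is an added example and is not from the original post or from Intego; the function names, the parameterised directories (so the check can be run against a mounted disk image or a test fixture) and the extra DYLD_INSERT_LIBRARIES grep are assumptions. The post only says the plist is written; the grep reflects that ~/.MacOSX/environment.plist is the per-user file macOS reads to set environment variables, and DYLD_INSERT_LIBRARIES is how an environment variable can force a library into launched applications.

```shell
#!/bin/sh
# Added example (not part of the original post): read-only check for the
# Flashback.G artifacts described in the article. Nothing is deleted.
#
# On a live Mac:   flashback_indicators /Users/Shared "$HOME"
#                  flashback_cached_applets "$HOME"

# Print one line per indicator found under SHARED_DIR ($1) and HOME_DIR ($2).
flashback_indicators() {
    shared=$1
    home=$2

    # 1. Hidden (dot) files ending in .so dropped into the shared directory.
    #    The [ -e ] guard skips the unexpanded pattern when nothing matches.
    for f in "$shared"/.*.so; do
        [ -e "$f" ] || continue
        printf 'hidden .so in shared dir: %s\n' "$f"
    done

    # 2. The per-user environment.plist. Assumption (not stated in the post):
    #    the Trojan uses it to set DYLD_INSERT_LIBRARIES so its .so is loaded
    #    into applications, so a plist that sets that variable is flagged
    #    more strongly than a plist that merely exists.
    plist="$home/.MacOSX/environment.plist"
    if [ -f "$plist" ]; then
        if grep -q 'DYLD_INSERT_LIBRARIES' "$plist" 2>/dev/null; then
            printf 'environment.plist sets DYLD_INSERT_LIBRARIES: %s\n' "$plist"
        else
            printf 'environment.plist present: %s\n' "$plist"
        fi
    fi

    # 3. The malware's own log file.
    log="$home/Library/Logs/vmLog"
    [ -f "$log" ] && printf 'malware log present: %s\n' "$log"
    return 0
}

# Number of indicator lines; 0 means none of the listed artifacts were found.
flashback_count() {
    flashback_indicators "$1" "$2" | grep -c . || true
}

# List cached Java applets (.jar / .class) under HOME_DIR/Library/Caches for
# manual review. Legitimate applets are cached there too, so this is a list of
# candidates to inspect before any rm, not a verdict.
flashback_cached_applets() {
    cache="$1/Library/Caches"
    [ -d "$cache" ] || return 0
    find "$cache" -type f \( -name '*.jar' -o -name '*.class' \)
}
```

Run it as a normal user; it needs no privileges because every path it inspects is world-readable or inside your own home directory. An empty output from flashback_indicators means none of the three artifacts is present, which is evidence against this particular variant but not a general clean bill of health.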

Besides these system checks, the Trojan can update itself. It appears to target Mac OS X 10.6 primarily, since machines still on 10.6 are more likely to have the Java holes needed for automatic installation.

One interesting aspect of the Trojan is that it will not install on machines that have any of the major anti-virus applications installed, presumably to keep the Trojan from being detected by those products.

You can read more about this particular Trojan on the Intego blog at:
http://blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/
