New MacBook Pros are here! Get the lowest prices anywhere: Apple Price Guides updated Sept 17th (exclusive coupons)
 


Tuesday, September 27, 2011, 07:59 am PT (10:59 am ET)

New Mac OS X Trojan disguises itself as Adobe Flash installer

A new Mac OS X Trojan Horse called "Flashback" attempts to trick users into installing it by appearing as Adobe's Flash Player installer package.

The Trojan Horse, discovered by security firm Intego, has been found on malicious web sites that invite users to install the phony Flash Player, telling them it is required to access certain content. Since Mac OS X Lion doesn’t come with Flash preinstalled, users must manually install it. Intego categorized the threat from Flashback as "low."

The new malware is said to specifically target Lion, and replicates the look and feel of the real Flash installer. It includes design elements and logos that could convince some users it is the actual official software from Adobe.

Once the Trojan is installed on the system, it will delete the installer package and deactivate some network security software. The code used by Flashback can be injected in certain applications run on the computer and the Trojan can connect to remote servers in order to send specific information about the infected computer — including its MAC address, which is a unique identifier for every machine.

Lion users can protect themselves by downloading the official Flash Player installation player from Adobe. Users should also check the origin of any file claiming to be a Flash Player installer.

Users should also uncheck the "Open 'safe' files after downloading" option in Apple's Safari browser under General Preferences. This will help ensure that the Flashback installer is not automatically run if downloaded.

Flashback


Users can also manually check to see whether they were infected by looking for the file "~/Library/Preferences/Preferences.dylib" on their Mac.

Apple has already distributed a malware definition update to block another Trojan horse, “Trojan-Dropper:OSX/Revir.A,” described late last week as a malicious program posing as a PDF download.