Intego (http://www.integro.com) says it has discovered a new Trojan horse, Flashback, which masquerades as a Flash Player installer.
This Trojan horse has been found in the wild and exhibits some disturbing behavior, according to Intego. Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X 10.7 (“Lion”) doesn’t include Flash Player, some users may be fooled, says Intego.
“If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software, and, after installation, will delete the installation package itself,” the security company adds. “The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected.”
Intego says that, for protection:
° Users shouldn’t download a Flash Player installer from any site other than adobe.com.
° Next, it is advisable, for those who use Safari as their web browser, to uncheck Open “safe” files after downloading in the program’s General preferences. This will prevent installer packages — whether real or malicious — from launching automatically.
° Finally, if an installer claiming to be a Flash Player installer appears, users should be very careful to ensure that they did, indeed, download it from Adobe’s web site. If not, they should quit the installer.
Intego says its VirusBarrier X6’s real-time scanner will detect the file when it is downloaded, and its Anti-Spyware protection will block any connections.
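A defender-side check for the artifacts described above, as an added example that is not from Intego or the original article. The function names are hypothetical, and the `~/.MacOSX/environment.plist` / `DYLD_INSERT_LIBRARIES` check is an assumption about where per-user dyld injection is configured, since the article does not say; `AutoOpenSafeDownloads` is the Safari preference key behind the Open “safe” files checkbox.

```shell
#!/bin/sh
# Added example: look in one user's home directory for the Flashback artifact
# named in the article. Prints each finding; returns 1 if anything is found.
flashback_check() {
    home=${1:-$HOME}
    found=0

    # Indicator stated in the article: the injected dyld library.
    dylib="$home/Library/Preferences/Preferences.dylib"
    if [ -e "$dylib" ]; then
        echo "FOUND: $dylib"
        found=1
    fi

    # Assumption (not from the article): per-user dyld injection on Mac OS X
    # of this era is commonly configured via DYLD_INSERT_LIBRARIES in
    # ~/.MacOSX/environment.plist. grep -a also copes with binary plists.
    envplist="$home/.MacOSX/environment.plist"
    if [ -f "$envplist" ] && grep -aq 'DYLD_INSERT_LIBRARIES' "$envplist"; then
        echo "FOUND: DYLD_INSERT_LIBRARIES set in $envplist"
        found=1
    fi

    return "$found"
}

# Is Safari's Open "safe" files after downloading still enabled?
# Returns 0 if enabled, 1 if disabled, 2 if `defaults` is unavailable (not macOS).
safari_autoopen_enabled() {
    command -v defaults >/dev/null 2>&1 || return 2
    # An unset key means the setting is at Safari's default, which is on.
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || value=1
    [ "$value" != "0" ]
}

# Usage: sh flashback_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    flashback_check "$HOME" && echo "No Flashback artifacts found in $HOME"
    safari_autoopen_enabled && echo 'Safari: Open "safe" files after downloading is ON'
fi
```

To turn the Safari setting off from Terminal instead of the General preferences pane, `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` sets the same key.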