Security firm Intego is warning about new variants of an “insidious” Trojan that aims to steal information that can exploit user identity details from Mac users.
How Flashback Mac Trojan infects Macs
Methods of infections depend on the version of the Flashback.
The previous version of malware has several methods of infection, and aims at users who do not have a Flash Player installed, by mimicking a Flash Player installation request. When users click on the link from malicious websites, the Trojan will attempt an installation on user’s computer. A new variant of this Trojan can damage user’s system:
- Flashback first tries to install itself using one of two Java vulnerabilities. If this is successful, users will be infected with no intervention.
- If these vulnerabilities are not available – if the Macs have Java up to date – then it attempts a third method of installation, trying to fool users through a social engineering trick. The applet displays a self-signed certificate, claiming to be issued by Apple. Most users would make assumption it is one of Apple’s updates and click on Continue, allowing the trojan installation to continue.
If Trojan installation is successful, it will deactivate some network security software, and then destroy the installation package itself. The malware then may inject code into applications the user launches.
The latest version no longer poses an installer, but rather self-installs without user intervention, exploiting computers where Java is not up to date. If Java is up to date, user will only see the certificate alert prompting to continue, without asking for a password. In the latest version, with up-to-date Java users do not have to launch any other software to allow the installation to take place, and that makes this version of Flashback much sneakier then before. The initial code gets installed on a Mac and then downloads more code from a remote server. After that it destroys the original.
How this malware affects user’s computer
In a nutshell, Flashback Mac Trojan is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications. It then patches web browsers and network applications to search for usernames and passwords. It looks for a certain of domain names such as Google or Yahoo!, financial institutions (bank) websites; e-commerce domains, such as PayPal; and many others that can affect user identity, where usernames and passwords can immediately exploited to benefit the malicious user.
There may be several computer virus symptoms that can alert you to the issue. One of the main symptoms is certain applications crashing, most notably Safari and Skype ( the injected code makes them unstable).
So, what can you do to protect yourself?
First, do not compromise your computer – practice your computer and user identity safety. Make sure your software is up-to day, – in respect to this particular Trojan, pay attention to the Java updates. And always make sure you run your software updates from your computer – not from 3rd party websites that offer downloads – no matter how legitimate-looking they are. For example, to update your Java, run Software Update, do it from the Apple menu. (If update is not available, you have the latest version of Java).
If you need help with your computer network – give us a call. If your business located in New Jersey, we can schedule a visit.