Variant of Mac Flashback Malware Making the Rounds

Unless you have been living under a nondigital rock recently, you have probably heard of the Flashback Trojan, which attacks Macs. Around April 4 we saw reports of more than 500,000 infections by this malware. Further, McAfee Labs has recently come across a new variant making the rounds. This is no surprise: Whenever a piece of malware or attack is successful, we are bound to encounter copies and variations.

A key thing to remember is that this is a Trojan. Unlike viruses, Trojans do not self-replicate; they are spread manually, often under the guise of being beneficial or wanted software. The most common installation methods involve system or security exploitation and unsuspecting users manually executing unknown programs. Distribution channels often include email, malicious web pages, Internet Relay Chat (IRC), peer-to-peer networks, and other means. As of this writing, this Trojan targets vulnerable Java plug-ins affected by CVE-2012-0507. When a user visits a compromised page, that page often contains an iframe tag that redirects the user to another malicious page, where a malicious Java applet triggers the actual exploit.

OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless of whether the user enters the password, the malware attempts to infect the system; entering the password only changes the method of infection.
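Because the dropper only works when the Java plug-in is still exposed to CVE-2012-0507, the first thing a defender wants to know is whether a host's Java runtime predates the fix. The script below is an added example, not code from McAfee Labs or from the original post: it parses `java -version` style output and reports whether the runtime is at or above the fixed update level. The fix thresholds (Java SE 6 Update 31 and Java SE 7 Update 3, from Oracle's February 2012 Critical Patch Update) are assumed from that advisory; the post itself does not state them. The sample version strings are constructed for offline use.

```python
import re
import subprocess

# Minimum update level of each affected major version that includes Oracle's
# fix for CVE-2012-0507. Assumed from Oracle's February 2012 CPU; not stated
# in the post. Java 8 and later shipped after the fix; Java 5 and older never
# received one.
FIXED_UPDATE = {6: 31, 7: 3}

# Matches "1.6.0_29", "1.7.0_03" and also newer forms such as "11.0.2".
VERSION_RE = re.compile(r'(?:1\.)?(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, update) from `java -version` output, e.g.
    'java version "1.6.0_29"' -> (6, 29); None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(4) or 0)
    return major, update


def is_vulnerable_to_cve_2012_0507(text):
    """True if the reported runtime predates the fixed update level,
    False if it is patched, None if no Java runtime was reported at all."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None          # no Java found: nothing for the applet to exploit
    major, update = parsed
    if major >= 8:
        return False         # released after the fix
    if major not in FIXED_UPDATE:
        return True          # 1.5 and older: no fixed update exists
    return update < FIXED_UPDATE[major]


def local_java_version_text():
    """Run `java -version` on this host (it prints to stderr) and return the
    combined output, or '' if no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "patched_6": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment',
    "vulnerable_6": 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment',
    "vulnerable_7": 'java version "1.7.0_02"',
    "patched_7": 'java version "1.7.0_03"',
    "modern": 'openjdk version "11.0.2" 2019-01-15',
    "no_java": "java: command not found",
}

if __name__ == "__main__":
    for name, output in SAMPLES.items():
        print(f"{name:13} {parse_java_version(output)} "
              f"vulnerable={is_vulnerable_to_cve_2012_0507(output)}")
    print("this host:", is_vulnerable_to_cve_2012_0507(local_java_version_text()))
```

A `None` result means no Java runtime answered at all, which on a Mac of that era usually meant the plug-in had been removed or never installed; that is a different situation from "patched" and is reported separately so an inventory script does not silently count it as safe.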

The Trojan may arrive as the PKG file comadobefp.pkg, disguised as a Flash Player installer. It prompts the user for administrative rights. Once the malware package is successfully installed, it tries to contact its remote sites to download any necessary configuration files.

Another characteristic of this malware is that it checks whether a firewall is installed on the target system; if one is found, it removes its own installation. (Other versions of Flashback are delivered via the sinkhole exploit.)

Infected users unwittingly download a variety of fake-AV packages. To avoid that fate, make sure you are running the latest security software on an up-to-date system, use a browser plug-in to block the execution of scripts and iframes, and use safe-browsing add-ons that help you avoid unwanted or suspicious websites.
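The infection chain described earlier (a compromised page carrying an iframe that redirects to a second page, where a Java applet fires the exploit) is exactly what the script-and-iframe-blocking advice above is meant to interrupt. The scanner below is an added example, not code from McAfee Labs or the original post: it parses a fetched HTML page and flags iframes that point off-site, are sized 1x1 or smaller, or are hidden by style, plus any `applet`, `object` or `embed` tag that loads a Java applet. The two sample pages and the host names in them (`compromised.example`, `redirect.invalid`, `loader.jar`) are constructed for the example and are not indicators from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for a width/height attribute of 1px or less (a hidden-iframe trick)."""
    if value is None:
        return False
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class DriveByScanner(HTMLParser):
    """Collects iframes that redirect off-site or are hidden, and any tag
    that loads a Java applet. Findings are (tag, reference, [reasons])."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "applet":
            ref = a.get("archive") or a.get("code") or ""
            self.findings.append(("applet", ref, ["java applet tag"]))
        elif tag in ("object", "embed"):
            ref = a.get("archive") or a.get("data") or a.get("src") or ""
            if "java" in a.get("type", "").lower() or ref.lower().endswith(".jar"):
                self.findings.append((tag, ref, ["loads java applet"]))

    def _check_iframe(self, a):
        src = a.get("src", "")
        reasons = []
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("off-site src: " + host)
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append(("iframe", src, reasons))


def scan_html(html, page_host):
    """Scan one page's HTML; page_host is the host the page was fetched from."""
    parser = DriveByScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (hypothetical hosts, not indicators from the post).
LANDING_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://redirect.invalid/go.php" width="1" height="1"
        style="display: none"></iframe>
<iframe src="http://compromised.example/ad.html" width="300" height="250"></iframe>
</body></html>"""

STAGE2_PAGE = """<html><body>
<applet archive="loader.jar" code="Main.class" width="1" height="1"></applet>
<object type="application/x-java-applet" archive="loader.jar"></object>
</body></html>"""

if __name__ == "__main__":
    for name, html, host in (("landing", LANDING_PAGE, "compromised.example"),
                             ("stage2", STAGE2_PAGE, "redirect.invalid")):
        for tag, ref, reasons in scan_html(html, host):
            print(f"{name}: <{tag}> {ref!r}: {', '.join(reasons)}")
```

The visible same-site iframe on the landing page produces no finding, so the scanner is useful as a triage filter rather than a blanket iframe blocker. Off-site but visible iframes are reported with a single reason; a hit that stacks all three iframe reasons, or any Java applet tag on a page that has no business embedding one, is what should be escalated.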

My thanks go out to colleagues David Beveridge, Abhishek Karnik, and Kevin Beets for letting me pass along their analysis!