
Non-Admins on Mac Protected?
"...it plants a backdoor inside a more obscure folder associated with the Safari."
So does this still happen when the Mac user is a non-administrator?
Underscoring the growing sophistication of Mac-based malware, a trojan preying on OS X users has adopted several stealth techniques since it was discovered last month. Updates to the Flashback trojan, which gets installed by disguising itself as an Adobe Flash update, now prevent the malware from running on Macs that use VMware …
"Flashback developers have also rejiggered their code so that it no longer installs itself in an easy-to-spot subfolder off the OS X ~/Library location. Instead, it plants a backdoor inside a more obscure folder associated with the Safari. Deleting the files prevents the browser from working."
Thanks for telling us what the folder IS!
Shame they didn't give the essential info...
This version of the malware installs here:
/Applications/Safari.app/Contents/Resources/UnHackMeBuild
If it's there, you will need to delete the reference to it in
/Applications/Safari.app/Contents/Info.plist
otherwise Safari won't run.
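A defender-side check for the two artifacts named in the post above, as an added example that is not from the thread or from any vendor tool: it reports the dropped file and any Info.plist reference to it without deleting anything, and takes the bundle path as an argument so it can be pointed at a copy or a test tree. The codesign verification is an assumption of mine (a modified Info.plist breaks the bundle signature on macOS) and only runs where that tool exists.

```shell
#!/bin/sh
# Added example: look for the Flashback artifacts named in the thread
# inside a Safari.app bundle. Reports only; deletion is left to the admin.

SAFARI_APP="/Applications/Safari.app"     # default bundle, from the thread
BACKDOOR_NAME="UnHackMeBuild"             # dropped file name, from the thread

# 0 if the dropped binary is present under Contents/Resources.
has_backdoor_file() {
    [ -e "$1/Contents/Resources/$BACKDOOR_NAME" ]
}

# 0 if Info.plist still references the dropped binary (the reference the
# thread says must be removed, otherwise Safari will not launch).
has_plist_reference() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] && grep -q "$BACKDOOR_NAME" "$plist"
}

# Assumed extra check: on macOS, verify the bundle's code signature, which a
# tampered Info.plist invalidates. Skipped (treated as OK) where codesign is
# absent or the bundle does not exist, so the script also runs elsewhere.
signature_ok() {
    if command -v codesign >/dev/null 2>&1 && [ -d "$1" ]; then
        codesign --verify --deep --strict "$1" >/dev/null 2>&1
    else
        return 0
    fi
}

# Print findings for one bundle; return 0 when clean, 1 when anything is found.
check_safari_bundle() {
    bundle="${1:-$SAFARI_APP}"
    found=0
    if has_backdoor_file "$bundle"; then
        echo "FOUND: $bundle/Contents/Resources/$BACKDOOR_NAME"
        found=1
    fi
    if has_plist_reference "$bundle"; then
        echo "FOUND: reference to $BACKDOOR_NAME in $bundle/Contents/Info.plist"
        found=1
    fi
    if ! signature_ok "$bundle"; then
        echo "WARN: code signature of $bundle does not verify"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "clean: $bundle"
    return "$found"
}

# Stand-alone use: check the given bundle (default: the system Safari.app).
check_safari_bundle "${1:-$SAFARI_APP}"
```

Run it as an admin and act on a FOUND line by removing the file and the plist reference, as the post describes; a bare WARN on an otherwise clean bundle deserves a second look before any change.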
Currently it seems every other day there is an update to an Adobe product.
It encourages users to adopt an "Oh yeah, Adobe update again, click, click, click..." behaviour to the point where it's just so easy for someone to sneak something malicious onto your computer using Adobe as a disguise.
Adobe needs to stop these constant updates; it's really unhelpful and is becoming a menace to computer security.
...but your post comes across to me as a bit of a hater post.
Flash is one of the most ubiquitous and commonly targeted pieces of software for exploit, and over the years has been the entry point for all sorts of exploits.
<sarcasm>
How dare they constantly patch their seemingly never-ending series of security holes! *shakes fist in air*
</sarcasm>
I don't necessarily like the way they update with the popups, but less frequent updates (given the rate of exploits found) would not be a good thing IMHO.
On at least my Mac, if I try to execute anything of unknown provenance (for example from a download, attachment, ... or unarchived from such), it pops up a little nag window at me.
That doesn't put it to bed, since if you opened something whose handler had a peek inside and ran, say, a shell script, there is nothing you can do. I believe this is the vector of Office malware, for example. But, you install Office and the like, you take your chances. Does Adobe's software do something like this?
Are the Fine Researchers suggesting that this thing is able to spoof the provenance, thus run without warning? If so, that is quite something; if not, it's like blaming your car because you ignored the oil light.
This was the real trick in the endless array of stupid Windows tricks in the past. There were so many ways to get it to quietly execute blobs that the poor user didn't stand a chance.
It's arguably being caused by poor security in Flash in the sense that updates are released very frequently and in an extremely unstructured manner, making it both a habit to install Adobe updates all the time and also rather difficult to tell whether something is genuine or not (for example, if you go to a Flash-heavy site like YouTube with an old version of Flash installed then you'll be prompted within the Flash components on that site to install an update just by "clicking here"). How does that possibly help end users learn about good security habits?
If all malware is known to have included code to not run in a VM (Windows & Mac) then surely it must be possible to put something in place to make it *look* like you are running a VM, even if you are not, and then malware won't run? Is that over-simplifying it?
Eg: malware checks for a plist or a registry setting and won't run if it's there. Then just put it there even though it does nothing.
Would that work? Should I patent that?
"Eg: malware checks for a plist or a registry setting and won't run if it's there. Then just put it there even though it does nothing.
Would that work? Should I patent that?"
Not a good idea. Quite a few desktop applications, games especially, will also not run in such a case. Debuggers and VMs look a lot alike (nothing to do with the registry etc.; this is about low-level hooks and interrupts), and some people just don't like their software dissected, for different reasons.
I don't know how software can detect if it's running on a virtual machine or not. On the PC there are a few choices for virtualization and it'd be a pain to detect them all. Even Windows 7 virtualizes data areas as part of User Account Control.
One piece of trialware for Windows refuses to run on VMware guests: "Coupons.com detects VMware and refuses to install." http://www.benedelman.org/news/031808-1.html and I've always wondered how it detects whether it's running on a virtual machine. Looking for VMware Tools is the obvious solution, but one can run a VM without it.