back to article Flashback trojan targeting OS X shuns virtual machines

Underscoring the growing sophistication of Mac-based malware, a trojan preying on OS X users has adopted several stealth techniques since it was discovered last month. Updates to the Flashback trojan, which gets installed by disguising itself as an Adobe Flash update, now prevent the malware from running on Macs that use VMware …


This topic is closed for new posts.
  1. Gordon Fecyk

    Non-Admins on Mac Protected?

    " plants a backdoor inside a more obscure folder associated with the Safari."

    So does this still happen when the Mac user is a non-administrator?

  2. PassiveSmoking
    Thumb Up

    So you can make your Mac immune to this trojan by installing VMWare Fusion? Cool.

    1. Lord Elpuss Silver badge

      Yeah but don'cha think that's a bit of a faff just to prevent one trojan?

  3. maclovinz

    Did I miss something?

    "Flashback developers have also rejiggered their code so that it no longer installs itself in an easy-to-spot subfolder off the OS X ~/Library location. Instead, it plants a backdoor inside a more obscure folder associated with the Safari. Deleting the files prevents the browser from working."

    Thanks for telling us what the folder IS!

    1. clanger9

      Re: Did I miss something?

      Shame they didn't give the essential info...

      This version of the malware installs here:


      If it's there, you will need to delete the reference to it in


      otherwise Safari won't run.

  4. SmallYellowFuzzyDuck, how pweety!

    Adobe Flash is becoming a menace and this article shows why.

    Currently it seems every other day there is a update to an Adobe product.

    It's encourage users to adopt a "Oh yeah, Adobe update again, click, click, click..." behaviour to the point where it's just so easy for someone to sneak something malicious onto your computer using Adobe as a disguise.

    Adobe needs to stop these constant updates, it's really unhelpful and is becoming a menace to computer security.

    1. Lord Elpuss Silver badge

      i have absolutely no idea why you've been downvoted for that. Nothing more than the bare truth, in my view...

      1. Onid

        so u voice ur concern but fail to upvote...

        So I downvote u on principle and give the upvote to the one u raised about...


        balance restored... can we have a yin/yang symbol please...hehe..

        1. Rusty 1

          Restoration of balance

          Balance can only be restored when your Y and O keys work properly.

      2. BasevaInc

        ADOBE employees!!

        1. Anonymous Coward
          Anonymous Coward

          Didn't downvote you

          ...but your post comes across to me as a bit of a hater post.

          Flash is one of the most ubiquitous and commonly targeted pieces of software for exploit, and over the years has been the entrypoint for all sorts of exploits.


          How dare they constantly patch their seemingly never-ending series of security holes! *shakes fist in air*


          I don't necessarily like the way they update with the popups, but less frequent updates (given the rate of exploits found) would not be a good thing IMHO.

      3. Nun of Thee Above


        "i have absolutely no idea why you've been downvoted for that. Nothing more than the bare truth, in my view..."

        It's likely an anti-FUD maneuver by Adobe employees tired of being bashed for distributing such shoddy products.

  5. Steve McPolin

    The beachhead....

    On at least my mac, if I try to execute anything of unknown provenance - for example from a download, attachment, ... or unarchived from such- it pops up a little nag window at me.

    That doesn't put it to bed, since if you opened something who's handler had a peek inside and ran say a shell script, there is nothing you can do. I believe this is the vector of Office malware, for example. But, you install Office and the like, you take your chances. Does Adobe's software do something like this?

    Are the Fine Researches suggesting that this thing is able to spoof the provenance, thus run without warning? If so, that is quite something; if not its like blaming your car because you ignored the oil light.

    This was the real trick in the endless array of stupid windows tricks in the past. There were so many ways to get it to quietly execute blobs that the poor user didn't stand a chance.

  6. Anonymous Coward
    Anonymous Coward


    Installed VMware Fusion (check)

    Uninstall Adobe Flash (check)

    Add Adobe Flash to mental shit list (check)

    1. Dave Murray

      Learn to read

      This issue is not being caused by poor security in Flash, it's being caused by poor security in and stupid users of OS X.

      1. Rob Moir

        It's arguably being caused by poor security in Flash in the sense that updates are released very frequently and in an extremely unstructured manner, making it both a habit to install adobe updates all the time and also rather difficult to tell whether something is genuine or not (for example, if you go to a flash-heavy site like youtube with an old version of flash installed then you'll be prompted within the flash components on that site to install an update just by "clicking here". How does that possibly help end users learn about good security habits?

  7. Tony Batt

    Title Optional

    What about parallels? or is fusion considered the only VM for mac

  8. Adrian Bool

    Running *in* VMware

    Note, the check is to see if the malware is running *inside* a VMware VM - i.e. a virtual instance of OS X. Merely installing and perhaps running VMware Fusion won't help you.

  9. Seanie Ryan


    if all malware is known to have included code to not run in a VM (windows & mac) then surely it must be possible to put something in place to make it *look* like you are running a VM , even if you are not, and then malware wont run? Is that over-simplifying it?

    Eg: malware checks for a plist or a registry setting and wont run if its there. Then just put it there even though it does nothing.

    would that work? should i patent that?

    1. Syren Baran

      Not a good idea

      "Eg: malware checks for a plist or a registry setting and wont run if its there. Then just put it there even though it does nothing.

      would that work? should i patent that?"

      Not a good idea. Quite a few desktop applications, games in special, will also wont run in such a case. Debuggers and VM´ s look a lot alike (nothing to do with registry etc.., this about low level hooks and interrupts), and some people just don´t like their software dissected for different reasons.

  10. cduance

    if you dont like adobe products don't use them.

    "becoming a menace to computer security" PICNIC Problem in chair not in computer.

  11. Gordon Fecyk

    Does removing VMware Tools help?

    I don't know how software can detect if it's running on a virtual machine or not. On the PC there are a few choices for virtualization and it'd be a pain to detect them all. Even Windows 7 virtualizes data areas as part of User Account Control.

    One piece of trialware for Windows refuses to run on VMware guests: " detects VMware and refuses to install." and I've always wondered how it detects whether it's running on a virtual machine. Looking for VMware Tools is the obvious solution, but one can run a VM without it.

This topic is closed for new posts.

Other stories you might like