Help - infected with Flashback trojan


Recommended Posts

Hi - I would appreciate help.  My Mac - El Capitan - seems to be infected with the Flashback trojan.  Malwarebytes Free (with updated definitions) does NOT detect.  But HouseCall does - sort of.  It runs, then seems to stall.  If I click Stop, it then shows me a Click "Fix now" page, with OSX_Flashbck_A listed multiple times.  But if I click the Fix now button, nothing happens.

I believe I am truly infected - I stupidly allowed a Flash updater that I thought was validly from Adobe. It popped up when I was on some web page a week or two ago.  I believe I was using Firefox (up to date), since that is my default browser (although it is slightly possible I was using Safari). Since then, I have scanned several times with Malwarebytes, and thought all was good, until I ran this HouseCall scan.

What evil is this trojan doing to my computer?  And how do I get rid of it?  Also, my latest Time Machine and Carbon Copy Cloner backups must also be infected - what do I do about that?

My OSX was up to date until yesterday; now there is an update I haven't installed yet.

Thank you!

  • Staff

Can you provide a screenshot that shows exactly what file(s) HouseCall is detecting? We would need to see both the full path to the file, without any parts of that path being cut off, as well as the name that HouseCall is calling it.

I suspect that this may be a false detection. Trend Micro does not have a strong record for good Mac detections, and Flashback is actually quite old and extinct. Flashback was last seen in 2012, and has not been seen since.

HouseCall isn't showing the path.  It is calling it OSX_Flashbck_A.  The click-to-fix-it page lists this same file name over and over.

I do not think it is a false detection because I have a clear memory of having what seemed to be an Adobe Flash updater pop up, AND I stupidly authorized it to install.  Yes, really stupid.  But I did it.

If I can figure out how, I will take a photo of the Mac's HouseCall page -- I am posting this from my iPad.  But there isn't much to see -- no path is given.

  • Staff

That definitely looks like a false positive. Flashback.A was last seen in 2011, so it's even older than more recent variants of Flashback. No Flashback variants have been seen since 2012. There's no way this is a current infection.

Further, the File column shown there is blank, which is highly suspicious. I don't know what that might mean, but I'd be very reluctant to let HouseCall "fix" that problem when it can't even tell you what files it might affect. This is an error in HouseCall.

Note that Flashback was not the first or the last thing to use the fake Flash installer trick. There have been countless pieces of malware, adware and junk software that have all used the same trick. If you ran such a fake Flash installer, you may have installed some more recent threat, most likely a piece of adware or junk software. It also might not have installed anything at all... these installers tend to be fairly quick to stop working as soon as security companies find them.

If you still have that installer, submit it on our Newest Mac Threats forum here:

https://forums.malwarebytes.com/forum/193-newest-mac-threats/

Ok, thanks.  I doubt I have the installer - will check when I get home again.

I would like to be quite sure I am free of all infections, as I am doing my taxes on that computer.  

Should I run anything else?  I think I have some tools on the computer, maybe a program called something like super anti spyware (I am not home now to check) -- should I update them and check?

I am also concerned because some of the system files that TrendMicro says (on their website) that OSX_Flashbck deletes seem to be missing.  But the system may have changed since that was posted.  I will post more details about this when I am back home.  This is the page that discusses the trojan and the files it deletes: https://www.trendmicro.com/vinfo/au/threat-encyclopedia/malware/osx_flashbck.a

(I'm not sure if this forum allows links...)

Thank you very much!

  • Staff

The two files that document refers to Flashback deleting no longer exist in those locations on modern Mac systems. Further, the locations where those files are found cannot be modified by anything other than macOS itself, even with the highest level of permissions.

I would not recommend running anything else. If you had any kind of malware or other threats on your Mac, Malwarebytes for Mac should detect them. Trend Micro can't be relied on to do that, and depending on what it thinks it's detecting, it could actually break your system.

Thank you for the clarification about the "missing" files.

I won't try to use HouseCall to fix this (possibly non-existent) problem.  (I actually did click the Fix button earlier, before you posted not to do that, but the app seemed frozen and I don't think it did anything.)

I would completely put this out of my mind, except that I did have that Flash installer pop up on some webpage when I clicked a pdf file (maybe a week ago).  (I do not still have the installer file, by the way.)  So I am really anxious about doing my taxes on this computer.  

I acknowledge your point that the Flashback Trojan disappeared years ago -- but is it possible that the same delivery method is now delivering some other trojan?  And that HouseCall is therefore detecting it and labeling it Flashback Trojan, when in reality it is something new?

I generally rely very much on MalwareBytes, but in this case, given that I actually saw the Flash installer...  Is there nothing else I can run that would give me peace of mind?

Thanks so much!

PS -- For the heck of it, I deleted HouseCall, downloaded it again, and got the same result -- but this time, a log file popped up (and apparently was sent to Apple, as well).  If you are interested, I can post it.  I think maybe it is more concerned with the fact that the HouseCall app quit unexpectedly than about the threat it may have detected. (It froze at 1 min, 37 sec, and then I clicked "Stop" -- and although it says 0 threats detected before I click Stop, clicking Stop opens that page I posted in a screenshot earlier, the one that shows OSX_Flashbck_A listed multiple times.)

Hi, again -- I decided to look in my app folder for recently installed apps.

In my Utilities folder, there is an app that is called Adobe Flash Player Install Manager.app  -- date modified is Mar 13, 2018, about when I think I encountered the rogue installer.  Would you want me to submit it in some way?

(I also have an Adobe folder within Applications, and within the Adobe folder, there is a Flash folder.)

I have to leave for a few hours now.  Will check back later this evening.  Thank you!

It's normal to have the Adobe Flash Player Install Manager.app in your Utilities folder, as long as you have Flash Player installed, and that's the same date as I have for version 29.0.0.113 of that app.

Checking System Information (hold the <Option or Alt> key down while selecting "System Information..." from the Apple menu) under Software->Installations, then clicking on the Install Date header twice to put it in date order, I see that I last installed my Flash Player at that same date/time.

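
As an added example (not from this thread, and not Malwarebytes or Trend Micro code), here is a script that reads the same Software -> Installations history from the command line and lists Flash Player related installs in date order. It assumes that `system_profiler SPInstallHistoryDataType -json` reports each entry with the keys `_name`, `install_date`, `install_version` and `package_source`, and it embeds constructed sample data so it also runs on a machine that is not a Mac.

```python
"""Added example: list macOS install history sorted by date and flag
Flash Player related installs. Parses the JSON printed by
`system_profiler SPInstallHistoryDataType -json` (the command-line
equivalent of System Information -> Software -> Installations). The key
names below are assumed from that output; the sample is constructed."""
import json
import subprocess
from datetime import datetime

# Constructed sample standing in for real system_profiler output.
SAMPLE_JSON = """
{"SPInstallHistoryDataType": [
  {"_name": "Safari", "install_date": "2018-03-01T18:05:12Z",
   "install_version": "11.0.3", "package_source": "package_source_apple"},
  {"_name": "Adobe Flash Player", "install_date": "2018-03-13T20:41:09Z",
   "install_version": "29.0.0.113", "package_source": "package_source_other"},
  {"_name": "Security Update 2018-001", "install_date": "2018-03-14T08:12:44Z",
   "install_version": "1.0", "package_source": "package_source_apple"}
]}
"""

def parse_install_history(raw_json):
    """Return (datetime, name, version, source) tuples sorted by install date."""
    data = json.loads(raw_json)
    entries = []
    for item in data.get("SPInstallHistoryDataType", []):
        when = datetime.strptime(item["install_date"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append((when, item.get("_name", "?"),
                        item.get("install_version", "?"),
                        item.get("package_source", "?")))
    return sorted(entries)

def flash_installs(entries):
    """Entries whose product name mentions Flash (case-insensitive)."""
    return [e for e in entries if "flash" in e[1].lower()]

def load_live_history():
    """On a real Mac, read the live install history; return None elsewhere."""
    cmd = ["system_profiler", "SPInstallHistoryDataType", "-json"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_install_history(out)

if __name__ == "__main__":
    history = load_live_history() or parse_install_history(SAMPLE_JSON)
    for when, name, version, source in history:
        print(f"{when:%Y-%m-%d %H:%M}  {name} {version}  [{source}]")
    for when, name, version, _ in flash_installs(history):
        print(f"Flash-related install: {name} {version} on {when:%Y-%m-%d}")
```

An install whose `package_source` is not Apple's and whose date matches when a suspicious "Flash updater" was run is the entry worth comparing against the date on Adobe Flash Player Install Manager.app.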
Single-click on a text file in Finder and select "Get Info" from the File menu.

In the "Open with:" section you should see a popup menu. If not click the disclosure triangle so it's pointed downward.

Click on the Popup menu and select "TextEdit".

Click on the "Change All..." button below the menu and confirm that you are sure you want to do that.

Thanks very much - that did the trick!  But I still can't understand how this could have happened -- makes me feel I must be infected.  I have DreamWeaver in my Applications folder, but haven't used it for years.  It's not on my Dock, so I couldn't have clicked it by accident, or anything like that.

It happens to everybody sooner or later. Usually the result of some sort of corruption to the launchservices database. Not nearly as bad as it was in the early days of OS X, but still occurs. Sometimes it's been bad enough that I had to take action to manually rebuild it, but that's not something the average user should need to do.

Edited by alvarnell
McAfee Labs Threats Report, March 2018, says, "Two common forms of Mac malware this quarter were Flashback, which grabs passwords and other data through browsers, and Longage, which can give a hacker control of a system."   I fear I have the former.  Can someone please tell me how to check and get rid of it.

7 minutes ago, Distressed said:

McAfee Labs Threats Report, March 2018, says, "Two common forms of Mac malware this quarter were Flashback, which grabs passwords and other data through browsers, and Longage, which can give a hacker control of a system."   I fear I have the former.  Can someone please tell me how to check and get rid of it.

Here's a link to help you with this.

https://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html

It gives instructions on how to find out, and what to do...

Hi, and thank you.  But the article is from 2012, so it's hard to know what parts of it are still relevant.  The article below the first one (also from 2012) says that Java updates will remove the Flashback infection, and my Java is up-to-date at this point.

I talked to Apple today, and I asked about removing Java, but the person I was speaking to recommended keeping it. She said Safari uses it.  Well, I don't generally use Safari, and I have Java settings such that it is not to be used in a browser (without actively changing that setting).  I still think it might be better to get rid of it altogether.

1 hour ago, Distressed said:

McAfee Labs Threats Report, March 2018, says, "Two common forms of Mac malware this quarter were Flashback, which grabs passwords and other data through browsers, and Longage, which can give a hacker control of a system."   I fear I have the former.  Can someone please tell me how to check and get rid of it.

Sounds totally false. There have been zero reports of Flashback coming back and the folks here at Malwarebytes would have been all over it if it had. The command and control system was taken over by the FBI and as far as I know the perpetrators are still in jail.

And with regard to Java, only the Java plug-in was involved back in 2012; the vulnerability was patched immediately, and macOS won't allow you to use any old Java plug-in that has vulnerabilities. Java-coded apps are widely and safely in use today, and I'm not aware of any serious vulnerability in them with respect to macOS in all of its history.

I personally have not used the Java plug-in since 2012 and have never run into any situation where I absolutely needed it.

I just downloaded and ran HouseCall for myself. It identified hundreds of occurrences of OSX.FLASHBCK.A (and only that infection) without listing a single file name. I can see in my network monitor that HouseCall is in constant contact with housecall4mac100-en.fbs10.trendmicro.com, presumably reporting these detections, so it's no surprise that their monthly report is showing it as a common infection.

It's a bit immodest of me to say this, but I'm somewhat of an expert on Flashback, having worked with several other malware specialists and anti-virus software vendors to figure out exactly what was going on back in the Spring of 2012 with the one Java version of Flashback (there were at least eight versions, probably more). I can tell you without a doubt that my computer is not infected by any version of Flashback today. I have more than half a dozen anti-malware apps on my computer for testing purposes and not one of them has ever identified any Flashback associated file on it.

Those reports are all FALSE POSITIVES and cannot be believed. 

Very cool! Thanks for running that experiment.  What an interesting result!

So even though I remember seeing some sort of Flash installer about 1-2 weeks ago - which I authorized to install, but then decided there was something fishy about - I shouldn't worry?

I was worried that it could be a different Trojan that triggers the identification of Flashback because of the similar delivery method.  But if you get the same HouseCall result, and you are sure your system is clean, then that is very reassuring.

One other untoward thing happened lately -- when again, I clicked on something that I shouldn't have.  I got an email from my lawyer, with some sort of Citrix ShareFile thingie with a Download button.  Stupidly, even though I wasn't really expecting anything from him, I clicked the Download button.  Nothing happened.  So I emailed him, and he said it was a hack - or really, as his IT guy had told him, a harmless spoof.  I ran MalwareBytes, and nothing was found.  So again - nothing to worry about?  (Except that I'd better get a lot more careful about clicking things without verifying first!) 

(I later got the same email from someone else, but was clever enough to avoid falling for the same trick twice.)

Thank you and Thomas both for your expert assessment of my situation!  I really appreciate it.  I think I now feel confident about doing my taxes on this machine.  (Too bad you can’t help with that!)

Just for future reference, you said you have various anti-malware apps — are there any programs, in addition to MalwareBytes, that a novice like me can run on a Mac without fear of messing things up?  

Also, for staying safe online — I would love some guidance on Firefox security and privacy add-ons.  (Perhaps this question belongs in a different forum?)

For many years, I used NoScript (despite some inconvenience and occasional confusion), as well as Adblock Plus, and also Ghostery and Disconnect (all simultaneously, I think, although I don’t remember for sure).  Then, a while back, Firefox changed significantly, and many add-ons were (at least temporarily) incompatible.  At that point, I tried using uMatrix, but was having trouble getting the hang of it, and pages weren’t displaying correctly, so I stopped using it and was just using Adaware Ad Block (which is what I was using when I encountered the Flash installer).  Right now, I have switched again and am using uBlock Origin (with the default filters, I believe).

I see that NoScript seems to be available again - should I go back to that?  Or is uBlock Origin enough?  Or should I be using something else? (Keeping in mind that I am not a high-level user… uMatrix seemed great, but I wasn’t able to master it.)

Also, for many years, I used the WOT Firefox add-on to mark my search results with indicators of page safety.  Then there was a kerfuffle about WOT selling/leaking customer data, and Firefox temporarily banned it.  Now it is back, but I believe it is still not maintaining user privacy (although it is now disclosing what it is doing).  I feel that WOT is a major factor in helping me stay safe online (though I know Firefox will throw up a shield if you land on a known bad page).  But I’m not super happy with the lack of privacy, and it only works with DuckDuckGo, and I prefer StartPage as my search engine. Are there any alternatives to WOT?

Thank you very much!

  • Staff

Thanks, Al, for running that test! I was just about to do that myself when I ran across your response. HouseCall is pretty darn unreliable on the Mac... it suffers from a fair number of false positives, and doesn't do a particularly good job of detecting Mac threats.

Regarding the e-mail link, your Mac cannot currently get infected just by clicking a link. That would have either been a phishing link, to try to get you to enter credentials on a phishing page, or would have downloaded malware that you would have had to open manually.

Regarding add-ons to Firefox, I'd say I don't entirely trust WOT anymore either, and it's not all that reliable anyway. Some good sites get marked as bad, and it misses lots of bad sites.

Malwarebytes does have a Firefox extension in development right now, which will provide web protection, so keep an eye out for that.
