6 Replies Latest reply: May 2, 2012 9:50 PM by Gil Dawson

    How can I tell legit upgrade from Trojan?

    Gil Dawson Community Member

      There's a lot of press in the PC world about how Macs are now enduring a malware attack.  It's called the Flashback Trojan, and it apparently masquerades as an application to upgrade the Flash player.  The information I have found on the web tells how to detect if you have it (I don't) and reassures us that Apple has now fixed the problem.

      What I have not been able to find is what the infection procedure looks like; more specifically, how can I tell the difference between malware and a legitimate Adobe upgrade?

      In particular, when an alert box pops up that says...

      "Install Adobe Flash Player.app" is an
      application downloaded from the internet.
      Are you sure you want to open it?

      How can I be sure that the product came from Adobe?

      --Gil

        • 1. Re: How can I tell legit upgrade from Trojan?
          chris.campbell Employee Hosts

          The latest Flashback trojan actually was Java-related.  However, you can always make sure you get the official version of Flash by going to get.adobe.com/flashplayer.

          • 2. Re: How can I tell legit upgrade from Trojan?
            Gil Dawson Community Member

            Oh.  Java.  Flashback is about Java, not Flash Player.  How silly of me.  Sorry.

            Thank you for clearing that up, Chris.

            --Gil

            • 3. Re: How can I tell legit upgrade from Trojan?
              chris.campbell Employee Hosts

              I believe the initial version of Flashback (back in October 11 I think) was a rogue installer that was masquerading as a Flash Player installer.  Another reason to make sure you download from adobe.com.

              • 4. Re: How can I tell legit upgrade from Trojan?
                Gil Dawson Community Member

                I guess the problem I was addressing occurs at the time one sees this alert:

                "Install Adobe Flash Player.app" is an
                application downloaded from the internet.
                Are you sure you want to open it?

                Regardless of where you or I *think* the application may have come from, is there any way to double-check that the app on which you just double-clicked is not the impostor?

                How are the legit installer and the malware different?  Is there, perhaps, some small difference in their icons, or does one of them have something spelled differently?  You know -- the stuff they pass around about counterfeit twenties -- How is it different?

                All the web descriptions of the October Flashback say that it "masquerades" as a Flash Player installer, but they do not give details.   Just how good is this "masquerade"?  What does the counterfeit installer do, or look like, that's different from the McCoy?  Does it engender the same alert box, or is it slightly different in any way?    I would like to have a way to double-check before I agree to open it.

                --Gil


                • 5. Re: How can I tell legit upgrade from Trojan?
                  chris.campbell Employee Hosts

                  Hi Gil,

                  I believe that this process will get easier in upcoming OS X releases, but in the meantime you should be able to verify that a Flash Player installer is from Adobe by using the digital signature embedded within the binary.  You can do this via the command line in a terminal session.  First, mount the installer .dmg and in a terminal window, type:

                  codesign -v -d -v /Volumes/Flash\ Player/Install\ Adobe\ Flash\ Player.app/

                  You'll get info back, and in particular you should see an Authority entry listing out Adobe Systems Incorporated.

                  Chris
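An added example, not part of Chris's reply or of any Adobe tooling: a small POSIX shell function that reads the output of the codesign command above and rejects the bundle unless the first Authority entry names the expected organization and the chain ends at Apple Root CA. The sample codesign output, the Identifier and the Authority strings in it are constructed placeholders, not captured from a real installer.

```shell
# Added example (not from the thread): parses the output of the codesign
# command Chris gives and checks the Authority chain. codesign -d prints
# its details to stderr, so on a Mac the real invocation is:
#   codesign -dvv "/Volumes/Flash Player/Install Adobe Flash Player.app" 2>&1 \
#     | check_signer "Adobe Systems Incorporated"
# Pair it with `codesign --verify --verbose <bundle>` (exit status 0), since a
# matching name inside a tampered or broken signature proves nothing.

# check_signer: stdin = codesign -dvv output; $1 = organization expected in the
# leaf (first) Authority line. Returns 0 only if the leaf matches and the chain
# ends at Apple Root CA.
check_signer() {
    expected="$1"
    leaf=""
    root=""
    while IFS= read -r line; do
        case "$line" in
            Authority=*)
                value="${line#Authority=}"
                if [ -z "$leaf" ]; then leaf="$value"; fi  # first entry = signing cert
                root="$value"                               # last entry = root
                ;;
        esac
    done
    if [ -z "$leaf" ]; then
        echo "REJECT: no Authority entries (unsigned, or codesign failed)"
        return 1
    fi
    case "$leaf" in
        *"$expected"*) ;;
        *) echo "REJECT: leaf signer is '$leaf', not $expected"; return 1 ;;
    esac
    if [ "$root" != "Apple Root CA" ]; then
        echo "REJECT: chain ends at '$root', not Apple Root CA"
        return 1
    fi
    echo "OK: leaf signer is '$leaf'"
}

# Constructed sample in codesign's output format (not captured from a real
# installer; the Identifier and Authority values are placeholders).
GOOD_SAMPLE='Executable=/Volumes/Flash Player/Install Adobe Flash Player.app/Contents/MacOS/Install Adobe Flash Player
Identifier=com.example.constructed.flashinstaller
Format=bundle with Mach-O thin (i386)
Authority=Developer ID Application: Adobe Systems Incorporated
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

printf '%s\n' "$GOOD_SAMPLE" | check_signer "Adobe Systems Incorporated"
```

An unsigned bundle produces no Authority lines at all (codesign reports "code object is not signed at all" instead), which the function treats as a rejection rather than a pass.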

                  • 6. Re: How can I tell legit upgrade from Trojan?
                    Gil Dawson Community Member

                    Well, thanks, Chris.  That is indeed a helpful reply.  I'll give it a try.

                    --Gil