{"id":3400,"date":"2011-10-13T16:42:03","date_gmt":"2011-10-13T23:42:03","guid":{"rendered":"http:\/\/blog.intego.com\/?p=3400"},"modified":"2016-02-12T10:08:31","modified_gmt":"2016-02-12T18:08:31","slug":"new-variant-of-flashback-trojan-horse-gets-sneakier","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/","title":{"rendered":"New Variant of Flashback Trojan Horse Gets Sneakier"},"content":{"rendered":"<p>We&#8217;ve seen several variants of the Flashback Trojan horse since <a href=\"https:\/\/www.intego.com\/mac-security-blog\/intego-security-memo-september-26-2011-mac-flashback-trojan-horse-masquerades-as-flash-player-installer-package\/\">Intego first discovered this malware on September 26<\/a>. The latest version, Flashback.D, has gotten a bit sneakier.<\/p>\n<p>First, it checks to see if the user is running Mac OS X in VMware Fusion. If so, it does not execute. It does this because many malware researchers test malware in virtual machines, rather than infecting full installations, as virtual machines are easier to delete and replace with clean copies. This means that security researchers analyzing and looking for this malware need to be running regular Macs.<\/p>\n<p>Next, the installer for the malware downloads the payload when running the postinstall script. 
<\/p>\n<p><center><br \/>\n<img loading=\"lazy\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png\" alt=\"\" title=\"flashback-postinstall-2\" width=\"451\" height=\"195\" class=\"aligncenter size-full wp-image-3410\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png 451w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2-300x129.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2-100x43.png 100w\" sizes=\"(max-width: 451px) 100vw, 451px\" \/><br \/>\n<\/center><\/p>\n<p>Finally, it no longer installs the easy-to-spot ~\/Library\/Preferences\/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari&#8217;s Info.plist file, with the location of the backdoor, and it adds the actual backdoor module at \/Applications\/Safari.app\/Contents\/Resources\/UnHackMeBuild.<\/p>\n<p><center><br \/>\n<img loading=\"lazy\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/unhackme-p-2.png\" alt=\"\" title=\"unhackme-p-2\" width=\"533\" height=\"357\" class=\"aligncenter size-full wp-image-3406\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/unhackme-p-2.png 533w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/unhackme-p-2-300x200.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/unhackme-p-2-100x66.png 100w\" sizes=\"(max-width: 533px) 100vw, 533px\" \/><br \/>\n<\/center><\/p>\n<p>Even if a user removes the above file (UnHackMeBuild), they also need to edit Safari&#8217;s Info.plist file; otherwise, Safari will look for the backdoor on launch and, if it is not found, will quit. 
<\/p>\n<p>These changes show that the malware authors are sophisticated, and that they&#8217;re altering their code to ensure that the malware is not detected. Naturally, Intego&#8217;s security researchers have spotted all these changes, and <a href=\"https:\/\/www.intego.com\/virusbarrier\/\">Intego VirusBarrier X6 continues to protect users from the Flashback Trojan horse<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[30,153,86,132],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Variant of Flashback Trojan Horse Gets Sneakier - The Mac Security Blog\" \/>\n<meta 
property=\"og:description\" content=\"The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2011-10-13T23:42:03+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-02-12T18:08:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Peter James\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png\",\"width\":\"451\",\"height\":\"195\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/\",\"name\":\"New Variant of Flashback Trojan Horse Gets Sneakier - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#primaryimage\"},\"datePublished\":\"2011-10-13T23:42:03+00:00\",\"dateModified\":\"2016-02-12T18:08:31+00:00\",\"description\":\"The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New Variant of Flashback Trojan 
Horse Gets Sneakier\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116\"},\"headline\":\"New Variant of Flashback Trojan Horse Gets Sneakier\",\"datePublished\":\"2011-10-13T23:42:03+00:00\",\"dateModified\":\"2016-02-12T18:08:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#webpage\"},\"wordCount\":271,\"commentCount\":5,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png\",\"keywords\":[\"Backdoor\",\"Flashback\",\"Malware\",\"Trojan Horse\"],\"articleSection\":[\"Malware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116\",\"name\":\"Peter James\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g\",\"caption\":\"Peter 
James\"},\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/peter\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/","og_locale":"en_US","og_type":"article","og_title":"New Variant of Flashback Trojan Horse Gets Sneakier - The Mac Security Blog","og_description":"The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.","og_url":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/","og_site_name":"The Mac Security Blog","article_published_time":"2011-10-13T23:42:03+00:00","article_modified_time":"2016-02-12T18:08:31+00:00","og_image":[{"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Peter James","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png","width":"451","height":"195"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/","name":"New Variant of Flashback Trojan Horse Gets Sneakier - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#primaryimage"},"datePublished":"2011-10-13T23:42:03+00:00","dateModified":"2016-02-12T18:08:31+00:00","description":"The latest version of the Flashback Trojan horse installs a backdoor module in the Safari web browser.","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"New Variant of Flashback Trojan Horse Gets 
Sneakier"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116"},"headline":"New Variant of Flashback Trojan Horse Gets Sneakier","datePublished":"2011-10-13T23:42:03+00:00","dateModified":"2016-02-12T18:08:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#webpage"},"wordCount":271,"commentCount":5,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2011\/10\/flashback-postinstall-2.png","keywords":["Backdoor","Flashback","Malware","Trojan Horse"],"articleSection":["Malware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/new-variant-of-flashback-trojan-horse-gets-sneakier\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/d0c16bd0a4dd8f82d91204f400c8d116","name":"Peter James","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0626bfb4ada576ba5aa775322329ad47?s=96&d=mm&r=g","caption":"Peter 
James"},"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/peter\/"}]}},"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-SQ","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/3400"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=3400"}],"version-history":[{"count":2,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/3400\/revisions"}],"predecessor-version":[{"id":50158,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/3400\/revisions\/50158"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=3400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=3400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=3400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}