Trojan-Downloader:OSX/Flashback.I is a variant of the Trojan-Downloader:OSX/Flashback malware that connects to a remote site to download its payload; on successful infection, the malware modifies targeted webpages displayed in the web browser.
11 April 2012: F-Secure now provides a free removal tool that automates the detection and removal of Flashback variants from an infected machine.
Further information and download of the tool is available in the following Labs Weblog post:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Trojan-Downloader:OSX/Flashback.I is dropped by malicious Java applets that exploit the known CVE-2011-3544 vulnerability.
On execution, the malware will prompt the unsuspecting user for the administrator password. Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.
If infection is successful, the malware will modify the contents of certain webpages displayed by web browsers; the specific webpages targeted and changes made are determined based on configuration information retrieved by the malware from a remote server.
On execution, the malware checks if the following path exists in the system:
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
The malware connects to the following URL to download its payload:
The filename and actual content of the payload depends on reply of the remote host. The reply is compressed and encrypted but the actual content follows this format:
Only after downloading the payload does Flashback.I proceed with infecting the machine. To do so, the malware prompts for the administrator password, as in the following screenshot:
The icon indicated by the red box in the screenshot is the PNG content returned by the remote host. This is dropped to the location '/tmp/.i.png' on the system. Since this image is controlled by the remote host, it can be changed any time the author deems necessary.
Whether or not the user inputs their administrator password at the prompt determines the type of infection the malware subsequently performs:
If the user inputs their administrator password, the malware will create the following files:
The malware then creates a launch point, inserting the following line into "/Applications/Safari.app/Contents/Info.plist":
This in effect will inject binary2 into Safari when the browser is launched.
If the malware was able to infect the system this way, it reports success to the following URL:
If it failed to infect the system, the malware reports to the following URL:
In cases where the user did not input their administrator password, the malware checks if the following path exists in the system:
If any of these are found, the malware again skips the rest of its routine and proceeds to delete itself, presumably to avoid infecting a system that has an incompatible application installed.
If none of the incompatible applications are found, the malware will create the following files:
The malware then creates a launch point by creating "~/.MacOSX/environment.plist", containing the following lines:
This in effect will inject binary2 into every application launched by the infected user.
For this infection type, the malware reports the successful infection to the following URL: