Questions about MacOSX Malware "Flashback"
1 point by ralfd on April 6, 2012 | hide | past | favorite
I find it pretty difficult to find reliable information about this Flashback trojan. The 1600 comments in reddit/r/technology are just a large flamewar festivity. The 100 comments on hn are also not that deep. The apparent questions: How wide spread is it? How harmful/harmless? What does it do?

But also I wonder about this screenshot: http://www.f-secure.com/virus-info/v-pics/trojan-downloader_osx_flashback_i_passwordprompt.jpg

F-secure description: "The icon indicated by the red box in the screenshot is the PNG content returned by the remote host. This is dropped to the location '/tmp/.i.png' on the system. Since this image is controlled by the remote host, it can be changed any time the author deems necessary."

How was the image in the red box drawn in the window? Is this a Java-based installer? Also I am curious about the installation without admin password: Is this the Java exploit? Or is this Cancel-Button just a trick? Obviously the window doesn't have a red close circle, so my guess is one would only avoid infection if the process was killed in activity monitor? That said: what application name does the installation window show in the top menu bar? (I guess "Java"?)

There is a detailed explanation from F-secure of how the functions CFReadStreamRead and CFWriteStreamWrite are hijacked from a dynamic library (the malware payload) through an environment variable in DYLD_INSERT_LIBRARIES: http://www.f-secure.com/weblog/archives/00002336.html

But I also found this (somewhat snarky) explanation that Flashback (at least its variants A and B) is too stupid to work effectively and that f-secure is concealing this little fact, because "/usr/bin/env" ignores entries in the environment.plist beginning with "DYLD", so DYLD_INSERT_LIBRARIES is simply not working. http://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.macmark.de%2Fblog%2Fosx_blog_2011-10-d.php

I am confused. Any thoughts about that?
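Whether or not the launch path the post quotes actually honours it, the persistence mechanism the F-secure write-up describes (a DYLD_INSERT_LIBRARIES entry in the user's environment.plist, or the same key under a launchd plist's EnvironmentVariables dictionary) is straightforward to audit for. The following is an added example written for this thread, not code from the post, from F-secure or from the macmark blog: it parses plist data with the standard library and reports every DYLD_* variable it finds. The two sample plists and the library path in them are constructed for illustration; the real file locations (~/.MacOSX/environment.plist, ~/Library/LaunchAgents/*.plist) are assumed from macOS conventions of that era.

```python
"""Flag DYLD_* injection variables in macOS plist files (added example).

Two layouts are handled:
  * the flat ~/.MacOSX/environment.plist dictionary (key -> value), and
  * a launchd agent/daemon plist, whose variables live under EnvironmentVariables.
Samples below are constructed; the dylib path is a placeholder, not a real IoC.
"""
import plistlib
from typing import Mapping

DYLD_PREFIX = "DYLD_"


def dyld_entries_from_mapping(env: Mapping) -> list[tuple[str, str]]:
    """Return sorted (key, value) pairs whose key starts with DYLD_."""
    return sorted(
        (key, str(value))
        for key, value in env.items()
        if isinstance(key, str) and key.startswith(DYLD_PREFIX)
    )


def dyld_entries_from_plist(data: bytes) -> list[tuple[str, str]]:
    """Parse plist bytes and report DYLD_* keys at the top level or under
    EnvironmentVariables. Non-dictionary plists yield nothing."""
    root = plistlib.loads(data)
    if not isinstance(root, dict):
        return []
    candidates = dict(root)
    env = root.get("EnvironmentVariables")
    if isinstance(env, dict):
        candidates.update(env)
    return dyld_entries_from_mapping(candidates)


# Constructed sample: a flat environment.plist carrying an injection entry.
SAMPLE_ENVIRONMENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PATH</key>
    <string>/usr/bin:/bin</string>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/example/.hidden/placeholder.dylib</string>
</dict>
</plist>
"""

# Constructed sample: a launchd agent plist using EnvironmentVariables.
SAMPLE_LAUNCHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.placeholder</string>
    <key>ProgramArguments</key>
    <array><string>/usr/bin/true</string></array>
    <key>EnvironmentVariables</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Users/example/.hidden/placeholder.dylib</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample: a benign environment.plist with no DYLD_* keys.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PATH</key>
    <string>/usr/bin:/bin</string>
</dict>
</plist>
"""


def report(name: str, data: bytes) -> int:
    """Print findings for one plist and return the number of hits."""
    hits = dyld_entries_from_plist(data)
    for key, value in hits:
        print(f"{name}: {key} = {value}")
    if not hits:
        print(f"{name}: no DYLD_* entries")
    return len(hits)


if __name__ == "__main__":
    # On a live system you would read the real files instead of the samples, e.g.
    # Path.home() / ".MacOSX" / "environment.plist" and each LaunchAgents plist.
    report("environment.plist (sample)", SAMPLE_ENVIRONMENT_PLIST)
    report("launchd agent (sample)", SAMPLE_LAUNCHD_PLIST)
    report("clean (sample)", CLEAN_PLIST)
```

The same `dyld_entries_from_mapping` helper can be pointed at `os.environ` to check whether the current shell session already carries a DYLD_* variable, which is the other place such an entry would show up if the environment.plist were being honoured.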