Beware of false Flash Player Installers – a new Mac Trojan rises

At the recent Black Hat conference, the Mac world was warned that APTs (Advanced Persistent Threats) were going to become more commonplace. This new Mac Trojan is making the rounds disguised as the installer for Flash Player!

If you are asked to update your version of Flash, be careful about where you download the installer from. In fact, if you are at all unsure, you might be best off downloading it directly from Adobe. Otherwise you might be at risk. The new trojan has been named Bash/QHost.WB by F-Secure. Once it infects your Mac, it edits the computer’s hosts file to redirect any visit to one of Google’s sites to an IP address in the Netherlands. The result is that every time you try to visit a Google site you are redirected to a fraudulent site that looks exactly the same.

Here’s what the redirected site looks like in a browser:

The trojan is set up to continually display annoying pop-up ads once the page has been visited; however, it seems to be currently dormant.
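
A defender-side check for the hosts-file change described above, as an added example that is not from the original post or from F-Secure: it parses hosts-file text and reports entries that pin a Google name to a routable address. The sample file, the placeholder address 203.0.113.10 and the function name `find_redirects` are constructed for illustration.

```python
import ipaddress

# Constructed sample: a stock macOS-style hosts file with redirect lines appended.
# 203.0.113.10 is a documentation-range placeholder, not the trojan's real address.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.10    google.com www.google.com   # appended by fake installer
203.0.113.10    WWW.Google.co.uk.
0.0.0.0         ads.example.net
127.0.0.1       google.internal.test
"""

def find_redirects(hosts_text, watched_label="google"):
    """Return (line_no, address, hostname) for every hosts entry that pins a
    watched name to a routable address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # first field is not an IP address
        if addr.is_loopback or addr.is_unspecified:
            continue                            # local block or sinkhole, not a redirect
        for name in entry[1:]:                  # one line may carry several names
            labels = name.lower().rstrip(".").split(".")
            # Assumption: any name containing the DNS label "google" is reported,
            # which also covers country domains such as google.co.uk.
            if watched_label in labels:
                findings.append((line_no, str(addr), ".".join(labels)))
    return findings

if __name__ == "__main__":
    for line_no, addr, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On a Mac the hosts file is /etc/hosts, so `find_redirects(open("/etc/hosts").read())` runs the same check against the live file.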


Google warning users of malware infection

Google has started to issue warnings to users that they have been infected with malware. During routine maintenance of a data center, they noticed a particular repeating pattern of traffic that warranted further investigation. According to the post on the Google blog, the traffic is being generated by scareware: fake AV software which aims to funnel search requests through intermediate sites that promote fake security programs and other scams.

As a result of this activity Google is able to detect those users that are infected and will now post the following message at the top of the search results.

Along with the warning there is a link pointing to the Google Help Center offering advice on how to get rid of the infection. The question is, with so many messages in headers that we routinely ignore every day, will anyone take any notice of this message?

MacDefender leaps onto Facebook

In a desperate attempt to capture more victims before the latest Apple update kills MacDefender and MacGuard dead once and for all (for now anyway), the Mac malware has made the leap to Facebook and is now spreading virally, claiming to be a video of IMF boss Dominique Strauss-Kahn.

The malware is using a technique called clickjacking to spread. A message appears in your timeline, apparently posted by one of your friends, in this case referring to the news story of IMF chief Dominique Strauss-Kahn, who is facing charges of rape in New York. You are then invited to click a link to view a story or, in this case, a video. Instead of opening anything, however, the click triggers the malware download. Finally, the message you received is posted on your timeline to catch the next unwary viewer.
