Thursday, April 26, 2012

New Flashback Variant Emerges To Plague Unpatched Macs

Security firm Intego has discovered a new variant of the Flashback malware, called Flashback.S. This new variant continues to make use of the Java vulnerability that Apple patched earlier this month.

What's different about Flashback.S is that it installs without prompting the user for a password (the earlier version asked for one, but did not actually require it in order to install). Flashback.S installs files into the following locations:


After installation, the malware deletes all files and folders in the ~/Library/Caches/Java/cache folder, presumably to remove traces of the exploit and avoid detection.

Interestingly, this malware checks whether Intego VirusBarrier X6, Apple's Xcode development platform, or Little Snitch is installed on the Mac. If it finds any of these programs, it aborts the installation.

All that's needed to become infected with this malware is for a Mac user with unpatched Java to visit a website serving the malicious code (the sites involved are believed to be hacked WordPress blogs) using the Safari browser. It's that simple: there's nothing to click on and no password prompt.

Flashback infections are falling, but there are obviously still enough Mac users who have not applied the Java patch to make it worthwhile for the bad guys to develop and release this new variant.

Don’t be one of those people! If you’ve not done so already, you need to patch your system immediately! The easiest way to do this is to fire up Software Update and bring in all the updates your system needs.

If you've already patched your system, congratulations: you're safe from this variant. However, there are still a few steps that you might like to take to give yourself added protection.

First, I recommend that you download and install antivirus software. Sophos Anti-Virus for Mac Home Edition and ClamXav 2 are both excellent products and won’t set you back a dime. If you’d rather go for a paid-for solution then I suggest that you take a look at Intego’s VirusBarrier X6 or Internet Security Barrier X6.

Then, I recommend disabling Java in your Mac's web browser. If you don't use Java at all (not many people do nowadays, which is why Apple doesn't include it with OS X 10.7 'Lion'), then I recommend uninstalling it completely so you get rid of a serious source of vulnerabilities.
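To make those checks concrete, here is a small triage script written for this post; it is an added example, not code from the original article or from Intego. It reports the things a responder would want to know from the description above: whether Java is enabled in Safari, whether any of the three programs that make Flashback.S abort (VirusBarrier X6, Xcode, Little Snitch) are present, and whether ~/Library/Caches/Java/cache exists but is empty, which is consistent with the post-install wipe the article describes. The application bundle paths, the Java runtime path, and the `WebKitJavaEnabled` Safari preference key are assumptions about typical 2012-era installs, not facts from the post, and the sample directory layout is constructed for the demo.

```python
"""Flashback.S triage: are the post's mitigations in place, and is there an
emptied Java cache worth a second look?  Added example, not from the article."""
import os
import subprocess
import tempfile

# The cache folder the article says Flashback.S wipes (relative to the home dir).
JAVA_CACHE = "Library/Caches/Java/cache"
# Assumed location of Apple's Java runtime (relative to the system root).
JAVA_RUNTIME = "System/Library/Java/JavaVirtualMachines"
# Assumed install paths of the three programs whose presence aborts the install.
ABORT_APPS = {
    "Intego VirusBarrier X6": "Applications/VirusBarrier X6.app",
    "Xcode": "Applications/Xcode.app",
    "Little Snitch": "Library/Little Snitch",
}


def installed_abort_apps(root="/"):
    """Names of the 'abort' programs found under root, in ABORT_APPS order."""
    return [name for name, rel in ABORT_APPS.items()
            if os.path.exists(os.path.join(root, rel))]


def java_cache_state(home):
    """'missing' if the cache folder is absent, 'empty' if present but bare
    (what the post-install wipe leaves behind), otherwise 'populated'."""
    path = os.path.join(home, JAVA_CACHE)
    if not os.path.isdir(path):
        return "missing"
    return "empty" if not os.listdir(path) else "populated"


def safari_java_enabled():
    """Read Safari's WebKitJavaEnabled preference (assumed key) via `defaults`.
    Returns True/False, or None if it cannot be read (not macOS, key unset)."""
    try:
        out = subprocess.run(
            ["defaults", "read", "com.apple.Safari", "WebKitJavaEnabled"],
            capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0:
        return None
    return out.stdout.strip() in ("1", "true", "YES")


def triage(root, home, java_in_browser):
    """Combine the observations into a list of human-readable findings."""
    findings = []
    java_present = os.path.exists(os.path.join(root, JAVA_RUNTIME))
    if not java_present:
        findings.append("Java runtime not found: the exploit has nothing to run")
    if java_in_browser:
        findings.append("Java is enabled in Safari: disable it unless you need it")
    apps = installed_abort_apps(root)
    if apps:
        findings.append("Flashback.S would abort here: " + ", ".join(apps))
    if java_present and java_cache_state(home) == "empty":
        # Not proof of infection: a Mac that never ran an applet can look the same.
        findings.append("Java cache exists but is empty: consistent with the "
                        "post-install wipe, inspect the machine further")
    return findings


def build_constructed_sample():
    """Constructed demo layout: Java installed, Xcode present, cache wiped."""
    root, home = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, JAVA_RUNTIME))
    os.makedirs(os.path.join(root, "Applications/Xcode.app"))
    os.makedirs(os.path.join(home, JAVA_CACHE))
    return root, home


if __name__ == "__main__":
    # Real run on the local machine: `/` and the current user's home directory.
    for line in triage("/", os.path.expanduser("~"), safari_java_enabled()):
        print("-", line)
    # Demo run on the constructed layout so the output is meaningful anywhere.
    for line in triage(*build_constructed_sample(), True):
        print("* (sample)", line)
```

Run it as a normal user; nothing is modified, it only reads paths and the Safari preference. Treat an empty cache as a prompt to look harder (recent browsing history, unexpected launch agents), not as a verdict.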


  1. Now we can look forward to Dave making a post for each variant --despite the fact that anyone who has accepted Apple's automatic security updates is already protected.

    But hey, it helps haters believe that Macs are extra-mega-vulnerable (even though they aren't).

  2. The truth is that Macs are pretty vulnerable. Brett's a pretty defensive guy huh? I guess he can't handle facts. Poor baby.

  3. Dude, if it's a new strain and it's bad, it should be reported on. What if the new strain circumvents the patch that fixed the old strain? Wouldn't it be helpful to know? Stop your whining and take it.

    1. Yes, if the new strain circumvents the patch it would in fact be newsworthy.

      The point is that, according to the article, THIS ONE DOESN'T, and therefore isn't.