New Insidious Malware

I’ve been hearing from folks who report that their browser (it happens in more than one browser) suddenly has a different home page and uses a different search engine, apparently always Google. Attempting to switch these settings back to normal doesn’t stick.

The fascinating thing is how this malware gets you. Other than the above changes, users’ browsers work just fine. Nothing else untoward seems to be happening.

So what folks tend to do is to Google how to get rid of a virus that changes your search engine. This is where the bad guys did something brilliant. Suddenly, as of a few days ago, a bunch of new Web sites appeared offering instructions on how to remove this “virus”. But all of those Web sites come from previously unknown entities…and they all recommend downloading very questionable software (often commercial software, to add insult to injury), to clean the infection. It’s that software, that users have downloaded entirely volitionally, that I suspect is the real danger. Brilliant how they get users to download it.

I suspect that this new “virus” (actually a Trojan Horse) is being disseminated like so many others for the Macintosh: via a fake Adobe Flash installer.

So, as always, NEVER install or update Flash any way other than:

  1. Via the Flash Player pane (under the Updates tab) in System Preferences on your Mac
    or
  2. Directly from Adobe:
    http://get.adobe.com/flashplayer/

NEVER, EVER update Flash by clicking on something in a pop-up window, or from a notice on a Web site, or from a Flash installer that a Web site automatically downloads to your hard drive, or from a Flash installer that you find in your Downloads folder that you didn’t expect to be there or that you didn’t just download from Adobe’s Web site.


Alternately, never, ever install Flash at all and if you have, use Adobe’s Flash uninstaller to remove it.

If you must use Flash content on a site, visit it using the Chrome browser, which has it built-in and will take care of updating Flash automatically.


All good suggestions, but that uninstaller will do absolutely nothing to counteract what Randy is talking about. This new Trojan approach does not use or have anything to do with the legitimate Flash Player, so the popup telling you to update Flash Player must be ignored and if you didn’t do that, then you almost certainly were infected.

Flash Player is almost history. It will receive zero support with respect to security updates (feature updates and regular bugs haven’t been done for some time now) at the end of this year. As almost everybody here has said multiple times, if you don’t need Flash Player for some essential work, uninstall it and ignore any and all notices to install or update it. If you must have it contact the developer who requires it and tell him to update to a different solution ASAP or if their software has been abandoned, find a different one.


Alternately, never, ever install Flash at all

Folks have tried advocating that on various discussion lists and in user groups. The thing is, Flash is still common on the Web. Some folks have businesses with portals that require Flash, others have to access government sites that use Flash. Others just want to see content on news sites that still use Flash. I’m not sure that one is doing a service to users by telling them not to install, or to uninstall Flash at this point in time. After uninstalling Flash users are distressed when Web sites won’t work properly for them.

It’s not hard to teach folks to simply avoid installing Flash (or Flash updates) via insecure means. At least for now. Things are likely to change drastically by this time next year.

If you must use Flash content on a site, visit it using the Chrome browser, which has it built-in and will take care of updating Flash automatically.

I’m also not sure that it’s a good idea to recommend that folks switch to a browser from a company whose business plan is to track users and collect, aggregate, and sell their personal information. It might be best to instead recommend that folks switch to a browser based on Chromium, but with all of Google’s spyware stripped out, which also includes added security, such as Brave.

And I’ve tried to do the latter. What I’ve found is that, overwhelmingly, everyday Mac users tend to be really wedded to Safari purely because it comes from Apple. Telling them to switch browsers usually falls on deaf ears.


So…how do we know if we got infected and how to get rid of it?

I’ve noticed that I started getting a lot of page redirects lately…especially from digg.com…that have the Update Flash thing. I’ve not got it installed at all, and I’m smart enough not to run randomly suggested installers, and I don’t visit dodgy sites. I figured that something had been dumped on the sites that digg links to, but maybe not.

I had previously uninstalled Malwarebytes since it’s got that pesky menubar icon you can’t get rid of…but reinstalled the latest version and checked and it shows no malware.

In the General section of its Preferences, there is a “Hide application icon” switch that can be set to get rid of the menubar icon.

Tried that and it only hides it in the Dock for me, I thought…but I will try it again when I’m on the Mac and not the iPad.

In general I try to tell all people to ignore any popup telling them to upgrade or download something. If I get a notice about something needing an update I can always navigate to the specific app or service (e.g. the Java sys pref) and check myself whether an update is actually required. If it’s an OS update I can check in the SU sys pref myself too. I’m not aware of any situation where you’d need to follow a popup right then and there, and if you don’t you’d actually miss something you can’t fix on your own later.

Kind of similar to URLs in emails. While it’s convenient to click on them, to the untrained eye it’s far more secure to instead punch the URL into a browser yourself. Only then will you know with certainty where you are going.

Personally, I get along perfectly well without Flash. I realize some might need it for specific websites. I think in such a case using Chrome is indeed the lesser of two evils. I deleted Chrome from my systems a while ago (because I don’t agree with Google’s behind my back approach to updating, and I certainly don’t trust the company), but if I absolutely needed to get onto a Flash site, I’d probably install Chrome for that specific task. I will never ever again install Flash.


Or use Firefox and configure Flash for “ask to activate” so it will only run on the web sites where you actually need it and nowhere else.

Or do what I do - use Firefox and configure it for “never activate” so it won’t run at all unless I explicitly go and re-enable it, which I rarely need to do. This way flash-optional web sites won’t see the installation and ask me to enable it.

Flash usage is now below 3%, I’d say it’s uncommon (Chrome trends, W3Techs statistics). My guess is the vast majority of people will do just fine without Flash installed.

Firefox is a good browser, but it doesn’t automatically include and update the Flash plugin; that was the point of my suggestion to use Chrome for Flash content.


Tried again and I must have misread it…menu icon gone now. Still wonder why I’m getting all the Flash update web pages though.

The only way to avoid those is with a good adblocker extension. Almost all such pop-ups are caused by JavaScript that has been embedded in an advertisement on the page you visit, not anything on your computer. Even big-name sites have experienced such ads at one time or another.

This new Trojan is an exception to what most users experience.


Safari has that same capability.


Thanks for your note. I’ve noticed an increase in fake notices to update Flash and so have some of my staff. I have warned all staff to ignore these warnings and warnings that their Norton Anti-Virus has expired. Of course not everyone in my office reads my emails.


With regard to this new Trojan, folks who are infected with it are noticing that they suddenly have a new preferences pane in System Preferences: “Profiles”. Delete any profiles in that new preferences pane, and reportedly the Trojan is gone.


Ads are becoming more and more intrusive on the Web. I’ve been suggesting that users might want to switch to this fairly new, awesome Web browser that will block ads without the need for extensions. And it’s FAST!

Brave (free)

Agreed. I personally don’t like Google’s habit of auto-updating everything. But if you want it, the Flash preference panel will let you configure it to auto-update, making it pretty much the same as what Chrome gives you.

Be careful! The Profiles preference pane is a legitimate part of macOS, it’s the user interface for configuration profiles, typically installed by administrators of many Macs (at a school or on work computers). I have seven profiles on my work computer (2 for enterprise WiFi networks, 2 from Jamf Pro aka Casper, 2 from ESET antivirus, and 1 from intrusion detection software), some are merely to pre-approve application kernel extensions so each user doesn’t have to manually approve them.

My personal Mac doesn’t have any configuration profiles installed so it doesn’t show the Profiles preference pane; a home computer is far less likely to have a legitimate configuration profile installed but it’s possible (you can install them yourself). If someone sees a warning about the Profiles they might look in their Preferences and exclaim “I never had a Profiles pane before!” when in fact they did have it before and it was legitimate, they just didn’t notice.

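The two posts above disagree about whether a new entry in the Profiles pane is evidence of this Trojan or just an unnoticed, legitimate configuration profile. A quicker way to settle it than eyeballing the pane is to dump the installed profiles and look at what their payloads actually set: a profile that pins a browser’s home page or default search engine is the kind of thing the first post describes, while a Wi-Fi or kernel-extension profile from an employer is not. The script below is an added example written for this thread, not code from any poster or from the malware itself. It assumes (unverified here) that on macOS `sudo profiles show -output stdout-xml` (newer releases) or `sudo profiles -C -o stdout-xml` (older releases) prints installed profiles as an XML plist whose top-level arrays hold profile dictionaries with `ProfileIdentifier`, `ProfileDisplayName`, `ProfileInstallDate` and `ProfileItems` keys; the embedded sample plist is constructed for the example and is not a capture of the Trojan. The policy key names it searches for (`HomepageLocation`, `DefaultSearchProviderSearchURL`, …) are the Chrome/Chromium managed-policy names, which Brave also honours.

```python
"""Triage macOS configuration profiles for browser home-page / search-engine policies.

Added example for this thread; not the malware and not any poster's code. The
`profiles` command syntax and the plist layout below are assumptions (see lead-in).
"""
import plistlib
import subprocess
import sys

# Chrome/Chromium managed-policy keys that control home page, startup pages and
# the default search engine (Brave reads the same names).
BROWSER_POLICY_KEYS = {
    "HomepageLocation", "HomepageIsNewTabPage", "RestoreOnStartupURLs",
    "DefaultSearchProviderEnabled", "DefaultSearchProviderName",
    "DefaultSearchProviderSearchURL", "ExtensionInstallForcelist",
}

# Constructed sample: one legitimate-looking Wi-Fi profile and one profile whose
# payload forces a home page and search URL. Not a real capture.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileIdentifier</key><string>com.example.corp.wifi</string>
      <key>ProfileDisplayName</key><string>Corporate Wi-Fi</string>
      <key>ProfileInstallDate</key><string>2019-03-04 10:22:00 +0000</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key><string>com.apple.wifi.managed</string>
          <key>PayloadContent</key><dict><key>SSID_STR</key><string>CorpNet</string></dict>
        </dict>
      </array>
    </dict>
    <dict>
      <key>ProfileIdentifier</key><string>com.example.suspicious</string>
      <key>ProfileDisplayName</key><string>Chrome Settings</string>
      <key>ProfileInstallDate</key><string>2020-06-21 02:13:00 +0000</string>
      <key>ProfileItems</key>
      <array>
        <dict>
          <key>PayloadType</key><string>com.google.Chrome</string>
          <key>PayloadContent</key>
          <dict>
            <key>HomepageLocation</key><string>http://search.example.invalid/</string>
            <key>DefaultSearchProviderEnabled</key><true/>
            <key>DefaultSearchProviderSearchURL</key><string>http://search.example.invalid/?q={searchTerms}</string>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def _walk(obj):
    """Yield every dict nested anywhere in a plist object. Walking recursively means
    both a direct com.google.Chrome payload and an MCX-style
    com.apple.ManagedClient.preferences payload (keys buried under Forced /
    mcx_preference_settings) are found without modelling each layout."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from _walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)


def find_browser_policy_profiles(plist_bytes):
    """Return [(identifier, display_name, install_date, {policy_key: value}), ...]
    for every profile whose payloads set any browser home-page/search policy."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for level in data.values():  # "_computerlevel" or a per-user key
        if not isinstance(level, list):
            continue
        for profile in level:
            found = {}
            for d in _walk(profile.get("ProfileItems", [])):
                for key, value in d.items():
                    if key in BROWSER_POLICY_KEYS:
                        found[key] = value
            if found:
                hits.append((profile.get("ProfileIdentifier", "?"),
                             profile.get("ProfileDisplayName", "?"),
                             str(profile.get("ProfileInstallDate", "?")),
                             found))
    return hits


def load_installed_profiles():
    """macOS only: try both assumed `profiles` invocations (needs sudo for computer-level
    profiles) and return the XML plist bytes, or None if neither works."""
    if sys.platform != "darwin":
        return None
    for cmd in (["profiles", "show", "-output", "stdout-xml"],
                ["profiles", "-C", "-o", "stdout-xml"]):
        try:
            out = subprocess.run(cmd, capture_output=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue
        if out.strip():
            return out
    return None


if __name__ == "__main__":
    hits = find_browser_policy_profiles(load_installed_profiles() or SAMPLE_PLIST)
    if not hits:
        print("No installed profile sets a browser home page or search policy.")
    for ident, name, when, keys in hits:
        print(f"{ident} ({name}), installed {when}:")
        for key, value in keys.items():
            print(f"    {key} = {value}")
```

Run it with `sudo python3` on the Mac in question; off macOS it falls back to the constructed sample so the logic can be exercised anywhere. A hit is not proof of infection on its own: a Jamf- or school-managed Mac can legitimately push Chrome policies, so compare the `ProfileInstallDate` with when the browser changes started and ask whoever manages the machine. If nobody does, removing the profile by identifier (`sudo profiles remove -identifier <id>` on recent macOS, `sudo profiles -R -p <id>` on older ones; confirm against `man profiles` for your release) is what the earlier post reports as clearing the symptom, and the browser settings should then stick again.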

I just came across it a few days ago, trying to view an old map of Galway. I’ve often found it still around for files from museums like that.

I’m a Mac consultant. I totally agree with your comment about ignoring any popups.