Apple Updates Anti-Malware Definitions to Address Fake Flash Player Trojan

Image: Fake Flash Player trojan installer

While things have been relatively quiet on the malware front for OS X since a raid on Russian payment processing firm ChronoPay appeared to have taken down MacDefender nearly two months ago, one new trojan horse did pop up earlier this month. As detailed by F-Secure, the trojan known as "OSX.QHost.WB.A" masquerades as a Flash Player installer but actually adds entries to a computer's hosts file to redirect users attempting to visit certain Google sites.

Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in the Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.

Search results on the fake Google pages actually lead to pop-up windows that load external content, which was broken at the time of discovery but presumably consisted of advertisements of some sort. While the threat as implemented at the time of discovery was relatively mild, inexperienced users falling for the trojan could be left unaware of what had happened to their systems and how to fix the hijacked routing added by the malware.

Consequently, Apple earlier this week made its first significant addition to its "XProtect.plist" file since the spate of MacDefender variants surfaced in June. The XProtect.plist file contains malware definitions to enable users' systems to recognize and warn users of malicious downloads, a feature that debuted with Mac OS X Snow Leopard back in 2009.

The original anti-malware system required manual updates to account for new threats, and as such was updated only rarely by Apple as part of larger software updates. But with an Apple software update issued in response to the MacDefender threat earlier this year, Mac OS X systems are now able to make daily checks for updates to that file to ensure up-to-date protection against malware.
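
The hosts-file redirection described above can be checked for with a short audit script. This is an added example, not code from the article, Apple or F-Secure; the watched-domain list and the sample hosts content are constructed for illustration, and the redirect IP is the one quoted in the article.

```python
import ipaddress

# Assumption: domains to watch. The article names Google.com.tw and
# Google.com.tl as examples; extend this tuple for your own environment.
WATCHED_SUFFIXES = ("google.com", "google.com.tw", "google.com.tl")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            # Strip an IPv6 zone suffix such as fe80::1%lo0 before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue                             # not an address: skip line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text):
    """Return mappings that send a watched domain to a non-local address.

    Loopback and 0.0.0.0 targets are the ad-blocker sinkhole pattern and
    are not reported; anything else overrides DNS for that name.
    """
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text)
            if is_watched(name) and not (ip.is_loopback or ip.is_unspecified)]

# Constructed sample: stock macOS entries, a sinkhole entry, and redirects
# of the kind the article describes.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
0.0.0.0         ads.example.net   # sinkhole entry
91.224.160.26   google.com.tw www.google.com.tw
91.224.160.26   Google.com.tl   # redirect
# 91.224.160.26 google.com   (commented out, ignored)
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live system, pass the contents of `/etc/hosts` to `suspicious_entries` instead of the sample string.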

Top Rated Comments

KnightWRX
121 months ago
Let's get this out of the way right now: This is not an OS X virus.
Score: 36 Votes
Stridder44
121 months ago
Awesome, I was not aware that it updated daily.

And yes, this is not a virus. This is malware.
Score: 11 Votes
longofest
121 months ago
No, it's not a "virus". It's a trojan. You think it's good, but it's bad. (heh... depending on if you think "flash" is "good").

A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benevolent use case for such an action, and that is very related to what they did here: some anti-ad or anti-spyware utilities modify a hosts file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the hosts file should be given a warning like this:

The program _____ is trying to update a core Mac OS X system file that is used to provide network connectivity. While online advertisement blocking programs may require legitimate use of this file, most other applications may represent an attempt to install malicious software onto your computer. Are you sure you want to allow program _____ to modify this file?

Score: 9 Votes
BC2009
121 months ago
Funny.... I updated Flash yesterday on my kids' Mac mini and I thought that writing a Trojan that masquerades as an update to Flash would be brilliant since Flash is updated so often and getting prompted that you need to update Flash to view a website is very common..... And then today, here it is.
Score: 8 Votes
Sjhonny
121 months ago

That's why you need to disable flash. :p


This has nothing to do with Flash.
Score: 8 Votes
devilstrider
121 months ago
Been out of the loop for 10 weeks and MacRumors is getting me up to speed fast. I love this site.
Score: 8 Votes
