Apple Updates Anti-Malware Definitions to Address Fake Flash Player Trojan


Fake Flash Player trojan installer

While things have been relatively quiet on the malware front for OS X since a raid on Russian payment processing firm ChronoPay appeared to have taken down MacDefender nearly two months ago, one new trojan horse did pop up earlier this month. As detailed by F-Secure, the trojan known as "OSX.QHost.WB.A" masquerades as a Flash Player installer but actually adds entries to a computer's hosts file to redirect users attempting to visit certain Google sites.

Once installed, the trojan adds entries to the hosts file to hijack users visiting various Google sites (e.g., Google.com.tw, Google.com.tl, et cetera) to the IP address 91.224.160.26, which is located in Netherlands.

The server at the IP address displays a fake webpage designed to appear similar to the legitimate Google site.

Search results on the fake Google pages actually lead to pop-up windows that load external content which was broken at the time of discovery but presumably consisted of advertisements of some sort. While the threat as implemented at the time of discovery was relatively mild, inexperienced users falling for the trojan could find themselves unaware of what had happened to their systems and how to fix the hijacked routing added by the malware.


Consequently, Apple earlier this week made its first significant addition to its "XProtect.plist" file since the spate of MacDefender variants surfaced in June. The XProtect.plist file contains malware definitions to enable users' systems to recognize and warn users of malicious downloads, a feature that debuted with Mac OS X Snow Leopard back in 2009.

The original anti-malware system required manual updates to account for new threats, and as such was updated only rarely by Apple as part of larger software updates. But with an Apple software update issued in response to the MacDefender threat earlier this year, Mac OS X systems are now able to make daily checks for updates to that file to ensure up-to-date protection against malware.

Top Rated Comments

(View all)
Avatar
115 months ago
Let's get this out of the way right now : This is not an OS X virus.
Score: 36 Votes (Like | Disagree)
Avatar
115 months ago
Awesome, I was not aware that it updated daily.

And yes, this is not a virus. This is malware.
Score: 11 Votes (Like | Disagree)
Avatar
115 months ago
No, it's not a "virus". It's a trojan. You think it's good, but its bad. (heh... depending on if you think "flash" is "good").

A question I have though, is under what conditions should ANY software modify the hosts file? Should Apple even allow programs that have been granted administrative rights to alter the hosts file? There is only a very limited benvolent use case for such an action, and that very related to what they did here: some anti-ad or anti-spyware utilities modify a host file to redirect known ad-producing domains to a "safe" domain. I personally think any modification of the host file should be given a warning like this:

The program _____ is trying to update a core Mac OS X system file that is used to provide network connectivity. While online advertisement blocking programs may require legitimate use of this file, most others applications may represent an attempt to install malicious software onto your computer. Are you sure you want to allow program _____ to modify this file?

Score: 9 Votes (Like | Disagree)
Avatar
115 months ago
Funny.... I updated Flash yesterday on my kids' Mac mini and I thought that writing a Trojan that masquerades as an update to Flash would be brilliant since Flash is updated so often and getting prompted that you need to update Flash to view a website is very common..... And then today, here it is.
Score: 8 Votes (Like | Disagree)
Avatar
115 months ago

That's why you need to disable flash. :p


This has nothing to do with Flash.
Score: 8 Votes (Like | Disagree)
Avatar
115 months ago
Been out of the loop for 10 weeks and MacRumors is getting my up to speed fast. I love this site.
Score: 8 Votes (Like | Disagree)

Top Stories

'This App is No Longer Shared' iOS Bug Preventing Some Apps From Opening

Friday May 22, 2020 3:58 pm PDT by
An app bug is causing some iOS users to be unable to open their apps, with affected iPhone and iPad users seeing the message "This app is no longer shared with you" when attempting to access an app. There are multiple complaints about the issue on the MacRumors forums and on Twitter from users who are running into problems. A MacRumors reader describes the issue:Is anyone else experiencing...

Apple Memorial Day Deals: Shop the Best Apple Accessory Sales From Twelve South, eBay, Anker, Mophie, and More

Friday May 22, 2020 6:39 am PDT by
We're now just a few days away from Memorial Day on Monday, May 25, and numerous retailers have opened up discounts in celebration of the holiday. This includes sales on helpful Apple-related accessories like Anker's portable batteries, Beats headphones at eBay, Incase and Incipio's protective iPad and iPhone cases, Mophie's iPhone battery cases, JBL's Bluetooth speakers, and much more. Note:...

Former iOS Chief Scott Forstall Shares Intriguing Story of His Interview With Steve Jobs at NeXT

Friday May 22, 2020 4:01 am PDT by
Former Apple executive and iOS chief Scott Forstall made a rare public appearance this week at Code.org's virtual Code Break event, and in between classes, Forstall shared the intriguing story of how he was hired by Steve Jobs. Forstall revealed that he had been considering working at Microsoft when he went to interview at NexT, the company started by Jobs after he had left Apple. Forstall...

'Apple Glass' Rumored to Start at $499, Support Prescription Lenses, and More

Tuesday May 19, 2020 6:30 am PDT by
Front Page Tech host and leaker Jon Prosser today shared several alleged details about Apple's rumored augmented reality glasses, including an "Apple Glass" marketing name, $499 starting price, prescription lens option, and more. The marketing name will be "Apple Glass" The glasses will start at $499 with the option for prescription lenses at an extra cost There will be displays in both...

Apple's 'Bounce' AirPods Ad Wins 'Best of Advertising' Award

Friday May 22, 2020 10:09 am PDT by
Apple's creative "Bounce" ad designed to highlight the AirPods took top honors in the 99th annual ADC (Art Director's Club) awards for advertising, earning the "Best of Discipline" award along with two Gold Cube awards in the craft in video and branded content categories. Released in June 2019, the ad features a bored man who pulls his AirPods off of their wireless charging pad and then pops ...

Apple's 'AirPods Studio' Over-Ear Headphones Have Reportedly Kicked Off Production

Friday May 22, 2020 7:03 am PDT by
We've been hearing quite a bit recently about Apple's long-rumored over-ear headphones, said to be called "AirPods Studio," and it looks like a launch may be coming in the relatively near future. Artist mockup based on Beats Studio3 Rumors have generally suggested a summer or fall launch for AirPods Studio, with a report earlier this week claiming that suppliers in Vietnam will begin...

Top Stories: Apple Glass and iPhone 12 Rumors, iOS 13.5 Update, and More!

Saturday May 23, 2020 6:00 am PDT by
It was another big week for rumors this week, with a flurry of reports about Apple's augmented reality glasses, the iPhone 12, and Apple's "AirPods Studio" over-ear headphones. This week also saw the release of iOS 13.5, bringing a number of health-related updates to Apple's mobile devices. Subscribe to the MacRumors YouTube channel for more videos. Other topics of interest this week included ...

Apple Releases iPadOS and iOS 13.5 With Exposure Notification API, Face ID Mask Updates, Group FaceTime Changes and More

Wednesday May 20, 2020 10:00 am PDT by
Apple today released iOS and iPadOS 13.5, major updates that come more than a month after the launch of iOS and iPadOS 13.4.1. iOS 13.5 is a major health-related update that brings many features related to the ongoing public health crisis. The iOS and ‌‌iPadOS‌‌ 13.5 updates are available on all eligible devices over-the-air in the Settings app. To access the updates, go to Settings...

Jon Prosser Claims Apple is Working on 'Steve Jobs Heritage Edition' AR Glasses, Gurman Calls Rumor 'Complete Fiction'

Thursday May 21, 2020 4:50 pm PDT by
Apple is working on a limited-edition version of its augmented reality smart glasses that's designed to look like the round, frameless glasses that Steve Jobs was famous for wearing, according to Jon Prosser. Prosser, who runs YouTube show Front Page Tech and who has been sharing a flood of Apple rumors in recent weeks, mentioned the detail in Cult of Mac's latest Cultcast podcast....

T-Mobile and Sprint Offering Free iPhone SE With Trade-In

Thursday May 21, 2020 1:14 pm PDT by
T-Mobile is launching a Memorial Day promotion that will see the company offering a free iPhone SE to customers who trade in an eligible older smartphone in good condition. From Friday to Monday, customers who trade in an existing smartphone can get a free iPhone SE (sales tax still needs to be paid) or up to $500 off a Samsung Galaxy S20. The free iPhone SE will be provided in the form...