Hi,
Protect SAV against the new ...
http://www.f-secure.com/weblog/archives/00002341.html
and all other Flashback.
greets
Hello carlos,
you'd have to wait for someone from Sophos for a definite answer. Looking at the analysis of OSX/FlshPlyr-A and OSX/FlshPlyr-B I see that both have been updated very recently (on the 2nd and 3rd). There's also OSX/FlshPlyr-C. Of course one can never say "all other" - there's always a chance that a new variant goes undetected - but you can be sure they are trying.
Christian
Christian gave a great summary.
Just for more details:
Hello phil,
the free and licensed versions are identical in terms of protection. Note that the virus-data version alone is no indicator of up-to-date protection. As new and updated detection identities are constantly issued (several times a day is not uncommon), it is important that threat detection data updates are done frequently.
Christian
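The point above is that the version number of the virus data says little by itself; what matters is how recently the detection identities on disk were refreshed. The following Python script is an added illustration and is not code from the thread or from Sophos: it looks at the modification times of the files in a definitions directory and reports whether the newest one is older than a chosen threshold. The directory path is a placeholder (the thread only says the identities live in IDE files in an IDE folder), and `make_constructed_sample` builds a throwaway directory with made-up timestamps so the check can be tried offline.

```python
import os
import tempfile
import time
from pathlib import Path

# Placeholder: the real location of the IDE folder depends on the install.
DEFINITIONS_DIR = Path("/path/to/sophos/IDE")  # assumption, not a real path


def newest_definition_age(defs_dir, now=None):
    """Return (file_name, age_in_hours) for the most recently modified file
    in defs_dir, or (None, None) if the directory holds no files."""
    now = time.time() if now is None else now
    newest = None
    for entry in Path(defs_dir).iterdir():
        if entry.is_file():
            mtime = entry.stat().st_mtime
            if newest is None or mtime > newest[1]:
                newest = (entry.name, mtime)
    if newest is None:
        return None, None
    return newest[0], (now - newest[1]) / 3600.0


def freshness_verdict(defs_dir, max_age_hours=24.0, now=None):
    """Classify the definition set: 'fresh' if the newest file is within
    max_age_hours, 'stale' if older, 'missing' if there are no files."""
    _, age = newest_definition_age(defs_dir, now)
    if age is None:
        return "missing"
    return "fresh" if age <= max_age_hours else "stale"


def make_constructed_sample(base_time, empty=False):
    """Build a temporary directory with constructed placeholder files whose
    mtimes are set relative to base_time (seconds since the epoch)."""
    sample_dir = Path(tempfile.mkdtemp(prefix="defs-sample-"))
    if not empty:
        for name, hours_old in (("old.ide", 48), ("recent.ide", 2)):
            path = sample_dir / name
            path.write_text("constructed placeholder, not real identity data\n")
            stamp = base_time - hours_old * 3600
            os.utime(path, (stamp, stamp))
    return sample_dir


if __name__ == "__main__":
    # Demonstration on the constructed sample rather than a real install.
    demo_now = time.time()
    sample = make_constructed_sample(demo_now)
    name, age = newest_definition_age(sample, now=demo_now)
    print(f"newest file: {name}, {age:.1f} hours old")
    print("verdict (24h threshold):", freshness_verdict(sample, 24.0, demo_now))
    print("verdict (1h threshold):", freshness_verdict(sample, 1.0, demo_now))
```

Pointing `DEFINITIONS_DIR` at the actual identity folder and running the check from a scheduled job gives a simple "are my definitions being refreshed?" signal that does not rely on reading a version string.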
I don't know about anybody else, but I don't need more drama in my life. I read the CNET article about Flashback a couple of days ago and went googling for a detection/solution article that could be implemented by a non-geek... much frustration. Went to the Sophos board and found nothing recent. Spent a half-hour on the phone with Apple and got precisely nowhere (natch).
I eventually found a poor (the Russian website) and a good (a user-written script) detection method; it appears my systems are clean.
However, it would have been a great blessing if Sophos had simply put a little item on the main webpage saying something like "If you have Sophos installed, you can relax, we took care of the Flashback problem on [give date] and are continuing to monitor for variants that might threaten your system." Or, if necessary, "Flashback is written by some very clever and aggressive psychopaths, and we're working on it; make sure to update your malware definitions every day."
Plea to Apple and also to Sophos: Denial and Avoidance do not help people. And giving some proper info doesn't even cost much.
Things are not going to get better in the malware area. Can we have a little help here?
I suggest you follow our web blog, Naked Security.
http://nakedsecurity.sophos.com/tag/flashback/
Recent Flashback-tagged entries were posted on April 5 and 7.
We also update this website, which is the portal for the Mac Home product.
Sophos detects the Flashback family as OSX/Flshplyr; the writers of this malware are being very aggressive in their attempts to defeat most AV software, with new variants and tricks popping up every week -- while (currently) failing to install if you have analysis tools installed (XCode and Little Snitch being notable).
QC wrote: Hello carlos,
you'd have to wait for someone from Sophos for a definite answer. Looking at the analysis of OSX/FlshPlyr-A and OSX/FlshPlyr-B I see that both have been updated very recently (on the 2nd and 3rd). There's also OSX/FlshPlyr-C. Of course one can never say "all other" - there's always a chance that a new variant goes undetected - but you can be sure they are trying.
Christian
My impression is that these OSX/FlshPlyr variants are part of the anti-virus definitions, rather than stand alones. But I don't find them in any of the Sophos files on my Mac, so I'm curious about them. Just what are they, and just *where* are they?
macphile wrote:
QC wrote: Hello carlos,
you'd have to wait for someone from Sophos for a definite answer. Looking at the analysis of OSX/FlshPlyr-A and OSX/FlshPlyr-B I see that both have been updated very recently (on the 2nd and 3rd). There's also OSX/FlshPlyr-C. Of course one can never say "all other" - there's always a chance that a new variant goes undetected - but you can be sure they are trying.
Christian
My impression is that these OSX/FlshPlyr variants are part of the anti-virus definitions, rather than stand alones. But I don't find them in any of the Sophos files on my Mac, so I'm curious about them. Just what are they, and just *where* are they?
I see that these are the threat names. I should have done just a bit more research on the Sophos site before posting the above reply. Sorry for the inconvenience. Thanks to all who have posted about this new malware threat.
They're in the virus definition files... usually in the IDE files in the IDE folder. You're not going to find loose identities floating around; there are millions of identities, and they operate in all sorts of different ways.
When looking at the FlshPlyr family, the various detections actually overlap a bit, and indicate the kind of detection more than the specific release version of Flashback that is detected by them.
That said, most of the drive-by versions of Flashback will be picked up by OSX/Flshplyr-D, and if by some chance it got itself installed prior to your scan (on-access scanning disabled, for example), you'll detect the other files as OSX/Flshplyr-E. Certain edge cases could show up as OSX/FlshPlyr-B.
OSX/FlshPlyr-A generally detects on the older variants that used the PDF and Flash exploits; OSX/FlshPlyr-C detects the malicious installer itself (where the end user has to run the PKG file and intentionally install Flashback).
All identities go through continuous updating to improve both the performance of the detection scans and the proactiveness of the detection logic. The analyses also get updated from time to time, to provide more information/change the threat prevalence, etc.
I hope that helps.