Hi,
Protect SAV against the new ...
http://www.f-secure.com/weblog/archives/00002341.html
and all other Flashback.
greets
They're in the virus definition files... usually in the IDE files in the IDE folder. You're not going to find loose identities floating around; there are millions of identities, and they operate in all sorts of different ways.
When looking at the FlshPlyr family, the various detections actually overlap a bit, and indicate the kind of detection more than the specific release version of Flashback that is detected by them.
That said, most of the drive-by version of Flashback will be picked up by OSX/Flshplyr-D, and if by some chance it got itself installed prior to your scan (on-access scanning disabled, for example), you'll detect the other files as OSX/Flshplyr-E. Certain edge cases could show up as OSX/FlshPlyr-B.
OSX/FlshPlyr-A generally detects on the older variants that used the PDF and Flash exploits; OSX/FlshPlyr-C detects the malicious installer itself (where the end user has to run the PKG file and intentionally install Flashback).
All identities go through continuous updating to improve both the performance of the detection scans and the proactiveness of the detection logic. The analyses also get updated from time to time, to provide more information/change the threat prevalence, etc.
I hope that helps.