I just downloaded Adobe Flash Player 11 Installer from Adobe's site. Sophos flagged it as a trojan. I really, really, REALLY doubt that Adobe is hosting malware.
Hello Charles,
scanning is not a trial but a protective measure and doubt is advisable in the opposite direction. Incredible is often the first reaction when hearing stories like Security firm RSA warns that its servers have been hacked, Malware compromises USAF Predator drone computer systems or Security breach: Kernel.org and Linux Foundation remain "temporarily unavailable". And Adobe Flash security update for Windows, Mac, Android, Linux and Solaris users for example shows that Adobe is (like the rest of us) not perfect. So why should it be unthinkable that a major vendor's site is (temporarily) compromised? OTOH no one doubts or denies the existence of false positives. But doubt should be used very carefully in a "final decision".
Unfortunately your post is lacking most details. First - which trojan was (perhaps falsely) detected? Second - what has been scanned? Even assuming you've downloaded the installer for your OS, as this is the MacHomeAV forum there are two downloads. Third - which version of Sophos? Using 7.3.4 I've scanned both the MacOS as well as some Windows downloads and none has been flagged. Of course if it was a false positive it's very likely that a correction has been issued in the meantime (and if indeed it was on Adobe's site - which I more than doubt as it would be in the news by now - it could have been replaced). There is a third possibility: you haven't visited Adobe's site (which I don't imply - but that's how the Flashback trojan is distributed).
If you think you've encountered a false positive you should submit a sample.
Christian
The Trojan was, allegedly, Flashplayer-A. See screen shot, attached.
What was scanned was the DMG file I downloaded from Adobe. The Sophos version was the latest, 7.3.4C, 3 Oct. See screenshot, attached.
I got the download by going to <http://get.adobe.com/flashplayer/>, which sure 'nuff looks like Adobe's site to me.
The DMG will be sent to your sample site.
The version available from get.adobe.com/flashplayer is "install_flash_player_osx_intel.dmg/Install Adobe Flash Player.app/Contents/Resources/Adobe Flash Player.pkg". This is the file you submitted, and we do not detect it.
The one in your Quarantine Manager is being picked up from your Time Machine backup from before Adobe released Flash Player 11; it has the same name as the Flashback trojan horse mentioned earlier in this thread, and is not related to the file you submitted.
Interesting. I went and had a closer look at my Downloads folder after I read that, and found this:
There are several DMG installers, and a stand-alone PKG file which I don't recall downloading. The Adobe DMGs have the correct dates, the PKG shows a date of 7 Oct and a date indicating that it was added to the folder on the 12th, or this morning. Which would be several hours _after_ Sophos flagged it last night. There's something _very_ strange going on here. Has that thing been there since the 7th? Why did Sophos only spot it _after_ I downloaded the DMG from Adobe? Why does it have a date added of the 12th, at least 3 hours after Sophos flagged it? And, most important, did it get installed and if so how do I get rid of it?
To answer your last question first: Do you have "Open 'safe' files after downloading" disabled? If so, you're fine, nothing executed. If not, you're fine as long as you never clicked install for the fake Adobe installer window....
As for the others, try going to terminal.app, typing mdls and dragging the file to the command line. Then press return, and check the *actual* date stamps associated with the file. Not only will you get the date created and modified listed in the Finder, you'll also get date added, date content last changed, and date created on your system. Check the link to the Flashback description in this thread to find out more.
It's possible that you picked up a copy of the trojan that wasn't detected by Sophos, and then we updated the detection to catch it after the fact.
While in Terminal, type "grep DYLD_INSERT_LIBRARIES ~/.MacOSX/environment.plist /Applications/*/Contents/Info.plist" -- if the response contains a line that says something like <key>DYLD_INSERT_LIBRARIES</key> then you are likely infected. If you just get "environment.plist: No such file or directory," then you're clean. Also, if you're running Little Snitch, you're likely clean as the trojan detects this when it's installed and deletes itself.
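As an added example (not from Sophos or anyone in this thread), here is a Python script that performs the same check as the grep command above but parses the plists properly, so it also reports which library path is being inserted and copes with a missing environment.plist. The Tampered.app bundle, the environment.plist it scans and the .dylib paths are all constructed sample data written to a temporary directory; on a real Mac you would pass ~/.MacOSX/environment.plist and the bundles under /Applications.

```python
import plistlib
import tempfile
from pathlib import Path

# Key the reply above tells you to grep for.
SUSPECT_KEY = "DYLD_INSERT_LIBRARIES"


def _load_plist(path):
    """Parse an XML or binary plist; return None if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (FileNotFoundError, plistlib.InvalidFileException, ValueError):
        return None


def find_inserted_libraries(env_plist, app_dirs):
    """Return [(file, library_path), ...] for every DYLD_INSERT_LIBRARIES found.

    env_plist: the per-user environment.plist (key sits at top level).
    app_dirs:  .app bundles; their Contents/Info.plist is checked for the key
               inside the LSEnvironment dictionary.  Empty list == nothing found.
    """
    findings = []
    env = _load_plist(env_plist)
    if isinstance(env, dict) and SUSPECT_KEY in env:
        findings.append((str(env_plist), env[SUSPECT_KEY]))
    for app in app_dirs:
        info_path = Path(app) / "Contents" / "Info.plist"
        info = _load_plist(info_path)
        ls_env = info.get("LSEnvironment", {}) if isinstance(info, dict) else {}
        if isinstance(ls_env, dict) and SUSPECT_KEY in ls_env:
            findings.append((str(info_path), ls_env[SUSPECT_KEY]))
    return findings


def demo():
    """Constructed sample data: one clean bundle, one tampered bundle, one env plist."""
    root = Path(tempfile.mkdtemp())
    for name, extra in (("Clean.app", {}),
                        ("Tampered.app", {"LSEnvironment": {SUSPECT_KEY: "/tmp/constructed_app.dylib"}})):
        (root / name / "Contents").mkdir(parents=True)
        with open(root / name / "Contents" / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleName": name, **extra}, fh)
    env_plist = root / "environment.plist"  # stands in for ~/.MacOSX/environment.plist
    with open(env_plist, "wb") as fh:
        plistlib.dump({SUSPECT_KEY: "/tmp/constructed_global.dylib"}, fh)
    return find_inserted_libraries(env_plist, [root / "Clean.app", root / "Tampered.app"])


if __name__ == "__main__":
    for path, lib in demo():
        print(f"{path}: inserts {lib}")
```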
Okay, I think that I've got everything under control now. I am running Little Snitch, and I've got 'Open Safe Files' turned off. And I never launched the PKG. The grep command doesn't find anything, either.
I'd just love to know where that file came from, though.