Another new Mac OS X threat has been discovered, disguised as an Adobe Flash Player installer. Like other malware, it relies on social engineering tricks to lure users into downloading it.
When a user unknowingly visits a malicious website to watch a video, the page displays a message claiming that the Adobe Flash plugin has crashed [Figure 1].
[Figure 1 - Fake Error Adobe Flash Plugin Crash Message]
It then tells the user that Adobe Flash Player needs to be updated to the latest version to fix the "crush" [sic] of Adobe Flash Player [Figure 2].
[Figure 2 - Fake Adobe Flash Player Installer GUI]
[Figure 3 - Fake Adobe Flash Player GUI]
By now, users should already have noticed that this is not the real Adobe Flash Player installer: first, because of the broken grammar, and second, because the "Install" button appears to be grayed out.
The page then leads the user to download a file called "FlashPlayer-11-macos.pkg", which Total Defense detects as OSX/Flashback.A.
[Figure 3 - OSX/Flashback Downloaded File]
[Figure 4 - OSX/Flashback Downloaded Installer]
Installing this fake Adobe Flash Player still requires the user to click through the installer; it does not install itself silently.
[Figure 5 - OSX/Flashback Installation GUI]
Once the installation has completed, the malware deletes the downloaded installation package, so the .pkg file is unlikely to still be present on an infected machine. It then installs a backdoor component named "Preferences.dylib" in /Library/Preferences/. That directory normally holds only .plist preference files, so a loadable library there is itself a red flag. Preferences.dylib communicates with a remote server and sends information about the infected machine.
To avoid this threat:
1. Download product updates only from the vendor's own website. Note that the real Adobe Flash Player installer GUI looks like this:
[Figure 6 - The Real GUI for Adobe Flash Player Installer]
2. Disable "Open "safe" files after downloading" in Safari's preferences (General tab), so that downloaded archives and installer packages are not opened automatically.
3. Ensure that your Total Defense products are updated with the latest signatures at all times.
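Two checks a practitioner would run after reading this, one for the backdoor component in /Library/Preferences/ described above and one for the Safari setting in item 2. This is an added example, not code from the original post or from Total Defense. The only facts taken from the post are the path and name of Preferences.dylib and the fact that the installer package is deleted after installation; the preference key AutoOpenSafeDownloads is the key under which Safari stores the "Open safe files" setting. The script name flashback_check.sh, the function names and the sample directories used for testing are my own and hypothetical.

```shell
#!/bin/sh
# flashback_check.sh (added example, not from the original post): look for the
# OSX/Flashback.A backdoor component and verify Safari's auto-open setting.

# Any .dylib in /Library/Preferences is suspicious: that directory normally holds
# only .plist files, not loadable libraries. The installer .pkg is deleted after
# installation, so the dropped library is what is left to look for.
# Prints each match; returns 0 when nothing was found, 1 when something was.
# Usage: find_prefs_dylibs [directory]   (defaults to /Library/Preferences)
find_prefs_dylibs() {
    dir="${1:-/Library/Preferences}"
    found=0
    for f in "$dir"/*.dylib; do
        [ -e "$f" ] || continue        # the glob matched nothing
        found=1
        case "$(basename "$f")" in
            Preferences.dylib) echo "SUSPECT (OSX/Flashback.A indicator): $f" ;;
            *)                 echo "SUSPECT (unexpected library in preferences dir): $f" ;;
        esac
    done
    return $found
}

# Item 2 of the recommendations: Safari stores "Open 'safe' files after
# downloading" under the key AutoOpenSafeDownloads in the com.apple.Safari
# domain. The key is absent until the user changes the setting, and Safari's
# default is enabled, so a missing key is treated as enabled.
# Returns 0 if disabled, 1 if enabled, 2 if this is not a Mac (no defaults(1)).
check_safari_autoopen() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not available: not running on Mac OS X"
        return 2
    fi
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
    if [ "$val" = "0" ]; then
        echo "Safari auto-open of 'safe' downloads: disabled (good)"
        return 0
    fi
    echo "Safari auto-open of 'safe' downloads: ENABLED; disable it with:"
    echo "  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    return 1
}

# Run both checks when executed directly as `sh flashback_check.sh`;
# sourcing the file only defines the functions.
case "$0" in
    *flashback_check.sh) find_prefs_dylibs; check_safari_autoopen ;;
esac
```

A clean machine prints nothing from find_prefs_dylibs and exits 0; a hit on Preferences.dylib is a reason to pull the machine off the network and take a copy of the library before removing it, since the post describes it as the component that talks to the remote server.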