Ramblings of an old Doc


Somewhere around 600,000 Mac users are reported to have this Trojan. It gets onto OS X without ever asking for your password.

What it does (per F-secure):

“Trojan-Downloader:OSX/Flashback.I connects to a remote site to download its payload; on successful infection, the malware modifies targeted webpages displayed in the web browser.”

How to check whether it is present, and how to remove it (per F-Secure):

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Manual Removal Instructions

  1. Run the following command in Terminal:
     defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. Take note of the value of DYLD_INSERT_LIBRARIES.
  3. Proceed to step 8 if you got the following error message:
     "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
  4. Otherwise, run the following command in Terminal:
     grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
  5. Take note of the value after "__ldpath__".
  6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
     sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
     sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  7. Delete the files obtained in steps 2 and 5.
  8. Run the following command in Terminal:
     defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
     "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
  10. Otherwise, run the following command in Terminal:
     grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
  11. Take note of the value after "__ldpath__".
  12. Run the following commands in Terminal:
     defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
     launchctl unsetenv DYLD_INSERT_LIBRARIES
  13. Finally, delete the files obtained in steps 9 and 11.
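The thirteen steps above boil down to three questions: is DYLD_INSERT_LIBRARIES set in Safari's Info.plist, is it set in the per-user ~/.MacOSX/environment.plist (which is what `defaults read ~/.MacOSX/environment` reads), and which extra file does the injected library name after its `__ldpath__` marker. The script below is an added example, not F-Secure's or Apple's tool and not part of the original post; it answers those questions in one pass using Python's standard `plistlib` (which reads both XML and binary plists) and the same `__ldpath__[ -~]*` pattern the grep steps use. It only reports; deleting the files and the plist keys stays manual, as in the steps. The sample "infected" Info.plist, dylib and payload file it builds in a temp directory are constructed for the demo; on a real Mac you would call `scan()` with /Applications/Safari.app/Contents/Info.plist and ~/.MacOSX/environment.plist instead.

```python
"""Offline check for the Flashback markers the F-Secure manual steps query.

Added example, not F-Secure's or Apple's code. Sample files are constructed.
"""
import os
import plistlib
import re
import tempfile

# Steps 4 and 10: '__ldpath__' followed by a run of printable ASCII.
LDPATH_RE = re.compile(rb"__ldpath__([ -~]*)")


def _load_plist(path):
    """Return the plist at path as a dict, or None if the file is absent.

    A missing file is the 'domain/default pair ... does not exist' error of
    steps 3 and 9, i.e. the clean case. plistlib reads XML and binary plists.
    """
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def safari_insert_libraries(info_plist):
    """(DYLD_INSERT_LIBRARIES value, other LSEnvironment keys) from Safari's Info.plist.

    Mirrors `defaults read .../Safari.app/Contents/Info LSEnvironment`. The other
    keys matter because step 6 deletes the whole LSEnvironment dictionary; the
    steps tell you to make sure DYLD_INSERT_LIBRARIES is the only entry first.
    """
    info = _load_plist(info_plist) or {}
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return None, []
    others = sorted(k for k in env if k != "DYLD_INSERT_LIBRARIES")
    return env.get("DYLD_INSERT_LIBRARIES"), others


def user_insert_libraries(environment_plist):
    """DYLD_INSERT_LIBRARIES from ~/.MacOSX/environment.plist (step 8), or None."""
    env = _load_plist(environment_plist) or {}
    return env.get("DYLD_INSERT_LIBRARIES")


def ldpath_markers(library):
    """Paths stored after '__ldpath__' inside an injected library (steps 5 and 11).

    Equivalent to: grep -a -o '__ldpath__[ -~]*' <library>
    """
    if not os.path.isfile(library):
        return []
    with open(library, "rb") as fh:
        data = fh.read()
    return [m.group(1).decode("ascii") for m in LDPATH_RE.finditer(data)]


def scan(info_plist, environment_plist):
    """Run both checks; list every file the manual steps would have you delete."""
    safari_value, other_keys = safari_insert_libraries(info_plist)
    user_value = user_insert_libraries(environment_plist)
    to_delete = []
    for value in (safari_value, user_value):
        # DYLD_INSERT_LIBRARIES may hold a colon-separated list of dylibs.
        for lib in (value or "").split(":"):
            if not lib or lib in to_delete:
                continue
            to_delete.append(lib)
            for dropped in ldpath_markers(lib):
                if dropped not in to_delete:
                    to_delete.append(dropped)
    return {"safari_insert": safari_value, "safari_other_keys": other_keys,
            "user_insert": user_value, "files_to_delete": to_delete,
            "infected": bool(to_delete)}


def build_sample():
    """Construct an 'infected' Safari Info.plist and injected library in a temp dir.

    Every name here is made up for the demo. The user environment plist is
    deliberately absent so that half of the check exercises the clean path.
    """
    root = tempfile.mkdtemp(prefix="flashback_demo_")
    dylib = os.path.join(root, "injected.dylib")
    payload = os.path.join(root, "payload.bin")
    info_plist = os.path.join(root, "Info.plist")
    # A few junk bytes around the marker stand in for real Mach-O content.
    with open(dylib, "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe\x00\x01__ldpath__" + payload.encode() + b"\x00junk")
    with open(payload, "wb") as fh:
        fh.write(b"\x00")
    with open(info_plist, "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.apple.Safari",
                       "LSEnvironment": {"DYLD_INSERT_LIBRARIES": dylib}}, fh)
    return {"root": root, "info_plist": info_plist, "dylib": dylib, "payload": payload,
            "environment_plist": os.path.join(root, "environment.plist")}


if __name__ == "__main__":
    sample = build_sample()
    report = scan(sample["info_plist"], sample["environment_plist"])
    print("infected:", report["infected"])
    for path in report["files_to_delete"]:
        print("delete:", path)
    if report["safari_other_keys"]:
        print("LSEnvironment also holds:", report["safari_other_keys"])
```

The `safari_other_keys` field is the check step 6 asks for: if it is non-empty, `defaults delete ... LSEnvironment` would also wipe settings that are not the malware's, so remove only the DYLD_INSERT_LIBRARIES entry in that case. A `files_to_delete` list that contains the dylib but no second path means the library had no `__ldpath__` marker, which is exactly when steps 4/5 print nothing.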


There are several variants of this Trojan, and some have additional components. The removal steps for the .K variant are detailed here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml


I hope none of our Mac users are affected by this Trojan, but if you are, F-Secure's description page has the steps above along with links to the additional steps for the other variants:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml


Comments
on Apr 06, 2012

Oh no. Macs don't get viruses......just ask any ihole

on Apr 06, 2012

iRony [ahy-ruh-nee, ahy-er-]

1. directions to remove an iVirus on a Windows based website.

on Apr 06, 2012

CG1:

Some readers have more than one computer and some are Macs. No one forced you to read the post.

on Apr 06, 2012

iRony [ahy-ruh-nee, ahy-er-]

2. Doc taking my attempt at humor as a serious reply.

on Apr 07, 2012


If anything I've seen the amount of "iHole-ishness" decrease over the last few years. I like to hope that it's because people are realizing that it's just another operating system and not a "cool way of life brand-identity" thing. Or that everyone has one so it's no longer "trendy".

But yeah, on topic. We just got a few Macs at work that I have to be in charge of, so I get to familiarize myself with them after 10 years of using nothing but Windows. And knowing about viruses helps.

on Apr 09, 2012

This is but the beginning.  At least for the Apple side of the house.  The dominance of the iPad and iPhone means they are the new Windows.

First rule of Security - anonymity is no defense.

on Apr 09, 2012

No defense. Watch out for the Gremlins. They developed a taste for Apple(s)

on Apr 10, 2012

jackswift85
I like to hope that it's because people are realizing that it's just another operating system and not a "cool way of life brand-identity" thing. Or that everyone has one so it's no longer "trendy".

Ditto ...

on Apr 14, 2012

I stumbled on an article on CBS News that says Apple has released a removal tool for this today if anyone is interested

http://www.cbsnews.com/8301-501465_162-57413764-501465/apples-flashback-malware-remover-now-live/?tag=cbsnewsSectionContent.10

Probably no need to read the article really if you already know how to get the patch.  I don't know all the gory details, just trying to be useful.