
The Flashback Trojan: How To Find Out If You’ve Got It and How To Protect Yourself


The past few days have seen the emergence of one of the biggest Mac malware attacks in recent years in the form of the Flashback trojan. It exploits Java vulnerabilities in non-updated versions of OS X to infect the Mac. Luckily, there are very simple ways to find out whether you have it and to protect yourself from it.

How To Find Out If You Have It

  1. Open Terminal and paste the following: defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. You should get this error message: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
  3. Now paste the following: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  4. If this appears, “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”, you don’t have it.

Now, if at any of the above stages something was different, chances are you’re infected. So it’s best to run through the whole thing again as shown on F-Secure, which should delete it from the system.
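The two checks above can be scripted so that the result is read from the command's exit status and output rather than by eye. This is an added example, not part of the original article; the names DEFAULTS_CMD and FLASHBACK_RUN and the exit-code convention (0 absent, 1 inconclusive, 2 key present) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original article.
# DEFAULTS_CMD and FLASHBACK_RUN are names invented here; DEFAULTS_CMD lets the
# logic be exercised with a stub where the macOS `defaults` tool is absent.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# check_key DOMAIN KEY
#   0 = key absent (the expected "does not exist" error)
#   1 = inconclusive (tool missing or unexpected error text)
#   2 = key present (the article's sign of a likely infection)
check_key() {
    domain=$1
    key=$2
    if out=$("$DEFAULTS_CMD" read "$domain" "$key" 2>&1); then
        printf 'FOUND   %s %s = %s\n' "$domain" "$key" "$out"
        return 2
    fi
    case $out in
        *"does not exist"*)
            printf 'absent  %s %s\n' "$domain" "$key"
            return 0 ;;
        *)
            printf 'UNKNOWN %s %s: %s\n' "$domain" "$key" "$out"
            return 1 ;;
    esac
}

# Runs both checks from the steps above and returns the worse result.
flashback_check() {
    worst=0
    check_key /Applications/Safari.app/Contents/Info LSEnvironment || worst=$?
    rc=0
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    return "$worst"
}

# Run only when asked, e.g.: FLASHBACK_RUN=1 sh flashback_check.sh
if [ "${FLASHBACK_RUN:-0}" = 1 ]; then
    flashback_check
fi
```

A FOUND line prints the value stored under the key, which is the detail to compare against the F-Secure instructions.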

How To Protect Yourself From It / Prevent It Happening Again

There are two ways you can do this. One is for Snow Leopard and Lion users and the other is for users of older operating systems like Leopard and Tiger.

For Lion/Snow Leopard:

It could not be simpler. A Java update that fixes the problem has already been released, which you can get either via Software Update or here (Snow Leopard) or here (Lion). If you do that, you will be completely safe from the Flashback malware.

For Leopard, Tiger and older systems:

This is still dead easy to do. All you need is a specific piece of anti-virus software. The malware is programmed not to install when it detects certain pieces of software, one of them being ClamXAV, a great open source anti-virus which I highly recommend. It’s completely free, and you don’t even have to use it to protect yourself. Just have it installed and even if you unwittingly download the Flashback trojan, it will auto-delete itself after detecting ClamXAV.

So that’s it! If you follow the above steps, you shouldn’t have any problems whatsoever with it, and it really is that easy to deal with. It is also worth noting that 50% of the infected computers are in the US, so your chances of actually having it if you live in Europe or elsewhere are fairly slim. Still, better safe than sorry.

Even though this is by no means funny, there is a strong irony attached to this. 274 of the bots responsible for this are running from, wait for it, Cupertino! That takes some doing, and I’m sure that Apple won’t be at all pleased when they find out (they probably already have)!

About the author

Chris


3 Comments


  • Hi

    I tried this and none of the commands for files exist, is this the virus or an OS-X version thing?

    ta

    J

  • Thanks for the information. Although I get “does not exist” for all 3 commands, when I use the Dr. Web Online Web Utility, it tells me my computer (running 10.5) is “probably infected” then lists dates for when the botnet server was first and last accessed. Of course, it then tells me that I should download Dr. Web. Is this just a scam to get me to buy their software, or is the utility believable?