How to Know If You’ve Been Infected With Mac Flashback Trojan


So this real mofo of a new trojan for Mac has infected at least 600k computers. It’s a mean one, and it can easily compromise your security. That said, checking for the infection is easy. Launch your Terminal (Applications > Utilities > Terminal) and run the commands found after the jump.

Please note that the following is copy-pasted directly from F-Secure. If you are unsure how to remove the malicious files yourself after the check, it may be best to take it to someone who can. Here’s how it works:

Disinfection

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance. F-Secure customers may also contact our Support.
Manual Removal Instructions

1. Run the following command in Terminal:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value of DYLD_INSERT_LIBRARIES.
3. Proceed to step 8 if you got the following error message:

    “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal:

    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”.
6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5.
8. Run the following command in Terminal:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

    “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”.
12. Run the following commands in Terminal:

    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.

The good news is that if you received the “does not exist” message at step 9, you are clean of this variant.
Also, the latest OS X update will plug the Java security vulnerability. Get it now. (Apple Menu > Software Update)
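If you'd rather not type the read steps by hand, here is a small shell script that runs the check half of the procedure above (steps 1, 3, 4, 8, 9 and 10) and reports what it finds. It is an added example, not F-Secure's or the post author's code: it queries the same two persistence points the steps name (Safari's Info.plist LSEnvironment and ~/.MacOSX/environment), parses the `defaults read` output the same way you would by eye, and runs the same `grep -a -o '__ldpath__...'` on any library it finds. It deletes nothing; steps 6, 7, 12 and 13 stay manual. The function names (`classify_defaults_output`, `extract_dyld_path`, `ldpath_from_library`, `report`, `flashback_check`) and the `--run` flag are my own.

```shell
#!/bin/sh
# Read-only Flashback check (constructed example, not F-Secure's code).
# Runs the "read" steps of the manual procedure and prints a verdict for
# each persistence point. Nothing is deleted.

# The two locations the F-Secure steps inspect.
SAFARI_INFO=/Applications/Safari.app/Contents/Info
USER_ENV="$HOME/.MacOSX/environment"

# classify_defaults_output OUTPUT
# Takes the combined stdout+stderr of one `defaults read` call. The
# "does not exist" error from steps 3 and 9 means the key is absent
# ("clean"); anything else means a value is set ("suspect").
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *)                  echo suspect ;;
    esac
}

# extract_dyld_path OUTPUT
# Pulls the library path out of `defaults read` output. Step 1 prints a
# dictionary ({ DYLD_INSERT_LIBRARIES = "/path"; }); step 8 prints the
# bare value. Both shapes are handled.
extract_dyld_path() {
    case "$1" in
        *DYLD_INSERT_LIBRARIES*)
            printf '%s\n' "$1" \
                | grep -o 'DYLD_INSERT_LIBRARIES *= *[^;]*' \
                | sed -e 's/^DYLD_INSERT_LIBRARIES *= *//' -e 's/^"//' -e 's/"$//' \
                | head -n 1 ;;
        *)
            printf '%s\n' "$1" | head -n 1 | sed -e 's/^ *//' -e 's/ *$//' ;;
    esac
}

# ldpath_from_library FILE
# Steps 4 and 10: the injected library carries the path of the second file
# right after the marker "__ldpath__". LC_ALL=C keeps the [ -~] range
# meaning "printable ASCII" whatever the user's locale is; -a makes grep
# scan the binary as text.
ldpath_from_library() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null \
        | head -n 1 \
        | sed 's/^__ldpath__//'
}

# report LABEL OUTPUT
# Prints a verdict for one persistence point; returns 1 when suspect.
report() {
    if [ "$(classify_defaults_output "$2")" = clean ]; then
        echo "[clean]   $1: no DYLD_INSERT_LIBRARIES entry"
        return 0
    fi
    lib=$(extract_dyld_path "$2")
    echo "[suspect] $1: DYLD_INSERT_LIBRARIES = $lib"
    if [ -f "$lib" ]; then
        payload=$(ldpath_from_library "$lib")
        if [ -n "$payload" ]; then
            echo "          __ldpath__ -> $payload   (the file steps 7/13 tell you to delete)"
        fi
    else
        echo "          (library file missing or unreadable)"
    fi
    return 1
}

# flashback_check: the live run on a Mac. Returns 1 if either point is set.
flashback_check() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this check only runs on OS X" >&2
        return 2
    fi
    rc=0
    report "Safari LSEnvironment" "$(defaults read "$SAFARI_INFO" LSEnvironment 2>&1)" || rc=1
    report "~/.MacOSX/environment" "$(defaults read "$USER_ENV" DYLD_INSERT_LIBRARIES 2>&1)" || rc=1
    return $rc
}

# Only touch the live system when asked:  sh flashback_check.sh --run
if [ "${1:-}" = "--run" ]; then
    flashback_check
fi
```

Run it as `sh flashback_check.sh --run`; an exit status of 0 means both points came back with the “does not exist” error, which is the clean result from steps 3 and 9. The parsing functions take the command output as a string rather than calling `defaults` themselves, so you can check them against saved output from another machine without running anything on it.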

About 8bitjay