
HT5228: About the security content of Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7


HT5228 how to check for flashback infection?

3345 Views 13 Replies Latest reply: Apr 11, 2012 10:05 PM by spacegirl22
janreid1
Apr 6, 2012 7:53 AM

How do I check to see if my Mac has the Flashback infection?

  • etresoft Level 7 (23,870 points)
    Apr 6, 2012 8:03 AM (in response to janreid1)

    In Terminal.app, run:

    cat ~/.MacOSX/environment.plist

    and

    codesign -v /Applications/Safari.app

    If you get anything about "DYLD_INSERT_LIBRARIES" on the first and/or "code or signature modified" on the second, then you are infected. Any other responses (including none) mean you're fine.

  • 16luca
    Apr 6, 2012 10:07 AM (in response to janreid1)

    I just did this with a simple app from http://www.cnn.com/2012/04/06/tech/web/mac-flashback-trojan-check/index.html

    Worked great, no need to use Terminal.

    I apparently don't have it.

    This was the easiest way I could find so far.

  • etresoft Level 7 (23,870 points)
    Apr 6, 2012 11:19 AM (in response to 16luca)

    Well, there is a problem with that.

    You hear reports of some massive botnet infection of Macs. Supposedly the malware can install itself without even asking for your administrator password (which is the big news here). Supposedly the malware even comes from reputable web sites. You are worried about being infected, so you download and execute a program you found on a web site to check.

    I recommend against installing unverified software or believing unverified blog claims. Anyone who doubts what the commands posted above actually do to your computer is free to ask or even dispute them. You can't do that with software you download from some random web site. You need some chain of trust or at least the ability to see what is going on. Even if you don't understand what those commands do, other people do and can comment on them.

    I am just making a philosophical point here. The software in question from the CNN link appears to do exactly what it claims. I just feel that the primary risk in all of this is paranoia that will lead people to download and install all kinds of software that claims to "protect" you. I suggest asking here first. We may argue amongst ourselves but at least then you are free to see both sides and make up your own mind.

  • yee ha!
    Apr 9, 2012 8:32 AM (in response to janreid1)

    I ran the script and received the following:

    JYYs-MacBook-Pro:~ YeeHa$ cat ~/.MacOSX/environment.plist
    cat: /Users/YeeHa/.MacOSX/environment.plist: No such file or directory
    JYYs-MacBook-Pro:~ YeeHa$ codesign -v /Applications/Safari.app
    /Applications/Safari.app: a sealed resource is missing or invalid

    Is this something to be concerned about?

  • etresoft Level 7 (23,870 points)
    Apr 9, 2012 9:16 AM (in response to yee ha!)

    yee ha! wrote:

    Is this something to be concerned about?

    No. It's fine. You would get "code or signature modified" if there were actually an infection.

    This trojan is really pretty weak. It often seems to fail at installation. You may have some additional files in ~/Library/LaunchAgents. It would be best to run an automated script like this one: https://discussions.apple.com/docs/DOC-3271
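
The two checks from the replies above, wrapped with the interpretation rule stated there, as an added example that is not part of any post in this thread. The function names are illustrative, and the verdict reflects only the rule as given in the replies.

```shell
#!/bin/sh
# Added example (not from the thread): the two Terminal checks plus the
# interpretation rule given in the replies above.

# Verdict for the output of: cat ~/.MacOSX/environment.plist
classify_env() {
    case "$1" in
        *DYLD_INSERT_LIBRARIES*) echo infected ;;
        *) echo clean ;;   # includes "No such file or directory"
    esac
}

# Verdict for the output of: codesign -v /Applications/Safari.app
# Per the replies, only "code or signature modified" counts; empty output and
# "a sealed resource is missing or invalid" are treated as fine.
classify_codesign() {
    case "$1" in
        *"code or signature modified"*) echo infected ;;
        *) echo clean ;;
    esac
}

# Combine both results: either indicator alone is enough.
verdict() {
    if [ "$(classify_env "$1")" = infected ] ||
       [ "$(classify_codesign "$2")" = infected ]; then
        echo infected
    else
        echo clean
    fi
}

# Run the real commands. Both may exit non-zero on a healthy Mac (missing
# plist, sealed-resource warning), so only their text is classified.
run_checks() {
    env_out=$(cat "$HOME/.MacOSX/environment.plist" 2>&1) || true
    sig_out=$(codesign -v /Applications/Safari.app 2>&1) || true
    verdict "$env_out" "$sig_out"
}

# On a Mac, run the live checks; elsewhere classify output quoted in the thread.
if command -v codesign >/dev/null 2>&1; then
    run_checks
else
    verdict "cat: /Users/YeeHa/.MacOSX/environment.plist: No such file or directory" \
            "/Applications/Safari.app: a sealed resource is missing or invalid"
fi
```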

  • spacegirl22
    Apr 9, 2012 6:08 PM (in response to etresoft)

    I got this after I typed it in

    Haleys-MacBook-Pro:~ Haley$ cat ~/.MacOSX/environment.plist
    cat: /Users/Haley/.MacOSX/environment.plist: No such file or directory
    Haleys-MacBook-Pro:~ Haley$ codesign -v /Applications/Safari.app
    Haleys-MacBook-Pro:~ Haley$

    That is fine right?

    And, I did download your program and run through that and three boxes popped up about some programs and it said keep or delete so I deleted them. But it said no applications were affected. Plus, I updated to the newest Java 1.6.0_31 through system update...I think I am clear now right? Thanks so much for the help!!! (:

  • etresoft Level 7 (23,870 points)
    Apr 10, 2012 7:15 AM (in response to spacegirl22)

    spacegirl22 wrote:

    I got this after I typed it in

    Haleys-MacBook-Pro:~ Haley$ cat ~/.MacOSX/environment.plist
    cat: /Users/Haley/.MacOSX/environment.plist: No such file or directory
    Haleys-MacBook-Pro:~ Haley$ codesign -v /Applications/Safari.app
    Haleys-MacBook-Pro:~ Haley$

    That is fine right?

    That's good.

    And, I did download your program and run through that and three boxes popped up about some programs and it said keep or delete so I deleted them. But it said no applications were affected. Plus, I updated to the newest Java 1.6.0_31 through system update...I think I am clear now right? Thanks so much for the help!!! (:

    Are you sure you deleted them? It sets the default button based on whether it thinks the file is valid or not. There is no way to tell for sure without human intervention. If you just pressed "enter" on those, you should be fine. If you manually clicked "delete" when the "keep" button was lit, then you should probably restore those files from backup. Otherwise, you might have problems with calendar syncing of things of that scale.

    I will update the tip to make that more obvious.

  • etresoft Level 7 (23,870 points)
    Apr 10, 2012 8:11 AM (in response to etresoft)

    I just remembered that I had updated the script to move those files to the trash instead. You can just restore them from there. Don't worry though. That directory is not critical for anything and any problems can be easily fixed.

  • spacegirl22 Level 1 (0 points)
    Apr 10, 2012 5:55 PM (in response to etresoft)

    I did manually hit delete... and I emptied my trash! ):  soo are they critical because now I don't think I can get them back or know how to get them back...

  • etresoft Level 7 (23,870 points)
    Apr 11, 2012 5:40 AM (in response to spacegirl22)

    They are really not critical. Do you remember which ones they were? The only things that ever get put there are things like Mobile Me, iCal, or iCloud sync scripts. If you don't have a backup, turning iCloud off or on may recreate them. If you do have a backup, you can just navigate to that folder in the Finder with Go > (hold down option) > Library > Launch Agents. Then enter Time Machine and restore the files.

  • spacegirl22 Level 1 (0 points)
    Apr 11, 2012 3:18 PM (in response to etresoft)

    One was google something and another one was address book... and maybe iCal because that's the only one of the three you listed that I use frequently..

  • etresoft Level 7 (23,870 points)
    Apr 11, 2012 5:50 PM (in response to spacegirl22)

    That directory is automatically populated.

    The Google file was probably the Google Earth autoupdater. Many people (including myself) were annoyed when Google dropped that file in there and manually removed it.

    The AddressBook files are automatically created. If you run AddressBook, they should automatically reappear.

    I suspect the same thing will happen if you run iCal.

  • spacegirl22 Level 1 (0 points)
    Apr 11, 2012 10:05 PM (in response to etresoft)

    Okay sounds good! Thank you so much for your help!! I am a new Mac user so just trying to work things out. (:
