
Flashback Trojan

3304 Views, 9 Replies. Latest reply: Apr 28, 2012 4:51 AM by WZZZ

micah238
Apr 6, 2012 10:54 AM

Any word yet from Apple about an "approved" way to check for the Flashback Trojan?

iMac, Mac OS X (10.7.3)
  • Klaus1, Level 8 (43,425 points)
    Apr 6, 2012 10:56 AM (in response to micah238)

    In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. JavaScript is something entirely different and should be left active.

    http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html

    Flashback Trojan - Detection, and how to remove (with caution):

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • WZZZ, Level 6 (11,880 points)
    Apr 6, 2012 11:12 AM (in response to micah238)

    Courtesy of X423424X

    Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback trojans. Open a terminal window and copy/paste each of the following lines, hitting return after each one, and note the results:

    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.

    The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection, and again post its results.
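As an added example (not code from the thread or from any participant), the four manual checks above wrapped into a small POSIX shell script so each one reports CLEAN, SUSPECT or SKIPPED instead of leaving the reader to interpret a "does not exist" error. The function names are mine; the grep pattern is deliberately widened from `/Users/$USER/\..*` to any user's home folder so another account's LaunchAgents can be inspected as well; and the two sample plists are constructed test data, not real malware.

```shell
#!/bin/sh
# Added example, not from the thread: the four manual checks wrapped in
# functions that report CLEAN / SUSPECT / SKIPPED. Function names are my
# own. The grep pattern is generalised from /Users/$USER/\.. to any user's
# home folder so another account's LaunchAgents can be inspected too.
HIDDEN_PATH_RE='/Users/[^/]*/\.[^/]'

# Checks 1 and 2: `defaults read` on a domain (and optional key). A clean
# Mac has neither ~/.MacOSX/environment nor an LSEnvironment key in
# Safari's Info.plist, so `defaults` fails with "does not exist".
# Returns 0 = absent (clean), 1 = present (suspect, post the output),
# 2 = skipped because the `defaults` tool is not on this host (non-macOS).
check_defaults() {
    domain=$1
    key=$2
    command -v defaults >/dev/null 2>&1 || { printf 'SKIPPED: no defaults tool\n'; return 2; }
    if out=$(defaults read "$domain" ${key:+"$key"} 2>/dev/null); then
        printf 'SUSPECT: %s %s is set:\n%s\n' "$domain" "$key" "$out"
        return 1
    fi
    printf 'CLEAN: %s %s does not exist\n' "$domain" "$key"
    return 0
}

# Checks 3 and 4: list the LaunchAgents directory and grep every file in it
# for a program path under a dot-directory inside a home folder.
# Returns 0 = no match (clean), 1 = at least one file matches (suspect).
check_launchagents() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'CLEAN: %s does not exist\n' "$dir"
        return 0
    fi
    ls -la "$dir"
    hits=$(grep -l "$HIDDEN_PATH_RE" "$dir"/* 2>/dev/null || :)
    if [ -n "$hits" ]; then
        printf 'SUSPECT: hidden-path program in:\n%s\n' "$hits"
        return 1
    fi
    printf 'CLEAN: no hidden-path programs in %s\n' "$dir"
    return 0
}

# Constructed sample data (not real malware): one benign agent and one whose
# program lives under a dotted directory, the shape the grep looks for.
make_sample_agents() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/com.example.clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clean</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>
EOF
    cat >"$dir/com.example.suspect.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspect</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.hidden/agent</string></array>
</dict></plist>
EOF
}

# Run the real checks on this machine: sh flashback_check.sh --run
# Exit status 0 means every check came back clean or was skipped.
run_all_checks() {
    status=0
    check_defaults "$HOME/.MacOSX/environment" "" || [ $? -eq 2 ] || status=1
    check_defaults /Applications/Safari.app/Contents/Info LSEnvironment || [ $? -eq 2 ] || status=1
    check_launchagents "$HOME/Library/LaunchAgents" || status=1
    return $status
}

case ${1:-} in
    --run) run_all_checks ;;
esac
```

Save it as `flashback_check.sh` and run `sh flashback_check.sh --run` in Terminal (Utilities), not in a browser. It only covers the two persistence spots the thread's commands look at (environment-variable injection and a LaunchAgent pointing into a hidden directory), which is why the post calls the test rudimentary; the later replies in this thread point to F-Secure's removal tool and Apple's Java updates for the strains that came after.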

  • PaolaRN
    Apr 27, 2012 9:16 PM (in response to WZZZ)

    For the first default I got "Safari can’t open the page “http://defaults%20read%20~/.MacOSX/environment” because the page’s address isn’t valid."

    For the second I got "Safari can’t open the page “http://defaults%20read%20/Applications/Safari.app/Contents/Info%20LSEnvironmentl s%20-la%20~/Library/LaunchAgents” because Safari can’t find the server “defaults%20read%20”."

    And for the third command I got, "Safari can’t open the page “http://grep%20"/Users/$USER/\..*"%20~/Library/LaunchAgents/*” because the page’s address isn’t valid."

    DOES THIS MEAN I AM INFECTED??? Help please!

  • X423424X, Level 6 (14,190 points)
    Apr 27, 2012 9:25 PM (in response to PaolaRN)

    First, you don't do those commands in a browser; you enter them into a Terminal (in Utilities) window, as mentioned in the paragraphs prior to those commands.

    Second, you are picking up on a post that was dated April 6. Since that time things have changed, and other Flashback detectors have come along. Specifically, go to F-Secure's Flashback Removal Tool web page, download their Flashback trojan detection/removal tool, and follow the instructions you find there.

    Third, Apple has released Java updates which also attempt to detect and remove Flashback strains.

    Java for OS X Lion 2012-003

    Java for Mac OS X 10.6 Update 8

  • rkaufmann87, Level 8 (40,635 points)
    Apr 27, 2012 9:29 PM (in response to PaolaRN)

    No, not at all! Run Software Update on your computer if you are using OS X 10.6.x or 10.7.x and have not since April 13th. You will download:

    http://support.apple.com/kb/DL1517

    and you will also bring your system up to date for all the security updates it needs. Install all other updates Apple recommends for your system; these will also be included in Software Update.

  • PaolaRN, Level 1 (0 points)
    Apr 27, 2012 9:42 PM (in response to X423424X)

    Oh okay, that makes sense. I am not too computer savvy. I have just been having computer issues and thought it could be the trojan. I went to F-Secure's website and I downloaded the zip; it said I don't have the malware. Is this sufficient?

    I am still on Leopard, version 10.5.8, so I cannot try those other downloads you provided.

  • rkaufmann87, Level 8 (40,635 points)
    Apr 27, 2012 9:59 PM (in response to PaolaRN)

    I am not familiar with F-Secure so I can't recommend their application. If you are not in the habit of running Java based applications and/or have not installed Java then your system is fine. However, to be sure, re-read WZZZ's post above and look at how to detect and uninstall the Trojan if necessary.

  • PaolaRN, Level 1 (0 points)
    Apr 27, 2012 10:24 PM (in response to rkaufmann87)

    I did it the right way, going to "utilities" and using a terminal, not a browser window (I feel so dumb for doing that), I got appropriate answers...so assuming I am not infected. Thank you!

  • WZZZ, Level 6 (11,880 points)
    Apr 28, 2012 4:51 AM (in response to PaolaRN)

    "I went to F-Secure's website and I downloaded the zip; it said I don't have the malware. Is this sufficient?"

    Probably, unless it can't find a newer variant. It's good up to 4/11.

    I wonder if anyone's got a detection tool or if there's any AV that includes the latest variants...or if that's even necessary?
