
do i have malware?

1404 Views 7 Replies Latest reply: Apr 8, 2012 6:45 PM by X423424X
creekster
Apr 7, 2012 10:52 AM

How do I know if I have been infected with the Flashback malware?

Mac mini, Mac OS X (10.6.8)
  • Kappy Level 10 (221,080 points)
    Apr 7, 2012 10:54 AM (in response to creekster)
  • ds store Level 7 (30,305 points)
    Apr 7, 2012 1:12 PM (in response to creekster)

    There are checks one can perform to see:

    1: If any of their machines have been seen on the Flashback botnet

    http://public.dev.drweb.com/april/

    2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)

    https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    3: Preventative methods to avoid becoming infected.

    Update Java via Software Update.

    Disable Java in all your web browsers' preferences (notice Java is not JavaScript).

    Check the status of all browser plug-ins:

    https://www.mozilla.org/en-US/plugincheck/

    Firefox + NoScript add-on + Temp Allow All button on Firefox's toolbar to turn on scripts only on sites you trust.

    Learn how to make bootable clones; this way a complete erase can occur and a reverse clone done.

    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

    4: Resources if one is infected

    Data recovery, wiping the entire machine, reinstalling OS X, returning clean files, etc.

    https://discussions.apple.com/community/notebooks/macbook_pro?view=documents

  • etresoft Level 7 (23,905 points)
    Apr 7, 2012 3:38 PM (in response to creekster)

    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • Jürgen Kraus Level 4 (2,450 points)
    Apr 8, 2012 1:14 PM (in response to etresoft)

    I got rid of it by reinstalling Lion. Restart the machine and hold down the option key --> select Recovery drive. Then select reinstall Lion.

    It took about 1 h and it left everything else in place. But the Flashback had disappeared. I then went into Safari preferences --> Security, and unchecked Java.

    Bingo!

  • WZZZ Level 6 (11,880 points)
    Apr 8, 2012 2:45 PM (in response to Jürgen Kraus)

    Someone else will have to give a definitive answer on this since I don't use Lion. But, if reinstalling in Lion is anything like it is in Snow, it brings over apps and users intact. If that's so in Lion, I'm not sure I'd trust that as a way of eradicating this thing.

    If it left everything in place, it sounds like you may still be infected.

    Did you run the various Terminal commands to see if it was still present?

  • Jürgen Kraus Level 4 (2,450 points)
    Apr 8, 2012 3:00 PM (in response to WZZZ)

    I did run the virus scanner again. Everything in place... I was referring to user files, i.e. data.

    There are a couple of AppleScripts that help you find out whether you are infected: http://c-mac.me/Fc21?cnn=yes

  • X423424X Level 6 (14,190 points)
    Apr 8, 2012 6:45 PM (in response to Jürgen Kraus)

    Those AppleScripts are deficient. And now someone posted an AppleScript app on MacUpdate which is also deficient.

    Here's what I am suggesting as a rudimentary test for (not removal of) some of the known strains of the Flashback trojans. Open a Terminal window and copy/paste each of the following lines, hitting return after each one, and note the results:

    defaults read ~/.MacOSX/environment
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
    ls -la ~/Library/LaunchAgents
    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

    For the three defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.

    The fourth command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep displays any results then that too may indicate infection, and again post its results.

    For removal, the current instructions are specified at F-Secure's Trojan-Downloader:OSX/Flashback.K.
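As an added example, not part of X423424X's post or of any tool linked in this thread, the following POSIX shell script wraps the same five checks into functions that return a non-zero exit status when something is flagged, so the test can be scripted or pointed at a copied LaunchAgents directory. It assumes a stock macOS layout (home directory under /Users, Safari and Firefox in /Applications); where the defaults command is not available (for instance when run on Linux) those three checks are reported as skipped rather than as findings. The file names and paths used in the comments are constructed.

```shell
#!/bin/sh
# Added example: the five Terminal checks from the post above as functions.
# Not the thread's own code. Assumes a stock macOS layout; checks that need
# defaults(1) are skipped where the command does not exist.

# Checks 1-3: read a defaults domain (and optional key). On a clean machine
# defaults(1) fails with a "does not exist" error; the post treats any value
# at all as a sign of infection. Returns 1 when the key is present.
check_defaults_key() {
    domain="$1"
    key="${2:-}"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "skipped (defaults(1) not available here): $domain $key"
        return 0
    fi
    # $key is intentionally unquoted so an empty key expands to nothing
    if value=$(defaults read "$domain" $key 2>/dev/null); then
        echo "SUSPICIOUS: $domain $key is set: $value"
        return 1
    fi
    echo "clean: $domain $key does not exist"
    return 0
}

# Checks 4-5: list the LaunchAgents directory and grep it for an agent that
# points at a hidden file (a path component starting with ".") under the home
# directory, ignoring the Trash, as the post's grep pipeline does.
#   $1 = LaunchAgents directory to scan   $2 = home directory prefix to match
# Returns 1 when any such reference is found.
scan_launch_agents() {
    agents_dir="$1"
    home_dir="$2"
    if [ ! -d "$agents_dir" ]; then
        echo "clean: no LaunchAgents directory at $agents_dir"
        return 0
    fi
    ls -la "$agents_dir"
    hits=$(grep -H "$home_dir/\..*" "$agents_dir"/* 2>/dev/null \
           | grep -v "$home_dir/\.Trash" || true)
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS: launch agent(s) reference a hidden file under $home_dir:"
        echo "$hits"
        return 1
    fi
    echo "clean: no launch agent references a hidden file under $home_dir"
    return 0
}

# Run all five checks for the current account, mirroring the post's commands
# (the post wrote /Users/$USER; $HOME is the same path on a stock install).
run_all_checks() {
    status=0
    check_defaults_key "$HOME/.MacOSX/environment" || status=1
    check_defaults_key /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_defaults_key /Applications/Firefox.app/Contents/Info LSEnvironment || status=1
    scan_launch_agents "$HOME/Library/LaunchAgents" "$HOME" || status=1
    return "$status"
}

# Usage: sh flashback_check.sh --run   (exit status 1 if anything was flagged)
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

The grep pattern is the post's own: it only matches a dot-file directly under the home directory, so an agent that legitimately points at something in ~/Library is not flagged, while the Trash exclusion keeps deleted-but-not-emptied items from producing noise. As the post says, a hit is a reason to post the results, not proof by itself.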
