Do these terminal commands really work?

1508 Views 18 Replies Latest reply: Apr 10, 2012 7:03 PM by Topher Kessler

NightNinjaPDX Level 2 (255 points)
Apr 10, 2012 2:25 PM

Hello everyone,

I just found an article on CNET and I was just curious if these commands in Terminal really work in showing my Mac is free of the Flashback Trojan? Thank you!

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

NNP

MacBook Pro, Mac OS X (10.7.3), Quad Core i7 A/G 8GB Ram 750GB 7200
  • Linc Davis Level 10 (107,660 points)
    Apr 10, 2012 3:29 PM (in response to NightNinjaPDX)

    CNET is not a reliable source of technical information, at least where the Mac platform is concerned. The commands will detect some variants of the malware, but not all.

  • Linc Davis Level 10 (107,660 points)
    Apr 10, 2012 4:15 PM (in response to NightNinjaPDX)

    Honestly, no. I've tried several ways of detecting it, and nothing seems to work consistently. If you're not having any unusual problems, such as application crashes, I think it's very unlikely that you're infected.

  • thomas_r. Level 7 (26,935 points)
    Apr 10, 2012 4:19 PM (in response to NightNinjaPDX)

    Those commands are no longer entirely reliable. There are cases that have turned up here that have come up negative on all those tests and yet there's still a verifiable Flashback infection on the machine. None of the various instructions or tools for detection and removal are really something you should give full trust at this point. Anti-virus software is probably the most reliable method of detection at this point. Two free options that are excellent are Sophos Anti-Virus for Mac Home Edition and ClamXav.

    For more information about all this, see About the Flashback malware.

    (Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • thomas_r. Level 7 (26,935 points)
    Apr 10, 2012 4:52 PM (in response to NightNinjaPDX)

    That is not necessarily a sign of malware, though given that it sometimes exhibits no symptoms at all, that means little. Have you ever installed Java? (It's not installed by default in Mac OS X 10.7.) Try opening Java Preferences, in /Applications/Utilities/. If it complains that Java is not installed, you can't be infected with Flashback.

    If you can rule out Flashback, try some of the tips in the Mac OS X Speed FAQ.

  • Linc Davis Level 10 (107,660 points)
    Apr 10, 2012 4:58 PM (in response to NightNinjaPDX)

    Launch the Activity Monitor application in any of the following ways:

    Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

    In the Finder, select Go Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

    Open LaunchPad. Click Utilities, then Activity Monitor in the page that opens.

    Select My Processes from the menu in the toolbar, if not already selected. Enter "Safari" (without the quotes) in the "Filter" text field. Select the Safari process, then click the Sample Process button in the toolbar. When the sample window opens, select Display Sample Text in its toolbar. Copy the contents of the window into a reply to this message.

  • billcole Level 1 (30 points)
    Apr 10, 2012 5:06 PM (in response to NightNinjaPDX)

    The most complete manual detection (and removal) instructions are the ones detailed by F-Secure at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml (for the older variant) and http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml (for the newer variant). However, if you don't understand what those commands might show you, they aren't terribly helpful.

    The three you originally posted will find successful Flashback infections that have not been repaired in any way, assuming you only use Safari or Firefox as a browser. However, Flashback has abort points in its infection procedure and the mechanism it uses can hook into any application. If you use some other web browser, you should check it as well by using a 'defaults' command like the ones CNET and F-Secure give for Safari.

    What Flashback is using is the mechanism used by the system to pass an "environment" to a program when launched. The environment is a set of variables that are accessible to a running program and any other system facilities it uses or other programs that it may launch. The "LSEnvironment" part of those commands is the name that the MacOS X "Launch Services" subsystem uses when launching applications, and when it exists as a default setting for a single application (which is a bit unusual) it is a collection of variable names ("keys") and their values, stored in a file called "Info.plist" inside the application bundle. The third command you quoted looks inside another file in a normally hidden subdirectory of a user's home directory where MacOS X can pick up environment variables for all programs the user runs. The specific environment variable that is being set is actually used by the MacOS X "dynamic linker": the part of the system that allows application programs to find and use functions that are part of the operating system (or add-on) libraries without the app needing to worry about where exactly those libraries are or whether they exactly match the versions the application was built with. The DYLD_INSERT_LIBRARIES environment variable provides the dynamic linker with library locations that should be searched first (ahead of standard system libraries) when trying to find external function calls. That is used sometimes as a debugging tool, but there's no reason for a released application to use that environment variable for normal operations. The most common (but maybe not only!) value that Flashback uses for that variable is "/Users/Shared/.libgmalloc.dylib". If that file exists on a machine it is a sure sign that Flashback or something like it has infected the system.
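
The check billcole describes above can be done programmatically rather than with one `defaults read` per browser. The following is an added example, not code from this thread, CNET or F-Secure: it parses an Info.plist (or the per-user ~/.MacOSX/environment.plist) with Python's standard plistlib and reports any DYLD_INSERT_LIBRARIES entries, and it generalises the check to every .app bundle under /Applications instead of only Safari and Firefox. The two sample plists are constructed for illustration.

```python
import os
import plistlib

# Constructed sample Info.plist showing the injection pattern described in the
# thread (illustrative only, not a real Flashback artifact).
SAMPLE_INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.libgmalloc.dylib</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample of an untouched Info.plist: no LSEnvironment key at all.
SAMPLE_CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict><key>CFBundleName</key><string>Firefox</string></dict>
</plist>
"""


def inserted_libraries(plist_bytes, per_user=False):
    """Return the library paths named by DYLD_INSERT_LIBRARIES in a plist.

    In an app bundle's Info.plist the variable sits under the LSEnvironment
    dictionary; in ~/.MacOSX/environment.plist (per_user=True) it is top-level.
    plistlib.loads accepts both XML and binary plists, like `defaults read`.
    """
    data = plistlib.loads(plist_bytes)
    env = data if per_user else data.get("LSEnvironment", {})
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    return [p for p in str(value).split(":") if p]  # colon-separated, like PATH


def scan_bundles(root="/Applications"):
    """Check every .app bundle under root, not only Safari and Firefox."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.endswith(".app") and "Contents" in dirnames:
            dirnames[:] = []  # do not descend into the bundle itself
            try:
                with open(os.path.join(dirpath, "Contents", "Info.plist"), "rb") as f:
                    libs = inserted_libraries(f.read())
            except Exception:  # unreadable or malformed plist: skip it
                continue
            if libs:
                findings[dirpath] = libs
    return findings
```

Run `scan_bundles()` on a Mac to list any bundle whose LSEnvironment injects a library; an empty result matches a negative `defaults read`, with the same caveat the thread gives that variants which do not use this mechanism will not be found.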

  • Linc Davis Level 10 (107,660 points)
    Apr 10, 2012 6:18 PM (in response to NightNinjaPDX)

    You're not infected.

  • Linc Davis Level 10 (107,660 points)
    Apr 10, 2012 6:27 PM (in response to NightNinjaPDX)

    If you were infected, you'd have an extraneous shared library loaded into the Safari process, and it would be listed in the binary-image trace. You don't have that.
