Apr 11, 2012 10:33 AM (in response to Chametzoo)
Hi Mike, this thing is changing, so it may even move itself around, or uninstall some things to hide or change itself.
Flashback - Detect and remove the uprising Mac OS X Trojan...
In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
Check now whether your Mac is infected by Backdoor.Flashback.39!
Apr 11, 2012 11:19 AM (in response to Chametzoo)
You might try scanning with Sophos Home Free. They probably have up to date definitions. There's also this out from Kaspersky.
Apr 11, 2012 11:48 AM (in response to BDAqua)
BD... All good information. Thanks. I do not have any anti-virus software so I don't think Flashback has deleted itself for that reason.... and my hardware UUID checked out OK with Dr. Web. Is the free Dr. Web Light useful? Would updating to 10.6 from my current 10.5 be helpful? I don't think 10.5 gets any security updates or any service at all anymore from Apple. Mike
Apr 11, 2012 11:57 AM (in response to WZZZ)
Thanks W.... Is there a preferred protection? Kapersky, Sophos or Dr. Web??? Where specifically can I find the Java update for 10.5.8 (Safari 5.0.8)? Should I update my system software from 10.5 to 10.6? Right now no indicators are telling me that I have the virus, although I confirmed it a week ago, before I shut my computer down for a week. Right now I have no virus software that might induce the malware to delete itself.
Apr 11, 2012 12:43 PM (in response to Chametzoo)
I recommended the Kaspersky and the Sophos as an infection scanner, since you said you were infected. No way it would have completely disappeared by itself, unless, maybe, you're now using a different account. It first gets installed to the user, then spreads to the system.
What indicators are telling you you don't have it?
The Java update is for 10.6 and above, but disabling Java is really the best bet, even with the update.
Apr 11, 2012 1:33 PM (in response to WZZZ)
Thanks, WZZZ. No... I'm still using the same account. This is a personal/one man business computer, so I'm the administrator account. Originally I checked the spread of the malware by signing in under a different user, and there were no Flashback symptoms within that account.
What's telling me I don't have it (at least to the same extent I did before) is that ALL of my Power PC/Rosetta apps are launching with no crashing. This was happening regularly before. Apps like Quicken 2007, Filemaker Pro 6, etc, etc. As well, I fed the following lines into Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
...and got 'does not exist' for each one. I can say with some certainty that at the very least, DYLD_INSERT_LIBRARIES did come up positive last week.... but not now. I'll also remind that until today, my Mac Pro was completely shut down for about a week while I was away. Perhaps this arrested or at least slowed down the progress of the malware? This morning, I also disabled Java within Safari's prefs. I also have NO anti-viral or screening software on this system. I'm using 10.5.8. Mike
Apr 11, 2012 1:54 PM (in response to Chametzoo)
What's telling me I don't have it (at least to the same extent I did before) is that ALL of my Power PC/Rosetta apps are launching with no crashing. This was happening regularly before. Apps like Quicken 2007, Filemaker Pro 6, etc, etc.
They might have modified the code so that PPC apps no longer crash. That was a bug in one variant that was a tip off that there was an infection, so they probably took that out.
I'd definitely run the Kaspersky tool EDIT strike running the Kaspersky tool. Some users are reporting problems with it. Run these commands, courtesy of X4
defaults read ~/.MacOSX/environment
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
ls -la ~/Library/LaunchAgents
grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"
(Run the Safari.app one, but also substitute "browser.app" for whatever browser you use.)
For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.
The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection, and again post its results.
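The same checks WZZZ and Mike typed above, wrapped into functions as an added example (not code from the thread); the user name, plist names and hidden path in the sample data are constructed so it runs offline, and on a real Mac the two checks are pointed at the live LaunchAgents folder and environment plist instead:

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the LaunchAgents grep and the
# DYLD_INSERT_LIBRARIES check as functions and runs them on a constructed sample.
# All sample names (sampleuser, com.sample.hidden.plist, .hidden_payload) are made up.
set -u
# Mirrors the thread's grep pipeline: any LaunchAgent referencing a dot-prefixed
# (hidden) path under the user's home, ignoring the Trash. Prints matches;
# returns 0 when something suspicious was found, 1 when the directory is clean.
check_launch_agents() {
  dir=$1; user=$2
  [ -d "$dir" ] || return 1
  grep "/Users/$user/\..*" "$dir"/* 2>/dev/null | grep -v "/Users/$user/\.Trash"
}
# Equivalent of `defaults read <plist> DYLD_INSERT_LIBRARIES` for an XML plist:
# returns 0 when the key is present (suspicious), 1 when absent or no file.
# On macOS a binary plist must first be converted with `plutil -convert xml1`.
check_env_plist() {
  f=$1
  [ -f "$f" ] || return 1
  grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$f"
}
# Constructed sample in a temp dir: one benign agent, one agent pointing at a
# hidden file in the user's home, and an environment.plist that sets the key.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/LaunchAgents"
  cat >"$d/LaunchAgents/com.sample.benign.plist" <<'EOF'
<plist version="1.0"><dict><key>ProgramArguments</key>
<array><string>/Applications/Sample.app/Contents/MacOS/helper</string></array></dict></plist>
EOF
  cat >"$d/LaunchAgents/com.sample.hidden.plist" <<'EOF'
<plist version="1.0"><dict><key>ProgramArguments</key>
<array><string>/Users/sampleuser/.hidden_payload</string></array></dict></plist>
EOF
  cat >"$d/environment.plist" <<'EOF'
<plist version="1.0"><dict><key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/sampleuser/.hidden_payload</string></dict></plist>
EOF
  echo "$d"
}

# Demo on the constructed sample; on a real Mac call the two checks with
# "$HOME/Library/LaunchAgents" "$USER" and "$HOME/.MacOSX/environment.plist".
sample=$(make_sample)
if check_launch_agents "$sample/LaunchAgents" sampleuser; then
  echo "LaunchAgents: suspicious entry above"; else echo "LaunchAgents: clean"; fi
if check_env_plist "$sample/environment.plist"; then
  echo "environment.plist: DYLD_INSERT_LIBRARIES set"; else echo "environment.plist: clean"; fi
rm -rf "$sample"
```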
Apr 11, 2012 2:30 PM (in response to WZZZ)
Thanks again.... invaluable information. Here are the results of the commands:
The 2 defaults commands, in order:
Domain /Users/michaelm/.MacOSX/environment does not exist
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
The ls command:
drwxr-xr-x 4 michaelm admin 136 Feb 2 2011 .
drwxrwxr-x@ 60 michaelm admin 2040 Apr 4 11:34 ..
-rw-r--r-- 1 michaelm admin 292 Sep 26 2008 com.Livestation.plist
-rw-r--r-- 1 michaelm admin 671 Sep 8 2010 com.adobe.AAM.Updater-1.0.plist
The grep command:
Nothing returned. When entered, it just produced a new prompt.
Doesn't appear that anything indicates infection??? Mike
Apr 11, 2012 4:43 PM (in response to Chametzoo)
As far as I can tell, nothing there. I don't know what to make of this. Why not try a scan with Sophos?
If it doesn't cause any problems, slow downs etc. leave it. If it does, then uninstall it after finishing the scan. It will probably bring up some Windows malware/viruses you've picked up from mail.
EDIT: just discovered F-Secure has a Flashback detection and removal tool.
Apr 11, 2012 6:09 PM (in response to Chametzoo)
If it were my computer and I'd seen the Trojan and then it disappeared, I really don't know what I'd do. I think I'd be kind of freaked out. I suppose it would be good if something could confirm you still have it, so you'd then know it's worth going through a laborious reinstall. I'd probably run Sophos and see what it comes up with, if anything. I'm really flummoxed here.
Here's the laborious reinstall. Probably the safest way to go.
Before doing that, I'd put Little Snitch on it to see if anything is making connections to the mothership.