5 Replies Latest reply: Apr 13, 2012 6:17 AM by etresoft
Living Golf Level 1 (0 points)

I am not sure if my computer is infected. Yesterday I was on Facebook downloading one of my own iMovies to my Facebook page. I was prompted to install Adobe Flashplayer. I downloaded install_flash_player_osx.dmg, which I did. During the process I was also prompted to give my administrator's password, which is normal. However, I now read in the news that this is exactly what happens with the malicious Flashback Trojan. Do I have to download security update 2012-001, which is over 200MB? It is a bit of a challenge as I am in a very remote area and only have access to the Internet via a mobile network. Thank you for any advice.


MacBook Pro, Mac OS X (10.6.8)
  • 1. Re: Malicious Flashback Trojan
    etresoft Level 7 (24,270 points)

    Never give out your administrator password unless you manually initiated the action. If you get a pop-up asking to update flash, dismiss it, and manually verify your version at: http://www.adobe.com/software/flash/about/

    and, if necessary, update it at: http://get.adobe.com/flashplayer/

    Unfortunately, the standard behaviour of Flash Player and many other types of auto-update programs makes them impossible to distinguish from malware. This will be fixed in Mountain Lion with Gatekeeper. You will be able to restrict your machine to getting software only from the Mac App Store.

    To check if you have malware, try the following...

    In Terminal.app, run:

    cat ~/.MacOSX/environment.plist

    and

    codesign -v /Applications/Safari.app

    If you get anything about "DYLD_INSERT_LIBRARIES" on the first and/or "code or signature modified" on the second, then you are infected. Any other response (including none) means you're fine.
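
As an added example (not part of the original posts), the two checks from the reply above can be scripted so the results are classified consistently. The function names are hypothetical, and the script applies only the two indicators quoted in that reply.

```shell
#!/bin/sh
# Added example: applies the two indicators named in the reply above.
# Function names are hypothetical; they are not from any Apple tool.

# Check 1: does <home>/.MacOSX/environment.plist mention DYLD_INSERT_LIBRARIES?
# Prints "missing", "clean" or "suspicious".
check_env_plist() {
    plist="$1/.MacOSX/environment.plist"
    if [ ! -e "$plist" ]; then
        echo "missing"      # the "No such file or directory" case: nothing to flag
    elif grep -q 'DYLD_INSERT_LIBRARIES' "$plist"; then
        echo "suspicious"
    else
        echo "clean"
    fi
}

# Check 2: classify the text printed by `codesign -v <app>`.
# Only the message quoted in the reply counts as an indicator; empty output
# is "valid" and any other message is reported as "other".
classify_codesign() {
    case "$1" in
        *"code or signature modified"*) echo "suspicious" ;;
        "")                             echo "valid" ;;
        *)                              echo "other" ;;
    esac
}

# Run both checks for the current user (macOS only; needs codesign).
flashback_check() {
    env_result=$(check_env_plist "$HOME")
    sig_output=$(codesign -v /Applications/Safari.app 2>&1 || true)
    sig_result=$(classify_codesign "$sig_output")
    echo "environment.plist: $env_result"
    echo "Safari signature:  $sig_result${sig_output:+ ($sig_output)}"
    if [ "$env_result" = "suspicious" ] || [ "$sig_result" = "suspicious" ]; then
        echo "Indicator found"
        return 1
    fi
    echo "No indicator found"
}

# Only runs the live checks when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then flashback_check; fi
```

A result of "other" from the signature check means codesign printed a message that is not the one quoted in the reply; the script reports the raw message so it can be read directly.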

  • 2. Re: Malicious Flashback Trojan
    Living Golf Level 1 (0 points)

    Thank you Etresoft, very clear. I appreciate your support very much. I have gone into Terminal in Utilities and entered:

    cat ~/.MacOSX/environment.plist

    No answer. When I press ENTER the answer is "No such file or directory"

    codesign -v /Applications/Safari.app

    The answer is "a sealed resource is missing or invalid"

    So I should be fine, yes? I would be grateful if you could confirm.

    Also rang Apple and they suggested to have the MacBook Pro checked by one of their technicians. Also recommended not to do any Internet financial transactions until checked.

  • 3. Re: Malicious Flashback Trojan
    etresoft Level 7 (24,270 points)

    A lot has happened since April 6. There is one more place you need to check.

    In Terminal.app, run:

    find ~/Library/LaunchAgents -type f -exec defaults read {} ProgramArguments \;

    There will be some files in there. That's normal.

    Chances are you will be fine. Everything you have reported so far sounds normal.

  • 4. Re: Malicious Flashback Trojan
    Living Golf Level 1 (0 points)

    Thank you, I copied it into Terminal and I got 8 "does not exist". I think I am clear.

    I am relieved, thank you

    Franz

  • 5. Re: Malicious Flashback Trojan
    etresoft Level 7 (24,270 points)

    A lot has happened since yesterday. Apple has released another Java update that includes a fix and will help prevent similar issues in the future. Just run Software Update.