
Why do I keep finding "Pieces" of Flashback on my iMacs?

For the past 2 or 3 months, occasionally when I run F-Secure Flashback Removal Tool v1.2.1, it is finding Flashback infection traces. If I do a removal, and run the tool again, it shows that the system appears to be clean. This will typically remain "clean" on several checks over the next week or so, but eventually it shows up again. I'm not sure where it is coming from.


Running macOS 10.12.6 on iMac Retina 5K, Late 2015 and a late 2010 iMac as well.

Posted on Oct 5, 2019 6:59 PM

12 replies

Oct 6, 2019 8:02 AM in response to Jeff Wiseman

What happens if you run the free Malwarebytes for Mac and toss that F-Secure into the false alarm bin? The Flashback malware is also on the detection list (OSX.Flashback.[A-C]) for the current (2019-10-02) Mac GateKeeper X-protect lists in the case of software downloaded from outside of the Mac App Store.


Oct 6, 2019 10:57 PM in response to VikingOSX

Malwarebytes does not find anything at present, but neither does F-Secure's Flashback Removal tool. As I mentioned before, it might stay like this for another 1-3 weeks as I just cleaned it up recently. Either I occasionally visit some site or I haven't gotten everything cleaned out. When I run the clean function on Flashback Removal Tool, it extracts some files from the system and puts them into a flashback_quarantine.zip file (I've forgotten the password they use so I can't find the file names that were quarantined). If I delete the .zip file, later on sometime, I'll get another positive indicator and a clean again extracts the same files. However, I've attached the current RemoveFlashback.log file. Note that I occasionally would run the tool just to check things, so on several occasions.


I use both Safari as well as Firefox. The log seems to indicate that the problem keeps being found in the Firefox application. I've noticed that my Firefox Auto-update has been failing recently as well (I have to update manually). Do you think it is related?



Mon Jul 1 18:51:47 CDT 2019 ------- Scanonly mode
2019-07-01 18:51:48.921 defaults[23288:27241852] The domain/default pair of (/tmp/RemoveFlashback.23269, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
Mon Jul 1 20:34:27 CDT 2019 ------- Scanonly mode
2019-07-01 20:34:28.237 defaults[23574:27537929] The domain/default pair of (/tmp/RemoveFlashback.23556, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
------- Quarantine mode
touch: /Applications/Safari.app: Operation not permitted
2019-07-01 20:34:55.052 defaults[23606:27540099] The domain/default pair of (/tmp/RemoveFlashback.23587, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
Removing... /Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.23587.quarantine/Info.plist
grep: /etc/launchd.conf: No such file or directory
Nothing to quarantine.
Quarantined files stored in password-protected zip file /Users/jeffwiseman/flashback_quarantine.zip
------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Your system has been cleaned.
Mon Jul 1 20:42:30 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Wed Jul 10 15:46:21 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Tue Jul 16 12:23:03 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sat Aug 17 15:01:04 CDT 2019 ------- Scanonly mode
2019-08-17 15:01:06.168 defaults[16236:19225896] The domain/default pair of (/tmp/RemoveFlashback.16217, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
------- Quarantine mode
touch: /Applications/Safari.app: Operation not permitted
2019-08-17 15:01:39.589 defaults[16264:19228712] The domain/default pair of (/tmp/RemoveFlashback.16245, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
Removing... /Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.16245.quarantine/Info.plist
grep: /etc/launchd.conf: No such file or directory
Nothing to quarantine.
Quarantined files stored in password-protected zip file /Users/jeffwiseman/flashback_quarantine.zip
------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Your system has been cleaned.
Sat Aug 17 15:03:22 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Fri Aug 23 11:48:22 CDT 2019 ------- Scanonly mode
2019-08-23 11:48:23.978 defaults[2789:1390342] The domain/default pair of (/tmp/RemoveFlashback.2771, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
------- Quarantine mode
touch: /Applications/Safari.app: Operation not permitted
2019-08-23 11:48:43.447 defaults[2818:1392158] The domain/default pair of (/tmp/RemoveFlashback.2799, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
Removing... /Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.2799.quarantine/Info.plist
grep: /etc/launchd.conf: No such file or directory
Nothing to quarantine.
Quarantined files stored in password-protected zip file /Users/jeffwiseman/flashback_quarantine.zip
------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Your system has been cleaned.
Wed Aug 28 21:25:38 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Fri Aug 30 11:34:32 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Fri Sep 6 17:10:32 CDT 2019 ------- Scanonly mode
2019-09-06 17:10:32.525 defaults[12662:11117540] The domain/default pair of (/tmp/RemoveFlashback.12644, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
------- Quarantine mode
touch: /Applications/Safari.app: Operation not permitted
2019-09-06 17:10:58.284 defaults[12690:11119172] The domain/default pair of (/tmp/RemoveFlashback.12671, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
Removing... /Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.12671.quarantine/Info.plist
grep: /etc/launchd.conf: No such file or directory
Nothing to quarantine.
Quarantined files stored in password-protected zip file /Users/jeffwiseman/flashback_quarantine.zip
------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Your system has been cleaned.
Fri Sep 6 17:15:22 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sun Sep 22 23:01:36 CDT 2019 ------- Scanonly mode
2019-09-22 23:01:38.518 defaults[22874:26038868] The domain/default pair of (/tmp/RemoveFlashback.22856, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
------- Quarantine mode
touch: /Applications/Safari.app: Operation not permitted
2019-09-22 23:01:57.859 defaults[22901:26039811] The domain/default pair of (/tmp/RemoveFlashback.22882, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
Removing... /Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.22882.quarantine/Info.plist
grep: /etc/launchd.conf: No such file or directory
Nothing to quarantine.
Quarantined files stored in password-protected zip file /Users/jeffwiseman/flashback_quarantine.zip
------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Your system has been cleaned.
Sun Sep 22 23:06:08 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sun Sep 22 23:12:28 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sat Oct 5 17:24:52 CDT 2019 ------- Scanonly mode
2019-10-05 17:24:53.550 defaults[23967:19145700] The domain/default pair of (/tmp/RemoveFlashback.23949, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
grep: /etc/launchd.conf: No such file or directory
------- Quarantine mode
touch: /Applications/Safari.app: Operation not permitted
2019-10-05 17:25:35.146 defaults[23995:19147784] The domain/default pair of (/tmp/RemoveFlashback.23976, DYLD_INSERT_LIBRARIES) does not exist
Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:
Removing... /Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.23976.quarantine/Info.plist
grep: /etc/launchd.conf: No such file or directory
Nothing to quarantine.
Quarantined files stored in password-protected zip file /Users/jeffwiseman/flashback_quarantine.zip
------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Your system has been cleaned.
Sat Oct 5 17:27:52 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sat Oct 5 20:49:18 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sat Oct 5 20:56:40 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sun Oct 6 10:21:07 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.
Sun Oct 6 10:38:45 CDT 2019 ------- Scanonly mode
grep: /etc/launchd.conf: No such file or directory
No Flashback malware found.



Oct 6, 2019 11:59 PM in response to Jeff Wiseman

OK, so I tried this on my other iMac. The FlashbackRemovalTool showed that it had FlashBack Infection Traces. Malwarebytes showed that the system was clean.


I can't clearly remember but I have a suspicion that the "infection traces" would show up after Firefox Auto-updated, failed, and then I had to manually install it.


From the following text in the RemoveFlashback.log:


Found DYLD_INSERT_LIBRARIES in /Applications/Firefox.app/Contents/Info.plist LSEnvironment:

Removing...

/Applications/Firefox.app/Contents/Info.plist -> /tmp/RemoveFlashback.23976.quarantine/Info.plist


It seems that the FlashbackRemoval tool is finding something in Firefox's Info.plist file that it doesn't like. When I allow the tool to clean up things, it is removing the Info.plist file (which of course gets regenerated the next time Firefox is run). That may be why the Autoupdate for Firefox has been failing.


What do you think?

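The trace the log reports is a specific key, not a file: an LSEnvironment dictionary inside the app's Info.plist that sets DYLD_INSERT_LIBRARIES, the dyld variable that makes a process load an extra library at launch. The following script is an added example (it is not the F-Secure tool's code and makes no claim about what Firefox's real Info.plist contains); it reads an Info.plist in either XML or binary form, reports only that key, and shows a narrower remediation than quarantining the whole file, which is what the log shows happening. The two sample plists, the bundle identifier org.example.browser, the variable EXAMPLE_HARMLESS_VAR and the library path are all constructed placeholders.

```python
"""Inspect a macOS app bundle's Info.plist for LSEnvironment entries that set
DYLD_INSERT_LIBRARIES, the trace the RemoveFlashback log reports for
Firefox.app.

Added example, not the F-Secure tool's code. The sample plists below are
constructed; the bundle id, variable names and paths are placeholders.
"""
import plistlib
import sys
from pathlib import Path

# Environment variables worth flagging when an app bundle sets them for
# itself at launch. The log on this page reports exactly this one.
SUSPECT_ENV_KEYS = ("DYLD_INSERT_LIBRARIES",)


def ls_environment(plist_bytes):
    """Return the LSEnvironment dict of an Info.plist (XML or binary), or {}."""
    env = plistlib.loads(plist_bytes).get("LSEnvironment")
    return dict(env) if isinstance(env, dict) else {}


def inspect_info_plist(plist_bytes, label="<in-memory>"):
    """Return [(label, key, value)] for every suspect LSEnvironment variable.

    An empty list means the plist sets none of SUSPECT_ENV_KEYS; other
    LSEnvironment entries are left alone and not reported."""
    return [(label, key, str(value))
            for key, value in ls_environment(plist_bytes).items()
            if key in SUSPECT_ENV_KEYS]


def inspect_app_bundle(app_path):
    """Inspect <app>/Contents/Info.plist on disk, e.g. /Applications/Firefox.app."""
    info = Path(app_path) / "Contents" / "Info.plist"
    return inspect_info_plist(info.read_bytes(), str(info))


def strip_suspect_env(plist_bytes):
    """Return a copy of the plist with only the suspect variables removed.

    Unlike quarantining the whole Info.plist (what the log shows the tool
    doing), this keeps every other key the app needs, including harmless
    LSEnvironment entries, and drops the LSEnvironment dict only if it is
    now empty. Output is XML; plistlib.dumps writes that format by default."""
    plist = plistlib.loads(plist_bytes)
    env = plist.get("LSEnvironment")
    if isinstance(env, dict):
        for key in SUSPECT_ENV_KEYS:
            env.pop(key, None)
        if not env:
            del plist["LSEnvironment"]
    return plistlib.dumps(plist)


# Constructed sample: an LSEnvironment dict with only a harmless variable.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>org.example.browser</string>
  <key>LSEnvironment</key>
  <dict>
    <key>EXAMPLE_HARMLESS_VAR</key>
    <string>1</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the same bundle with a library-injection entry added.
# The .dylib path is a placeholder, not a real indicator.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>org.example.browser</string>
  <key>LSEnvironment</key>
  <dict>
    <key>EXAMPLE_HARMLESS_VAR</key>
    <string>1</string>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/example/placeholder.dylib</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Pass one or more .app paths to check real bundles; with no arguments
    # the two constructed samples are inspected instead.
    if len(sys.argv) > 1:
        for app in sys.argv[1:]:
            print(app, inspect_app_bundle(app) or "no suspect LSEnvironment keys")
    else:
        print("clean sample:  ", inspect_info_plist(CLEAN_PLIST, "clean"))
        print("suspect sample:", inspect_info_plist(SUSPECT_PLIST, "suspect"))
        print("after strip:   ", ls_environment(strip_suspect_env(SUSPECT_PLIST)))
```

Running it with `python3 check_lsenv.py /Applications/Firefox.app` reports the LSEnvironment keys it cares about and nothing else, so a hit can be compared against a freshly downloaded copy of the same app before anything is removed; a key that is present in both the installed and the fresh bundle is part of the app, not a trace left behind by something else.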

Oct 16, 2019 11:41 AM in response to MrHoffman

Yea, downloading fresh copies of Firefox re-introduces the problem. When the Info.plist stuff in the Firefox.app is exorcized, the traces disappear even though Malwarebytes didn't show a problem in the first place. I suspect that the automatic regeneration of the Info.plist by subsequent runs of Firefox is now missing some information needed for autoupdates later on.


My only concern is why Malwarebytes isn't seeing the Flashback detected pieces in the Info.plist file.


Oct 16, 2019 2:13 PM in response to Jeff Wiseman

I’d consider removing the add-on anti-malware that’s (mis?)detecting this. Most (all?) of the add-on anti-malware ties into macOS in ways little different from how malware ties into macOS. And more than a little of what’s on the market is somewhere between useless and junk, and some actively hostile. More than a few add-on packages on the market have ended up introducing vulnerabilities into the underlying platforms, too. And many of the simplistic anti-malware signature checks have long ago been bypassed by the malware authors. Put differently, I’d wonder why you haven’t removed this anti-malware. But if you wish to persist with this effort, contact the anti-malware vendor, and find out if this is a false positive. Malware in a plist certainly seems spurious, after all.


Oct 16, 2019 7:13 PM in response to MrHoffman

Yea, the user license agreement is even marked Nov 2009. I know it worked many years ago but I'm not sure about now. Apparently the newer macOS and Safari versions are supposed to be more impervious to Flashback, but I just didn't know what the current situation is.


I've taken it off my system. What do you think about Malwarebytes? Do you think it would pick up this trojan's signatures if it was still around?


Oct 16, 2019 8:33 PM in response to Jeff Wiseman

Start your reading here:


Effective defenses against malware and other threats - Apple Community


I use the in-built anti-malware, use two-factor authentication, stay on the current or one of the two previous (supported) macOS versions, use a password manager, and keep multiple backups. I’ve not had issues with malware.


General security has gotten substantially better with Catalina too, with the write-protected system environment.


Have backups, too. Preferably multiple backups.


Where I’ve had issues with systems used by others? Systems where folks loaded anything and everything, bluntly. Folks that loaded anti-malware were usually also infested. Either by the add-on anti-malware, or the add-on anti-malware was hosed, or the anti-malware reasonably assumed the other dreck they had also intentionally installed wasn’t malware.


Problems from those folks that had realized that the "enter your admin password to install" prompt means giving over your entire system and all your passwords to what was just installed? Not so much.


MalwareBytes has a decent reputation around the forums. I’ve poked at it a few times locally, to have a look at how it operates. But I don’t run it, and I’m not comfortable with the intrusive nature of even the (legitimate) anti-malware around.


And the folks that are getting in trouble with malware? They’re often getting phished, or otherwise socially engineered. Pop-ups with "You have 32653 viruses!!!!!! install our free anti-virus now!!!!!" and "Your Apple ID is locked due to log in attempts from [far away], log in now to unlock!" and such. Those sorts of social-engineering scams are just far easier to run, and are proving far more effective. And any anti-malware security has a very difficult time identifying those scams. They pop up and disappear far too quickly. But a password manager also won’t auto-fill your credentials on a sketchy looks-like-Apple-but-isn’t web site.


BTW: Windows 10 with the in-built Defender is probably the best approach for most Windows users.



Oct 17, 2019 9:28 AM in response to MrHoffman

MrHoffman,


Thanks for the link, I could probably do with some refreshing on the topic.


I pretty well agree with all you've said. In addition to TimeMachine (for quick retrievals of lost application data), I also have multiple bootable backups created and maintained with SuperDuper. Since I have 3 virtual machines on my iMac as well (including Windows 10), they are excluded from my TimeMachine.


In general, I never really used anti-malware on my machine since sometime after Apple went to OS X. However, when Flashback showed up, I recognized it as a real threat so I tried the scanner from F-Secure and found that my machine actually did have traces all through it. After cleaning it all up, I got the newer version of the FlashbackRemoval tool (the one I have now). Some time a little later, it detected an infection as well (I believe it was a mutant from the first version I saw), so I used it to remove the traces. Then, for several years, it didn't show any positives until just recently. However, this time the "traces" were limited to a single one found in the Firefox Info.plist file, which you've now convinced me is likely a false positive.


However, the reason I've still been a bit nervous about it is when dealing with the Flash Player. I need it for 2 or 3 websites I visit. Because it was the original carrier for the Flashback trojan, I know that updating the player should ONLY be done directly from the System Preferences' Flash Player update capability, or by getting it directly from the Adobe website itself. But in spite of the fact that this trojan showed up a decade ago, I STILL get the phony "You have to update Flash Player to use this site" popup occasionally, and I couldn't tell where it was coming from (i.e., was it from a piece of the trojan already on my system?). Confirmation that it is phony can be had by just checking the Update status on Flash Player from my System Preferences (it'll say that I'm already using the most recent player).


I just didn't know how susceptible my system is to any new variants of that particular trojan.


Oct 17, 2019 9:59 AM in response to Jeff Wiseman

Back when I still had Flash around, I used a Flash blocker that prevented that from triggering, save on specific sites.


Now, there are other ways to shut off Flash Player, and to restrict it to specific sites.


Hilariously, among the very few recent uses of Flash seen around here have been security-training courses.

