
Find Flashback trojan on Chrome?

Sitting here, a bit paranoid after the recent newsflash about Mac trojans. Trying to follow instructions from F-Secure on how to detect if my computer's been infected. They say I must use Terminal and use a command like this: defaults read /Applications/Safari.app/Contents/Info LSEnvironment. When I do this it's all OK, but the problem is I am using Chrome as browser. Can't find a single note, googling, on how to search for the trojan if you're using Chrome, so I turn this way to ask the pros (?) how to deal with this.


Is Flashback able to affect Chrome, and how do I detect it?


Thanks! 😀

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 5, 2012 3:16 AM


Apr 5, 2012 4:14 AM in response to gusperik

You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:


https://discussions.apple.com/docs/DOC-2435



The User Tip (which you are welcome to print out and retain for future reference) seeks to offer some guidance on the main security threats and how to avoid them.



Bear in mind that from April to December 2011 there were only 58 attempted security threats to the Mac - a mere fraction compared to Windows malware:


http://www.f-secure.com/weblog/archives/00002300.html

Apr 5, 2012 12:07 PM in response to gusperik

gusperik wrote:


Can't find a single note, googling, on how to search for the trojan if you're using Chrome, so I turn this way to ask the pros (?) how to deal with this.

Well, I'm not a "pro", or even a "pro (?)", but I'll take a bite.


What this strain of Flashback does, in this instance, is change a specific key in an application bundle's configuration file. The key is LSEnvironment (LS = Launch Services), and it defines environment variables to be set before launching the application. The altered key tells LS to load a shared code library in the app's virtual memory space prior to launching the app.


All Mac OS X application bundles have this configuration file, so the method is not specific to any app. Most configuration files do not contain this key, but some do (e.g. iTunes, GarageBand), so the presence of the key, in itself, is not diagnostic. What is significant is:


(a) The presence of the LSEnvironment key in configuration files of apps which normally do not have it (e.g. Safari);

(b) Its content, i.e. the instruction to load the shared code library, for apps which normally do not have it;

(c) The shared code library's name and location.


Therefore, to check Chrome, all you need to do is change the path specified in the defaults command from Safari to Chrome. Assuming Chrome is in its default location, i.e. /Applications, first we do:


$ defaults read /Applications/Google\ Chrome.app/Contents/Info


This should return the entire contents of the configuration file, and we do it only to make sure we have the right path. If we type the correct command and it returns an error message, either Chrome is not installed, or it's in a different location.


If we have the right path, then we check the content of the LSEnvironment key:


$ defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment


Chrome doesn't use this key, so the reply should be:


The domain/default pair of (/Applications/Google Chrome.app/Contents/Info, LSEnvironment) does not exist


For Chrome (but not necessarily for other apps), anything else means something is not quite right; if it contains the string "DYLD", then it's serious, because it calls the dynamic loader, which is responsible for loading the shared code library. In the case of Chrome, it probably indicates the presence of the Trojan (but, so far, I'm not aware of any report of Flashback targeting Chrome).


Clear as mud?
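As an added example (not code from the reply above, nor from Apple or F-Secure), here is a small POSIX shell script that automates the check just described: it looks inside an app bundle's XML Info.plist for an LSEnvironment key and flags one that sets a DYLD_* variable, the sign the reply says is serious. It assumes the XML form of the plist (a binary one can be converted first with plutil -convert xml1 -o - Info.plist), and the sample plist it writes, including its dylib path, is constructed for the demo.

```shell
#!/bin/sh
# Print the body of the LSEnvironment <dict>, or nothing if the key is absent.
# Assumes one plist element per line, as plutil's xml1 output is laid out.
lsenv_block() {
    awk '/<key>LSEnvironment<\/key>/ { grab = 1; next }
         grab && /<\/dict>/          { exit }
         grab                        { print }' "$1"
}

# Print one word for a plist path:
#   clean   - no LSEnvironment key (the expected state for Chrome and Safari)
#   review  - key present but sets no DYLD_* variable (normal for some apps)
#   suspect - key sets a DYLD_* variable, i.e. a library is injected at launch
check_lsenvironment() {
    block=$(lsenv_block "$1")
    if [ -z "$block" ]; then
        echo clean
    elif printf '%s\n' "$block" | grep -q '<key>DYLD'; then
        echo suspect
    else
        echo review
    fi
}

# Report every bundle under a directory (default /Applications).
scan_applications() {
    for app in "${1:-/Applications}"/*.app; do
        [ -f "$app/Contents/Info.plist" ] || continue
        printf '%-8s %s\n' "$(check_lsenvironment "$app/Contents/Info.plist")" "$app"
    done
}

# Constructed sample (not a real bundle): an Info.plist whose LSEnvironment
# injects a library through DYLD_INSERT_LIBRARIES; the path is made up.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Demo</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/example-injected.dylib</string>
  </dict>
</dict></plist>
EOF
}
```

Run scan_applications with no argument to report every bundle in /Applications; a "review" result for an app the reply lists as normally carrying the key (e.g. iTunes) is expected, while "suspect" for Chrome or Safari is not.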
