6 Replies Latest reply: Apr 6, 2012 6:30 AM by gusperik
gusperik Level 1 (0 points)

Sitting here, a bit paranoid after the recent newsflash about Mac trojans. Trying to follow instructions from F-Secure on how to detect if my computer's been infected. They say I must use Terminal and use a command like this: defaults read /Applications/Safari.app/Contents/Info LSEnvironment. When I do this it's all OK, but the problem is I am using Chrome as browser. Can't find a single note, googling on how to search for the trojan if you're using Chrome, so I turn this way to ask the pros (?) how to deal with this.

Is Flashback able to affect Chrome and how do I detect it?

Thanks!


MacBook Pro, Mac OS X (10.6.8)
  • Klaus1 Level 8 (45,510 points)

    Chrome is not an Apple product. You need to ask Google.

  • gusperik Level 1 (0 points)

    Well, a MacBook is an Apple product in which a possible trojan could be lurking. Isn't it? How do I navigate in a MacBook to detect a possible trojan, infected by Chrome? There are explanations for Safari (Apple product) and Firefox (not an Apple product), is it ******** to ask the same question for Chrome?

  • Klaus1 Level 8 (45,510 points)

    You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:

    https://discussions.apple.com/docs/DOC-2435

    The User Tip (which you are welcome to print out and retain for future reference) seeks to offer some guidance on the main security threats and how to avoid them.

    Bear in mind that from April to December 2011 there were only 58 attempted security threats to the Mac - a mere fraction compared to Windows malware:

    http://www.f-secure.com/weblog/archives/00002300.html

  • Shootist007 Level 6 (16,645 points)

    Just make sure Chrome is up to date.

  • fane_j Level 4 (3,660 points)

    gusperik wrote:

    Can't find a single note, googling on how to search for the trojan if you're using Chrome, so I turn this way to ask the pros (?) how to deal with this.

    Well, I'm not a "pro", or even a "pro (?)", but I'll take a bite.

    What this strain of Flashback does, in this instance, is change a specific key in an application bundle's configuration file. The key is LSEnvironment (LS = Launch Services), and it defines environment variables to be set before launching the application. The altered key tells LS to load a shared code library in the app's virtual memory space prior to launching the app.

    All Mac OS X application bundles have this configuration file, so the method is not specific to any app. Most configuration files do not contain this key, but some do (eg, iTunes, GarageBand), so the presence of the key, in itself, is not diagnostic. What is significant is:

    (a) The presence of the LSEnvironment key in configuration files of apps which normally do not have it (eg, Safari);

    (b) Its content, ie, the instruction to load the shared code library, for apps which normally do not have it;

    (c) The shared code library's name and location.

    Therefore, to check Chrome, all you need to do is simply to change the path specified in the defaults command from Safari to Chrome. Assuming Chrome is in its default location, ie, </Applications>, first, we do

    $ defaults read /Applications/Google\ Chrome.app/Contents/Info

    This should return the entire contents of the configuration file, and we do it only to make sure we have the right path. If we type the correct command and it returns an error message, either Chrome is not installed, or it's in a different location.

    If we have the right path, then we check the content of the LSEnvironment key:

    $ defaults read /Applications/Google\ Chrome.app/Contents/Info LSEnvironment

    Chrome doesn't use this key, so the reply should be:

    The domain/default pair of (/Applications/Google Chrome.app/Contents/Info, LSEnvironment) does not exist

    For Chrome (but not necessarily for other apps), anything else means something is not quite right; if it contains the string "DYLD", then it's serious, because it calls the dynamic loader, which is responsible for loading the shared code library. In the case of Chrome, it probably indicates the presence of the Trojan (but, so far, I'm not aware of any report of Flashback targeting Chrome).

    Clear as mud?

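The check fane_j describes, written up as a small scanner so it can be run over every bundle in /Applications at once. This is an added example, not code from the thread or from Apple: it reads Contents/Info.plist directly with Python's plistlib instead of calling defaults read, applies the three criteria from the post (is LSEnvironment present in an app that normally lacks it, does it set a DYLD* variable for the dynamic loader, and which library from where), and reports a verdict per app. The KNOWN_LSENV_APPS set (iTunes and GarageBand, the two apps the post names) and the three sample plists, including the library path in the tampered one, are constructed for illustration and are not real Chrome or iTunes files.

```python
"""Scan application bundles for an LSEnvironment key that loads a shared library.

Added example (not from the thread). Reads Contents/Info.plist with plistlib
rather than `defaults read`, so it also runs on a non-Mac against sample data.
"""
import plistlib
from pathlib import Path

# Apps the post names as legitimately carrying LSEnvironment. Assumption for
# this example: any other app that has the key deserves a look.
KNOWN_LSENV_APPS = {"iTunes", "GarageBand"}


def assess_info_plist(plist_bytes, app_name):
    """Return (verdict, detail) for one Info.plist.

    verdict is one of:
      "clean"      - no LSEnvironment key at all (what Chrome should return)
      "expected"   - key present, no DYLD* variable, app is known to use it
      "review"     - key present, no DYLD* variable, app normally lacks it
      "suspicious" - key sets a DYLD* variable, i.e. a library is injected
                     into the app's address space at launch
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if env is None:
        return "clean", "no LSEnvironment key"
    if not isinstance(env, dict):
        return "review", f"LSEnvironment is not a dictionary: {env!r}"
    # criterion (b): does the key talk to the dynamic loader?
    dyld = {k: v for k, v in env.items() if k.upper().startswith("DYLD")}
    if dyld:
        # criterion (c): report the library name(s) and location(s)
        libs = ", ".join(f"{k}={v}" for k, v in sorted(dyld.items()))
        return "suspicious", f"dynamic loader variables set: {libs}"
    # criterion (a): key present, but is that normal for this app?
    if app_name in KNOWN_LSENV_APPS:
        return "expected", f"LSEnvironment normal for {app_name}: {sorted(env)}"
    return "review", f"LSEnvironment present in app that normally lacks it: {sorted(env)}"


def scan_bundle(bundle_path):
    """Assess a .app bundle on disk, e.g. /Applications/Google Chrome.app."""
    bundle = Path(bundle_path)
    plist = bundle / "Contents" / "Info.plist"
    if not plist.is_file():
        # same situation as `defaults read` erroring: wrong path or not installed
        return "missing", f"no Info.plist under {bundle}"
    return assess_info_plist(plist.read_bytes(), bundle.stem)


def scan_applications(root="/Applications"):
    """Assess every .app directly under root; returns {app name: (verdict, detail)}."""
    return {p.stem: scan_bundle(p) for p in sorted(Path(root).glob("*.app"))}


# Constructed sample plists for the example; not real Chrome/iTunes files.
CLEAN_CHROME = plistlib.dumps({
    "CFBundleName": "Google Chrome",
    "CFBundleIdentifier": "com.google.Chrome",
})
TAMPERED_CHROME = plistlib.dumps({
    "CFBundleName": "Google Chrome",
    "CFBundleIdentifier": "com.google.Chrome",
    # placeholder library path, constructed for the example
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/Shared/.example-injected.dylib"},
})
ITUNES_LIKE = plistlib.dumps({
    "CFBundleName": "iTunes",
    "LSEnvironment": {"EXAMPLE_SETTING": "1"},  # constructed non-DYLD variable
})

if __name__ == "__main__":
    samples = [("Google Chrome", CLEAN_CHROME),
               ("Google Chrome", TAMPERED_CHROME),
               ("iTunes", ITUNES_LIKE)]
    for name, blob in samples:
        verdict, detail = assess_info_plist(blob, name)
        print(f"{name}: {verdict} ({detail})")
    # On a Mac, walk the real folder instead:
    # for name, (verdict, detail) in scan_applications().items():
    #     print(f"{name}: {verdict} ({detail})")
```

A "review" verdict is not an infection on its own; as the post says, the key by itself is not diagnostic, so the value of the script is in surfacing which bundles carry it and, for "suspicious" ones, printing the library path so it can be inspected.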
  • gusperik Level 1 (0 points)

    Very good! Thanks!