
Flashback trojan

5809 Views 30 Replies Latest reply: Sep 12, 2013 8:11 AM by bhillinger RSS
Deb7000000
Apr 5, 2012 12:42 PM

How do I find out if I have the Flashback trojan? Simple explanation please.

iMac, Mac OS X (10.6.8)
  • Rudegar Level 6 (18,550 points)
    Apr 5, 2012 1:16 PM (in response to Deb7000000)

    If you install the Java update from Auto Update it will be removed if you do.

  • WZZZ Level 6 (11,900 points)
    Apr 5, 2012 1:47 PM (in response to Rudegar)

    Rudegar wrote:

    If you install the Java update from Auto Update it will be removed if you do.

    Where are you getting that from? AFAIK the update/patch will prevent a new infection (for a time until Java is inevitably exploited again), but not remove an existing one. This is closing the barn door after the horses have escaped.

  • X423424X Level 6 (14,190 points)
    Apr 5, 2012 1:50 PM (in response to Rudegar)

    Rudegar wrote:

    If you install the Java update from Auto Update it will be removed if you do.

    That is incorrect. The Java security update fixes some security holes in Java to protect against the strains of trojans that are trying to use those flaws in the security to install themselves. It does nothing to a system that is already infected. The injected code is still in the infected system. It may stop further information from being sent to the bad guys, but I doubt it, since I think the Java flaws were only used to get the real non-Java code injected.

    So don't get complacent.

    Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback trojans. Open a Terminal window and copy/paste each of the following lines, hitting return after each one, and note the results:

    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/" ~/Library/LaunchAgents/*

    For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.

    The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection, and again post its results.

  • killhippie Level 3 (615 points)
    Apr 5, 2012 1:49 PM (in response to Rudegar)

    As has been said, the patch is not a Trojan removal tool; a further conversation can be seen here. I don't have Java installed myself, but telling people the patch 'fixes' the issue is reckless.

    https://discussions.apple.com/message/18049046#18049046

  • R Tweaky Level 1 (0 points)
    Apr 5, 2012 3:30 PM (in response to X423424X)

    I ran the commands that you posted and for the first two I got the "does not exist", so that is clean. And for the other two I got the following:

    This is the ls command:

    total 24

    drwxr-xr-x@  5 Joe  staff   170 Mar 10 12:03 .

    drwx------@ 43 Joe  staff  1462 Mar 10 13:59 ..

    -rw-r--r--   1 Joe  staff   618 Feb 19 09:32 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D7BA66B7-C0EE-4E6A-B546-EE300832E399.plist

    -rw-r--r--@  1 Joe  staff   801 Mar 10 12:03 com.google.keystone.agent.plist

    -rw-r--r--   1 Joe  staff   758 Feb 25 16:12 com.valvesoftware.steamclean.plist

    This is the grep command:

    /Users/Joe/Library/LaunchAgents/com.google.keystone.agent.plist:            <string>/Users/Joe/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>

    /Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist:          <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>

    /Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist:                     <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>

    /Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist:                     <string>/Users/Joe/Library/Application Support/Steam/SteamApps</string>

  • X423424X Level 6 (14,190 points)
    Apr 5, 2012 4:21 PM (in response to R Tweaky)

    Well, based on those commands I would say you are not infected.

    It did tell me one thing though. I've got to fix that grep command the next time I post those commands. Even though grep displayed stuff when I said it shouldn't, in your case it should. My command is in error on what I intended. Not your fault. Mine.

  • R Tweaky Level 1 (0 points)
    Apr 6, 2012 12:11 AM (in response to X423424X)

    It's ok, thanks for the useful information.

  • X423424X Level 6 (14,190 points)
    Apr 6, 2012 2:19 AM (in response to Deb7000000)

    Here's my corrected grep command:

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    Hopefully nothing will be displayed unless it finds a reference to a dot file in the LaunchAgents.

    As for AV software, I don't recommend it either. It may only detect what has been, not what may come in the future. And you can be sure something different will be coming.

    There's the other school of thought that it may be useful as a secondary check. But AV software can add to the overhead and sometimes may be unstable.
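    The checks from X423424X's two posts above (the LaunchAgents listing, the corrected dot-file grep, and the two defaults reads), packaged as an added example that is not from this thread. It runs the same grep pattern over constructed sample plists in a temporary directory, and stands in for the two `defaults read` checks with file- and key-presence tests (an assumption, since `defaults` only exists on macOS). The user name `joe`, the plist contents and the file names are constructed.

```shell
#!/bin/sh
# Added example: the Flashback indicator checks from the thread, run against
# constructed sample data in a temp directory rather than the real ~/Library.

# Count LaunchAgents plists in $1 that reference a dot file under /Users/$2/
# (the corrected grep pattern from the thread). Note that some legitimate
# software also launches from dot directories, so a hit is a lead, not proof.
count_dotfile_agents() {
    grep -l "/Users/$2/\..*" "$1"/*.plist 2>/dev/null | wc -l | tr -d ' '
}

# Stand-in for `defaults read ~/.MacOSX/environment` (assumption: presence of
# the file is what matters, since a clean system has no such file).
env_plist_present() {
    [ -f "$1/.MacOSX/environment.plist" ] && echo yes || echo no
}

# Stand-in for `defaults read .../Safari.app/Contents/Info LSEnvironment`:
# report whether the Info.plist at $1 contains an LSEnvironment key at all.
lsenvironment_present() {
    grep -q "<key>LSEnvironment</key>" "$1" 2>/dev/null && echo yes || echo no
}

# Write constructed sample launch agents into $1: one benign, one suspicious.
make_samples() {
    mkdir -p "$1"
    # Benign: program path under ~/Library, no dot file (like the keystone agent).
    cat > "$1/com.google.keystone.agent.plist" <<'EOF'
<plist><dict><key>ProgramArguments</key><array>
<string>/Users/joe/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent</string>
</array></dict></plist>
EOF
    # Constructed suspicious agent: program path is a hidden file in the home dir.
    cat > "$1/com.example.suspect.plist" <<'EOF'
<plist><dict><key>ProgramArguments</key><array>
<string>/Users/joe/.hiddenupdater</string>
</array></dict></plist>
EOF
}

# Stand-alone demo run against the constructed samples.
demo=$(mktemp -d)
make_samples "$demo/LaunchAgents"
echo "agents referencing dot files: $(count_dotfile_agents "$demo/LaunchAgents" joe)"
echo "environment.plist present: $(env_plist_present "$demo")"
rm -rf "$demo"
```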

  • kd17
    Apr 6, 2012 2:18 AM (in response to Deb7000000)

    Can you tell me how to open a Terminal session? I am most familiar with PC, but at home I am a Mac. I use it daily. Thank you.

  • X423424X Level 6 (14,190 points)
    Apr 6, 2012 2:29 AM (in response to kd17)

    Terminal is in your Utilities folder. Open it like any other app and a window will be displayed (which you can enlarge if you want). Then you can copy/paste each command into the window and hit return.

    You should see a "prompt" at the beginning of each line (e.g., "bash-3.2$  "). The command follows the prompt.

  • Gemztone Level 1 (0 points)
    Apr 6, 2012 5:22 PM (in response to Deb7000000)

    I got "environment does not exist" for the first two. Then for the next two, does my Mac look clean? Not sure what I'm looking for. Thx!

    cg-zarbocks-computer-4:~ Zee2$ ls -la ~/Library/LaunchAgents

    total 32

    drwxr-xr-x   6 Zee2  Zee2   204 Sep 30  2011 .

    drwx------+ 52 Zee2  Zee2  1768 Jun  9  2011 ..

    -rw-r--r--   1 Zee2  Zee2   589 Sep 30  2011 com.adobe.ARM.32fc92aadecf45c6150edfbd059d518c174248ca67bf63e4a9386b86.plist

    -rw-r--r--   1 Zee2  Zee2   589 Feb  8  2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist

    -rw-r--r--   1 Zee2  Zee2   601 Sep 16  2011 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist

    -rw-r--r--   1 Zee2  Zee2   801 Jul  8  2011 com.google.keystone.agent.plist

    cg-zarbocks-computer-4:~ Zee2$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    cg-zarbocks-computer-4:~ Zee2$

  • X423424X Level 6 (14,190 points)
    Apr 6, 2012 5:41 PM (in response to Gemztone)

    Those look ok.
