42 Replies. Latest reply: Apr 7, 2012 3:39 PM by dianeoforegon
Leciaatapple Level 1 (0 points)

What should one do about this - in SIMPLE words please:

quote "Half a million Mac computers 'infected with malware'" unquote

This is very alarming!  As for the rest of the article on http://www.bbc.co.uk/news/science-environment-17623422

I simply do not understand all the JARGON!


Mac OS X (10.7.2), Various
  • a brody Level 9 (65,753 points)

    This is called Misinformation.  Report it to http://www.apple.com/legal contacts and tell them they have a libel case on their hands.

  • thomas_r. Level 7 (30,742 points)

    First, make sure to turn off Java in any web browsers you use.  You should also update Java, which can be done by installing anything Java-related that shows up in Software Update.  But keep Java turned off anyway, if you don't need it for anything (which you probably don't).

     

    Second, if you think you may be infected, paste the following command into the Terminal:

     

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

     

    If the message that is returned is anything other than something about how this does not exist, then your copy of Safari is infected.  You should delete it and reinstall it.  (It can be downloaded here.)

     

    The problem is, if Safari is infected, other apps may be as well.  Some variants are known to add code to Skype as well, and it wouldn't be a surprise to find other browsers infected as well.  If Safari is infected, I would delete and reinstall Skype and any other web browser you have.

     

    If Safari is clean, that only means you don't have a "type 1" infection, you could still have type 2.  Run this:

     

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

     

    If that comes up with a message about how it does not exist, you're safe.  If not, you need to at a minimum delete a hidden file, which will be most easily done by running this command:

     

    rm ~/.MacOSX/environment.plist

     

    This will remove the active part of the malware, but will leave behind a couple pieces that should be inert.  Those are hard for a novice to find and identify, though, and shouldn't be able to do anything without the environment.plist file.

     

    For a more detailed explanation, see:

     

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

  • thomas_r. Level 7 (30,742 points)

    This is called Misinformation.

     

    How so?

  • bobwild Level 4 (1,625 points)

    Don't believe everything you read. Did they explain in detail how they established the estimate of half a million? Or did they pull the number out of some orifice?

     

    The malware is installed on some Macs, and each Mac owner should be aware of this malware: how to avoid it, how to detect it, and how to remove it.

     

    From a terminal app, run these commands. They do not do anything; they just read the values.

     

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

     

    They should return "does not exist":

    bob[18:52]~>defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    2012-04-06 08:07:43.011 defaults[5202:707]

    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    bob[08:07]~>defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    2012-04-06 08:07:43.072 defaults[5203:707]

    The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

    bob[08:07]~>defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    2012-04-06 08:07:52.905 defaults[5204:707]

    The domain/default pair of (/Users/bob/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

     

    If they return anything else, go here: how to remove Flashback
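
Both thomas_r.'s and bobwild's checks read the same two plist locations: the LSEnvironment key in an app bundle's Info.plist ("type 1") and DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist ("type 2"). The script below is an added example written for this page, not code from any poster or from Apple, F-Secure or Dr. Web. It performs the same inspection by parsing the plist files directly with Python's plistlib instead of calling `defaults`, so one run covers any list of bundles (Safari, Firefox and Skype are pre-filled from the thread) and it also works on a disk image mounted elsewhere. The temp-directory fixtures, the `com.example` bundle identifiers and the `.placeholder.so` library path are constructed for the demo and are not real indicators.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed placeholder used only in the demo fixtures; not a real indicator.
PLACEHOLDER_LIB = "/tmp/demo-bundle/Contents/Resources/.placeholder.so"


def read_plist(path):
    """Load an XML or binary plist, or return None when the file is absent."""
    path = Path(path)
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh)


def app_ls_environment(bundle):
    """'Type 1' indicator: the LSEnvironment dict in an app's Info.plist.

    Mirrors `defaults read <bundle>/Contents/Info LSEnvironment`. A normal
    bundle has no such key, so None means clean; any value is a finding.
    """
    info = read_plist(Path(bundle) / "Contents" / "Info.plist")
    if info is None:
        return None
    return info.get("LSEnvironment")


def user_dyld_insert_libraries(env_plist):
    """'Type 2' indicator: DYLD_INSERT_LIBRARIES in ~/.MacOSX/environment.plist.

    Mirrors `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES`.
    """
    env = read_plist(env_plist)
    if env is None:
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def scan(bundles, env_plist):
    """Return (indicator, location, value) tuples for every indicator present."""
    findings = []
    for bundle in bundles:
        ls_env = app_ls_environment(bundle)
        if ls_env is not None:
            findings.append(("LSEnvironment", str(bundle), ls_env))
    dyld = user_dyld_insert_libraries(env_plist)
    if dyld is not None:
        findings.append(("DYLD_INSERT_LIBRARIES", str(env_plist), dyld))
    return findings


def build_demo_fixtures():
    """Create a clean fake bundle, a flagged fake bundle and a flagged environment.plist.

    Everything here is constructed test data living in a fresh temp directory.
    """
    root = Path(tempfile.mkdtemp(prefix="flashback-demo-"))
    clean = root / "Clean.app"
    flagged = root / "Flagged.app"
    fixtures = (
        (clean, {}),
        (flagged, {"LSEnvironment": {"DYLD_INSERT_LIBRARIES": PLACEHOLDER_LIB}}),
    )
    for bundle, extra in fixtures:
        (bundle / "Contents").mkdir(parents=True)
        info = {"CFBundleIdentifier": f"com.example.{bundle.stem.lower()}"}
        info.update(extra)
        with (bundle / "Contents" / "Info.plist").open("wb") as fh:
            plistlib.dump(info, fh)
    env_plist = root / "environment.plist"
    with env_plist.open("wb") as fh:
        plistlib.dump({"DYLD_INSERT_LIBRARIES": PLACEHOLDER_LIB}, fh)
    return root, clean, flagged, env_plist


def real_mac_targets():
    """The locations named in the thread, for a live run on an actual Mac."""
    bundles = [Path("/Applications") / f"{name}.app" for name in ("Safari", "Firefox", "Skype")]
    return bundles, Path.home() / ".MacOSX" / "environment.plist"


if __name__ == "__main__":
    # Demo against the constructed fixtures: expect one hit per indicator type.
    root, clean, flagged, env_plist = build_demo_fixtures()
    for indicator, location, value in scan([clean, flagged], env_plist):
        print(f"{indicator} present in {location}: {value}")
    # Live check; on a non-Mac host none of the paths exist and nothing is reported.
    bundles, env = real_mac_targets()
    findings = scan(bundles, env)
    print("live check:", findings if findings else "no indicators found")
```

Reading the plist directly rather than via `defaults` means a reported value is the literal library path that would be injected, which is the detail you want to record before deleting and reinstalling the affected app.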

  • Barney-15E Level 8 (46,319 points)

    The business model for Anti-Virus software is to scare you into buying their product. The more disinformation they can spread, the better their chance to sell you something you don't need. My guess is you'll see a new Russian-made Anti-Virus program hit the market, soon.

     

    There is a valid threat with the new Flashback trojan, but most people do not have Java installed in the first place since it is not loaded unless needed. Very few people have need for Java, so just disabling it in Safari's preferences will be sufficient.

     

    I have a need for Java due to my classes, so I've had it enabled and haven't managed to let my computer get taken over. I'm not sure what websites you have to visit to get infected, but I apparently haven't been to any of them.

  • jsd2 Level 5 (6,200 points)

    This current article is by Adam Engst in TidBITS, a highly respected Apple resource for many years:

    How to Detect and Protect Against Updated Flashback Malware

     

    It includes the following:

    ---------------------

    Significant Infection Rates -- A Russian antivirus developer, Doctor Web, says their research shows more than 550,000 Macs have been infected after users visited compromised Web sites that contain JavaScript code to activate a malicious Java applet. Sorokin Ivan of Doctor Web later raised that estimate to over 600,000 in a tweet.

     

    Although we haven’t seen anything from Doctor Web before, the question of who they are came up on TidBITS Talk, where security analyst Brian McNett said:

     

        "The first I heard of Doctor Web was when they were referenced, and when Sorokin Ivan later responded via Twitter to Mikko Hypponen, Chief Research Officer of F-Secure. I know and trust Mikko. He uses reliable sources. Doctor Web appears to be a Russian outfit, with largely Russian clientele, so it wouldn't be unusual for their reputation to be unknown elsewhere. Their key discovery was that Flashback uses the MAC address of the infected machine as the User-Agent when connecting to its command-and-control server. This is a unique pattern that allowed them to track infections before anyone else. That they shared this finding publicly, along with their data, adds to their credibility."

     

    And, Mikko Hypponen said in a tweet that F-Secure has spoken with Doctor Web and that the infection numbers look real.

    ---------------------------------------------

     

    The entire TidBITS article is worth reading.

  • thomas_r. Level 7 (30,742 points)

    If you haven't even read the article, which did explain that they used a sinkhole technique to obtain the count, then why are you questioning its veracity?  Sinkholing involves redirecting traffic intended for the "command & control" server to an analysis server.  Dr. Web evidently worked with network authorities to do this and thus obtained counts from all the infected machines "phoning home" and reaching a Dr. Web server instead.

  • a brody Level 9 (65,753 points)

    Many people depend on Java for chat engines.  There are a lot of lonely people out there.

    Many use Java for radar weather reports.

    Many use Java for checking their internet speed.

    So for those people, it is important Java is secured.

  • bobwild Level 4 (1,625 points)

    Thanks for the info.

  • bobwild Level 4 (1,625 points)

    No, I didn't read the article, just the headlines, my bad. Thanks for correcting me.

  • a brody Level 9 (65,753 points)

    Overstating the numbers in a fashion to scare people.  I know many people who never bother updating.  Have they been "infected with malware"?  No.  Granted I'm probably going to update now to 10.7.3 and 10.6.8 so I can protect my machines, but I do back up my machines at least twice in case something doesn't work.

  • thomas_r. Level 7 (30,742 points)

    Do you have evidence to show that they have overstated the numbers?  Because, based on the methods used to obtain the count, they should be fairly accurate.  Probably low, in actuality, since I'm sure there's a new command & control server in place managing newer infections.  Unless you're saying that Dr. Web lied, and F-Secure backed them up in the lie, which is unlikely and probably libelous.

  • a brody Level 9 (65,753 points)

    I have no idea.  But if it is inaccurate, I'm sure the legal team would be happy to determine matters of fact when it comes to overstating a problem.  Every few months or so, another jealous PC fanatic comes in and claims that the Mac is vulnerable.  Apple releases a patch, or doesn't, and the world doesn't end.  We still have people coming in here with PowerPC Macs running Java who can't update their Java, because PowerPC is stuck on 10.5.8 or earlier.  Are they "infected"?  If they were, they probably couldn't operate their machine.  Am I going to now add to my ticket of troubleshooting PowerPC Macs, "did they run a Java applet before this happened?"  Probably not.  MacKeeper itself has been more a proven malware than the built-in Java support that has been in Mac OS X since it was started.  Only in Lion did Apple make Java optional.  So suffice it to say, it just looks like another one of those red herrings.

  • thomas_r. Level 7 (30,742 points)

    I'm not quite sure how to respond to that.  There's so much you said that is wrong or irrelevant that I'm not going to try to address it all point-by-point.  Suffice it to say that this has nothing to do with some "PC fanatic" claiming the Mac is vulnerable.  The Mac is vulnerable if you haven't installed the Java update, and many people don't bother installing those updates.  Pooh-poohing the issue does not make it go away for those who are affected by it.
