
What should one do about this - in SIMPLE words please: quote "Half a million Mac computers 'infected with malware" unquote

What should one do about this - in SIMPLE words please:

quote "Half a million Mac computers 'infected with malware" unquote

This is very alarming! As for the rest of the article on http://www.bbc.co.uk/news/science-environment-17623422

I simply do not understand all the JARGON!

Mac OS X (10.7.2), Various

Posted on Apr 6, 2012 2:51 AM

43 replies

Apr 6, 2012 5:05 AM in response to Leciaatapple

First, make sure to turn off Java in any web browsers you use. You should also update Java, which can be done by installing anything Java-related that shows up in Software Update. But keep Java turned off anyway, if you don't need it for anything (which you probably don't).


Second, if you think you may be infected, paste the following command into the Terminal:


defaults read /Applications/Safari.app/Contents/Info LSEnvironment


If the message that is returned is anything other than something about how this does not exist, then your copy of Safari is infected. You should delete it and reinstall it. (It can be downloaded here.)


The problem is, if Safari is infected, other apps may be as well. Some variants are known to add code to Skype as well, and it wouldn't be a surprise to find other browsers infected as well. If Safari is infected, I would delete and reinstall Skype and any other web browser you have.


If Safari is clean, that only means you don't have a "type 1" infection, you could still have type 2. Run this:


defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


If that comes up with a message about how it does not exist, you're safe. If not, you need to at a minimum delete a hidden file, which will be most easily done by running this command:


rm ~/.MacOSX/environment.plist


This will remove the active part of the malware, but will leave behind a couple pieces that should be inert. Those are hard for a novice to find and identify, though, and shouldn't be able to do anything without the environment.plist file.


For a more detailed explanation, see:


http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

Apr 6, 2012 5:10 AM in response to Leciaatapple

Don't believe everything you read. Did they explain in detail how they established the estimate of half a million? Or did they pull the number out of some orifice?


The malware is installed on some Macs, and each Mac owner should be aware of this kind of malware, how to avoid it, how to detect it, and how to remove it.


From a terminal app, run these commands. They do not do anything; they just read the values.


defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


They should return "does not exist":

bob[18:52]~>defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2012-04-06 08:07:43.011 defaults[5202:707]

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

bob[08:07]~>defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

2012-04-06 08:07:43.072 defaults[5203:707]

The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

bob[08:07]~>defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

2012-04-06 08:07:52.905 defaults[5204:707]

The domain/default pair of (/Users/bob/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist


If they return anything else, go here: how to remove Flashback
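The two replies above give the same read-only checks one command at a time. The script below is an added example, not code posted in this thread, that wraps those checks so one run prints a verdict per location. It assumes it is run on the Mac being examined, where the built-in `defaults` tool exists; the file name `flashback_check.sh` and the clean/suspect wording are my own. It only reads; it removes nothing.

```shell
#!/bin/sh
# Added example, not code from the thread: the read-only "defaults read"
# checks from the two replies above, wrapped so that one run prints a verdict
# per location. Assumes it is run on the Mac being checked, where the built-in
# "defaults" tool exists. It only reads; it removes nothing.

# Turn the output of one "defaults read" call into a verdict.
# The key being absent is the healthy state, so "does not exist" means clean;
# anything else (a printed value, or an unexpected error) is flagged for a look.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *)                  echo suspect ;;
    esac
}

# $1 = plist path without the .plist suffix, $2 = key. Returns 0 when clean.
# stderr is merged because "defaults" reports a missing key on stderr, and
# "|| true" keeps the tool's non-zero exit from aborting the script.
check_key() {
    out=$(defaults read "$1" "$2" 2>&1 || true)
    verdict=$(classify_defaults_output "$out")
    printf '%-8s %s  %s\n' "$verdict" "$1" "$2"
    [ "$verdict" = clean ]
}

# "Type 1" lives in a browser's Info.plist (LSEnvironment); "type 2" in the
# per-user ~/.MacOSX/environment.plist (DYLD_INSERT_LIBRARIES).
# Firefox is checked only when it is installed.
run_flashback_checks() {
    status=0
    check_key /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    if [ -d /Applications/Firefox.app ]; then
        check_key /Applications/Firefox.app/Contents/Info LSEnvironment || status=1
    fi
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    # The file itself is worth reporting even when the key is absent.
    if [ -f "$HOME/.MacOSX/environment.plist" ]; then
        echo "note: $HOME/.MacOSX/environment.plist exists; look at it before removing anything"
        status=1
    fi
    return "$status"
}

# Live checks run only when the script is executed under this file name,
# so the functions above can also be sourced and called individually.
case "$0" in
    *flashback_check.sh) run_flashback_checks ;;
esac
```

Save it as `flashback_check.sh`, run `sh flashback_check.sh`, and read the first column of each line: every line should say `clean`. A `suspect` line means the key exists, which is exactly the case the replies say to act on; the exit status is non-zero in that case so the script can also be used from a larger check.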

Apr 6, 2012 5:10 AM in response to Leciaatapple

The business model for Anti-Virus software is to scare you into buying their product. The more disinformation they can spread, the better their chance to sell you something you don't need. My guess is you'll see a new Russian-made Anti-Virus program hit the market, soon.


There is a valid threat with the new Flashback trojan, but most people do not have Java installed in the first place since it is not loaded unless needed. Very few people have need for Java, so just disabling it in Safari's preferences will be sufficient.


I have a need for Java due to my classes, so I've had it enabled and haven't managed to let my computer get taken over. I'm not sure what websites you have to visit to get infected, but I apparently haven't been to any of them.

Apr 6, 2012 5:30 AM in response to bobwild

This current article is by Adam Engst in TidBITS, a highly respected Apple resource for many years:

How to Detect and Protect Against Updated Flashback Malware


It includes the following:

---------------------

Significant Infection Rates -- A Russian antivirus developer, Doctor Web, says their research shows more than 550,000 Macs have been infected after users visited compromised Web sites that contain JavaScript code to activate a malicious Java applet. Sorokin Ivan of Doctor Web later raised that estimate to over 600,000 in a tweet.


Although we haven’t seen anything from Doctor Web before, the question of who they are came up on TidBITS Talk, where security analyst Brian McNett said:


"The first I heard of Doctor Web was when they were referenced, and when Sorokin Ivan later responded via Twitter to Mikko Hypponen, Chief Research Officer of F-Secure. I know and trust Mikko. He uses reliable sources. Doctor Web appears to be a Russian outfit, with largely Russian clientele, so it wouldn't be unusual for their reputation to be unknown elsewhere. Their key discovery was that Flashback uses the MAC address of the infected machine as the User-Agent when connecting to its command-and-control server. This is a unique pattern that allowed them to track infections before anyone else. That they shared this finding publicly, along with their data, adds to their credibility."


And, Mikko Hypponen said in a tweet that F-Secure has spoken with Doctor Web and that the infection numbers look real.

---------------------------------------------


The entire TidBITS article is worth reading.

Apr 6, 2012 5:38 AM in response to bobwild

If you haven't even read the article, which did explain that they used a sinkhole technique to obtain the count, then why are you questioning its veracity? Sinkholing involves redirecting traffic intended for the "command & control" server to an analysis server. Dr. Web evidently worked with network authorities to do this and thus obtained counts from all the infected machines "phoning home" and reaching a Dr. Web server instead.
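The post above describes the counting method in words: infected machines phone home to a server the researchers control, and the quoted TidBITS passage earlier notes that each connection carries the machine's MAC address as the User-Agent. As an added illustration, not part of this post or of Dr. Web's work, the script below shows how such a sinkhole log would be turned into a count of distinct infected machines. The log lines are constructed in Apache combined format with made-up MAC addresses; the function names are my own.

```shell
#!/bin/sh
# Added illustration, not from the thread: counting distinct infected machines
# from a sinkhole web log, the idea the post above describes in words.
# The sample below is constructed; the MAC addresses are made up.

SAMPLE_SINKHOLE_LOG='203.0.113.10 - - [06/Apr/2012:08:07:43 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "00:11:22:33:44:55"
203.0.113.11 - - [06/Apr/2012:08:07:44 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "66:77:88:99:aa:bb"
203.0.113.10 - - [06/Apr/2012:08:09:01 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "00:11:22:33:44:55"
198.51.100.7 - - [06/Apr/2012:08:09:05 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2)"
203.0.113.12 - - [06/Apr/2012:08:10:30 +0000] "GET /index.php HTTP/1.1" 200 12 "-" "CC:DD:EE:FF:00:11"'

# Read combined-format log lines on stdin and print, per distinct User-Agent
# that is a bare MAC address, how many times it phoned home. Splitting on the
# double quote makes the User-Agent the sixth field; an ordinary browser
# User-Agent (like the robots.txt request) does not match and is ignored.
# The hex-pair pattern is built as a string so it works in any awk.
list_sinkhole_victims() {
    awk -F'"' '
        BEGIN {
            h  = "[0-9A-Fa-f][0-9A-Fa-f]"
            re = "^" h ":" h ":" h ":" h ":" h ":" h "$"
        }
        $6 ~ re { seen[tolower($6)]++ }
        END { for (k in seen) print seen[k], k }
    ' | sort
}

# Print only the number of distinct machines, the figure the post is about.
count_sinkhole_victims() {
    list_sinkhole_victims | awk 'END { print NR }'
}

# When executed directly, show both views of the constructed sample.
case "$0" in
    *sinkhole_count.sh)
        printf '%s\n' "$SAMPLE_SINKHOLE_LOG" | list_sinkhole_victims
        printf 'distinct machines: %s\n' "$(printf '%s\n' "$SAMPLE_SINKHOLE_LOG" | count_sinkhole_victims)"
        ;;
esac
```

Note what the count is and is not: it is the number of distinct MAC addresses that reached the sinkhole, so one machine that checked in twice is counted once, while any infected machine that never reached this server (because it was pointed at a different command-and-control host, as the next post suggests) is not counted at all. That is why the commenters describe the figure as a lower bound rather than an overstatement.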

Apr 6, 2012 6:29 AM in response to a brody

Do you have evidence to show that they have overstated the numbers? Because, based on the methods used to obtain the count, they should be fairly accurate. Probably low, in actuality, since I'm sure there's a new command & control server in place managing newer infections. Unless you're saying that Dr. Web lied, and F-Secure backed them up in the lie, which is unlikely and probably libelous.

Apr 6, 2012 6:44 AM in response to thomas_r.

I have no idea. But if it is inaccurate, I'm sure the legal team would be happy to determine matters of fact when it comes to overstating a problem. Every few months or so, another jealous PC fanatic comes in and claims that the Mac is vulnerable. Apple releases a patch, or doesn't, and the world doesn't end. We still have people coming in here with PowerPC Macs running Java who can't update their Java, because PowerPC is stuck on 10.5.8 or earlier. Are they "infected?" If they were, they probably couldn't operate their machine. Am I going to now add to my ticket of troubleshooting PowerPC Macs, did they run a Java applet before this happened? Probably not. MacKeeper itself has been more a proven malware than the built-in Java support that has been in Mac OS X since it was started. Only in Lion did Apple make Java optional. So suffice it to say, it just looks like another one of those red herrings.

Apr 6, 2012 6:59 AM in response to a brody

I'm not quite sure how to respond to that. There's so much you said that is wrong or irrelevant that I'm not going to try to address it all point-by-point. Suffice it to say that this has nothing to do with some "PC fanatic" claiming the Mac is vulnerable. The Mac is vulnerable if you haven't installed the Java update, and many people don't bother installing those updates. Pooh-poohing the issue does not make it go away for those who are affected by it.

