9 Replies Latest reply: Apr 28, 2012 4:51 AM by WZZZ
micah238 Level 1 (0 points)

Any word yet from Apple about an "approved" way to check for the Flashback Trojan?

iMac, Mac OS X (10.7.3)
  • Klaus1 Level 8 (47,755 points)

    In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. JavaScript is something entirely different and should be left active.


    http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html


    Flashback Trojan - Detection, and how to remove (with caution):



  • WZZZ Level 6 (12,855 points)

    Courtesy X423424X


    Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback Trojans. Open a terminal window, copy/paste each of the following lines, hitting return after each one, and note the results:


    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


    For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.


    The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection, and again post its results.
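
    The four manual checks above wrapped into one script, as an added example that is not from the thread or from X423424X. It takes the home directory and Safari's Info.plist path as parameters (so it can be run against a copied home directory or constructed test files), assumes XML-format plists and therefore greps rather than calling `defaults read`, and returns non-zero when any indicator is present:

```shell
#!/bin/sh
# Added example (not from the thread): the four manual checks above wrapped
# into one function. Paths are parameters so it can run against a copied home
# directory or test fixtures. Assumes XML (text) plists, so it greps instead
# of calling `defaults read`; convert binary plists with `plutil -convert xml1`.
# Return status: 0 = no indicator found, 1 = at least one indicator found.
flashback_check() {
    home_dir=$1        # e.g. /Users/alice (or "$HOME")
    safari_info=$2     # e.g. /Applications/Safari.app/Contents/Info.plist
    user=$(basename "$home_dir")
    found=0

    # 1. ~/.MacOSX/environment.plist does not exist on a normal install.
    #    Flashback used it (and LSEnvironment) to set DYLD_INSERT_LIBRARIES,
    #    which makes dyld load its library into every process / into Safari.
    env_plist="$home_dir/.MacOSX/environment.plist"
    if [ -f "$env_plist" ]; then
        echo "INDICATOR: $env_plist exists"
        grep -a -n 'DYLD_INSERT_LIBRARIES' "$env_plist" || true
        found=1
    fi

    # 2. Safari's Info.plist should carry no LSEnvironment dictionary.
    if [ -f "$safari_info" ] && grep -a -q '<key>LSEnvironment</key>' "$safari_info"; then
        echo "INDICATOR: LSEnvironment key present in $safari_info"
        found=1
    fi

    # 3 and 4. List the user's LaunchAgents and flag any that reference a
    #          hidden file under the home directory (the thread's grep).
    agents="$home_dir/Library/LaunchAgents"
    if [ -d "$agents" ]; then
        ls -la "$agents"
        for f in "$agents"/*; do
            [ -f "$f" ] || continue
            if grep -a -q "/Users/$user/\..*" "$f"; then
                echo "INDICATOR: $f references a hidden file under /Users/$user"
                found=1
            fi
        done
    fi
    return $found
}

# Run directly on a Mac:  sh flashback_check.sh "$HOME"
if [ -n "${1:-}" ]; then
    flashback_check "$1" "${2:-/Applications/Safari.app/Contents/Info.plist}"
fi
```

    A result of 0 only means none of these particular indicators was found; like the manual commands it covers only the strains that use these persistence locations.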

  • PaolaRN Level 1 (0 points)

    For the first default I got "Safari can’t open the page “http://defaults%20read%20~/.MacOSX/environment” because the page’s address isn’t valid."

    For the second I got "Safari can’t open the page “http://defaults%20read%20/Applications/Safari.app/Contents/Info%20LSEnvironmentl s%20-la%20~/Library/LaunchAgents” because Safari can’t find the server “defaults%20read%20”."

    And for the third command I got, "Safari can’t open the page “http://grep%20"/Users/$USER/\..*"%20~/Library/LaunchAgents/*” because the page’s address isn’t valid."


    DOES THIS MEAN I AM INFECTED??? Help please!

  • X423424X Level 6 (14,215 points)

    First, you don't do those commands in a browser, you enter them into a terminal (in Utilities) window as mentioned in the paragraphs prior to those commands.


    Second, you are picking up on a post that was dated April 6. Since that time things have changed, and other Flashback detectors have come along. Specifically, go to F-Secure's Flashback Removal Tool web page, download their Flashback Trojan detection/removal tool, and follow the instructions you find there.


    Third, Apple has released Java updates which also attempt to detect and remove Flashback strains.


    Java for OS X Lion 2012-003


    Java for Mac OS X 10.6 Update 8

  • rkaufmann87 Level 9 (55,258 points)

    No, not at all! Run Software Update on your computer if you are using OS X 10.6.x or 10.7.x and have not done so since April 13th. You will download:




    and you will also bring your system up to date for all the security updates it needs. Install all other updates Apple recommends for your system; these will also be included in Software Update.

  • PaolaRN Level 1 (0 points)

    Oh okay, that makes sense. I am not too computer savvy. I have just been having computer issues and thought it could be the Trojan. I went to F-Secure's website and I downloaded the zip; it said I don't have the malware. Is this sufficient?


    I am still on Leopard, version 10.5.8, so I cannot try those other downloads you provided.

  • rkaufmann87 Level 9 (55,258 points)

    I am not familiar with F-Secure so I can't recommend their application. If you are not in the habit of running Java-based applications and/or have not installed Java then your system is fine. However, to be sure, re-read WZZZ's post above and look at how to detect and uninstall the Trojan if necessary.

  • PaolaRN Level 1 (0 points)

    I did it the right way, going to "Utilities" and using a terminal, not a browser window (I feel so dumb for doing that). I got appropriate answers, so I am assuming I am not infected. Thank you!

  • WZZZ Level 6 (12,855 points)

    I went to F-Secure's website and I downloaded the zip; it said I don't have the malware. Is this sufficient?

    Probably, unless it can't find a newer variant. It's good up to 4/11.


    I wonder if anyone's got a detection tool or if there's any AV that includes the latest variants...or if that's even necessary?