
Flashback Trojan

Any word yet from Apple about an "approved" way to check for the Flashback Trojan?

iMac, Mac OS X (10.7.3)

Posted on Apr 6, 2012 10:54 AM

9 replies

Apr 6, 2012 10:56 AM in response to micah238

In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and should disable the "Open 'safe' files after downloading" option in Apple's Safari browser, to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. JavaScript is something entirely different and should be left active.


http://www.appleinsider.com/articles/11/10/19/fake_adobe_flash_malware_seeks_to_disable_mac_os_x_anti_malware_protection.html


Flashback Trojan - Detection, and how to remove (with caution):


http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Apr 6, 2012 11:12 AM in response to micah238

Courtesy of X423424X


Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback trojans. Open a Terminal window, copy and paste each of the following lines, hitting Return after each one, and note the results:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results, then that too may indicate infection, and again, post its results.
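The three checks in the post above, scripted as one function so they can be run repeatedly and exercised against a constructed fixture. This is an added example, not code from the thread or from F-Secure. It reads the same artifacts the posted commands read: `defaults read ~/.MacOSX/environment` is backed by `~/.MacOSX/environment.plist`, the Safari check looks for an `LSEnvironment` key in Safari's `Info.plist`, and the LaunchAgents check is the same `/Users/$USER/\..*` grep. The fixture directory layout, the file names (`.hidden_payload.so`, `com.constructed.sample`) and the `make_fixture` helper are all constructed for the demo and are not real Flashback indicators; the `DYLD_INSERT_LIBRARIES` check is only an extra detail printed when that key is present.

```shell
#!/bin/sh
# Rudimentary Flashback indicator check, scripted from the three checks in the post above.
# Added example, not from the original thread. Paths are parameters so the function can be
# exercised against a constructed fixture on any Unix; on a real Mac you would call
#   flashback_check "$HOME" /Applications/Safari.app/Contents/Info.plist "$USER"

# flashback_check HOME_DIR SAFARI_INFO_PLIST USERNAME
# Prints each finding on stderr and echoes the number of indicators found on stdout.
flashback_check() {
    home="$1"; plist="$2"; user="$3"; hits=0

    # 1. `defaults read ~/.MacOSX/environment` reads this file; a clean Mac normally has none.
    if [ -f "$home/.MacOSX/environment.plist" ]; then
        echo "INDICATOR: $home/.MacOSX/environment.plist exists" >&2
        grep -q DYLD_INSERT_LIBRARIES "$home/.MacOSX/environment.plist" 2>/dev/null &&
            echo "  ... and it sets DYLD_INSERT_LIBRARIES (a library injected into every process)" >&2
        hits=$((hits + 1))
    fi

    # 2. `defaults read .../Safari.app/Contents/Info LSEnvironment` errors out on a clean
    #    install; any LSEnvironment key in Safari's Info.plist is suspect. Assumes an XML plist.
    if [ -f "$plist" ] && grep -q '<key>LSEnvironment</key>' "$plist"; then
        echo "INDICATOR: LSEnvironment key present in $plist" >&2
        hits=$((hits + 1))
    fi

    # 3. Same grep as the post: a LaunchAgent that runs a dotfile inside the user's home.
    #    (USERNAME is interpolated into a regex; fine for ordinary alphanumeric user names.)
    for agent in "$home"/Library/LaunchAgents/*; do
        [ -f "$agent" ] || continue
        if grep -q "/Users/$user/\..*" "$agent"; then
            echo "INDICATOR: $agent references a hidden file under /Users/$user:" >&2
            grep "/Users/$user/\..*" "$agent" >&2
            hits=$((hits + 1))
        fi
    done

    echo "$hits"
}

# make_fixture DIR clean|infected USERNAME
# Builds a constructed home/Safari layout for the demo. Sample data only, not real malware.
make_fixture() {
    dir="$1"; kind="$2"; user="$3"
    mkdir -p "$dir/home/Library/LaunchAgents" "$dir/Safari/Contents"
    # A benign agent whose program lives outside the home directory is present in both cases.
    printf '<plist><dict><key>Label</key><string>com.example.backup</string>\n<key>Program</key><string>/usr/local/bin/backup</string></dict></plist>\n' \
        > "$dir/home/Library/LaunchAgents/com.example.backup.plist"
    printf '<plist><dict><key>CFBundleName</key><string>Safari</string>\n' > "$dir/Safari/Contents/Info.plist"
    if [ "$kind" = infected ]; then
        mkdir -p "$dir/home/.MacOSX"
        printf '<plist><dict><key>DYLD_INSERT_LIBRARIES</key><string>/Users/%s/.hidden_payload.so</string></dict></plist>\n' "$user" \
            > "$dir/home/.MacOSX/environment.plist"
        printf '<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key><string>/Users/%s/.hidden_payload.so</string></dict>\n' "$user" \
            >> "$dir/Safari/Contents/Info.plist"
        printf '<plist><dict><key>Label</key><string>com.constructed.sample</string>\n<key>ProgramArguments</key><array><string>/Users/%s/.hidden_agent</string></array></dict></plist>\n' "$user" \
            > "$dir/home/Library/LaunchAgents/com.constructed.sample.plist"
    fi
    printf '</dict></plist>\n' >> "$dir/Safari/Contents/Info.plist"
}

# Demo: one clean and one "infected" fixture, then the check against each.
demo() {
    tmp=$(mktemp -d); user=${USER:-$(id -un)}
    make_fixture "$tmp/clean" clean "$user"
    make_fixture "$tmp/bad" infected "$user"
    echo "clean fixture indicators:    $(flashback_check "$tmp/clean/home" "$tmp/clean/Safari/Contents/Info.plist" "$user")"
    echo "infected fixture indicators: $(flashback_check "$tmp/bad/home" "$tmp/bad/Safari/Contents/Info.plist" "$user")"
    rm -rf "$tmp"
}

demo
```

Two caveats when pointing this at a real Mac rather than the fixture: Apple ships many `Info.plist` files as binary plists, which the `grep` in check 2 cannot read, so the posted `defaults read` command (which parses either format) remains the authoritative check; and, as the post says, a LaunchAgent hit only *may* indicate infection, because legitimate software can also launch things from a dotfile in the home directory, so inspect what the grep prints rather than treating the count alone as a verdict.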

Apr 27, 2012 9:16 PM in response to WZZZ

For the first default I got "Safari can’t open the page “http://defaults%20read%20~/.MacOSX/environment” because the page’s address isn’t valid."

For the second I got "Safari can’t open the page “http://defaults%20read%20/Applications/Safari.app/Contents/Info%20LSEnvironmentl s%20-la%20~/Library/LaunchAgents” because Safari can’t find the server “defaults%20read%20”."

And the third command I got, "Safari can’t open the page “http://grep%20"/Users/$USER/\..*"%20~/Library/LaunchAgents/*” because the page’s address isn’t valid."


DOES THIS MEAN I AM INFECTED??? Help please!

Apr 27, 2012 9:25 PM in response to PaolaRN

First, you don't do those commands in a browser; you enter them into a Terminal (in Utilities) window, as mentioned in the paragraphs prior to those commands.


Second, you are picking up on a post that was dated April 6. Since that time things have changed, and other Flashback detectors have come along. Specifically, go to F-Secure's Flashback Removal Tool web page, download their Flashback trojan detection/removal tool, and follow the instructions you find there.


Third, Apple has released Java updates which also attempt to detect and remove Flashback strains.


Java for OS X Lion 2012-003


Java for Mac OS X 10.6 Update 8

Apr 27, 2012 9:29 PM in response to PaolaRN

No, not at all! Run Software Update on your computer if you are using OS X 10.6.x or 10.7.x and have not done so since April 13th. You will download:


http://support.apple.com/kb/DL1517


and you will also bring your system up-to-date for all the security updates it needs. Install all other updates Apple recommends for your system, these will also be included in Software Update.

Apr 27, 2012 9:42 PM in response to X423424X

Oh okay, that makes sense. I am not too computer savvy. I have just been having computer issues and thought it could be the trojan. I went to F-Secure's website and I downloaded the zip; it said I don't have the malware 🙂. Is this sufficient?


I am still on Leopard, version 10.5.8, so I cannot try those other downloads you provided.

Apr 28, 2012 4:51 AM in response to PaolaRN

I went to F-Secure's website and I downloaded the zip; it said I don't have the malware 🙂. Is this sufficient?

Probably, unless it can't find a newer variant. It's good up to 4/11.


I wonder if anyone's got a detection tool or if there's any AV that includes the latest variants... or if that's even necessary?
