Disable Java in Safari

I have never installed Java in Lion, I just don't need it, but I noticed in Safari the tick box for 'enable Java' is still ticked, would turning this off disable prompts to install the JRE, or does it not matter? I find it odd that it's listed as enabled in Safari even though Lion does not come with Java installed. Any ideas would be appreciated as reducing any attack vector is always a good move, especially at this time.

iMac, Mac OS X (10.7.3), 21.5 Mid 2011 i7 2.8Ghz, 8Gb ram.

Posted on Apr 6, 2012 4:44 PM


Apr 7, 2012 4:51 AM in response to MadMacs0

MadMacs0 wrote:


Actually, the version that has been making the rounds for the last week or so is better described in http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

Yeah, I only gave that link in order to supply attribution for the quote in that post and to give some idea, not necessarily the most recent, of the infection process. It was getting late and I didn't have the energy to search for something more up to date.


Whether or not the user inputs the administrator password, the malware will attempt to infect the system, though entering the password will affect how the infection is done.


There was some doubt expressed here and in another thread in the Intel forum about the infection proceeding without any user interaction. The idea that one can only acquire a Trojan on a Mac through some social engineering that tricks a user into supplying a password has now passed into the realm of urban myth. Old habits die hard.



Courtesy of X423424X, a good basic test to see if the Trojan is lurking.


Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment


defaults read /Applications/Safari.app/Contents/Info LSEnvironment


ls -la ~/Library/LaunchAgents


grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.

I realize the topic of this thread refers to an infection that may have affected Safari, but for anyone using Firefox, run this command in Terminal.



defaults read /Applications/Firefox.app/Contents/Info LSEnvironment


And here's the one for Safari (I realize a brody gave another one)


defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Apr 7, 2012 12:59 PM in response to WZZZ

WZZZ wrote:

There was some doubt expressed here and in another thread in the Intel forum about the infection proceeding without any user interaction. The idea that one can only acquire a Trojan on a Mac through some social engineering that tricks a user into supplying a password has now passed into the realm of urban myth. Old habits die hard.

Yes, I may have seen some of that but was way too busy to respond. All I can tell you is that I've observed at least three users myself here since the weekend flurry of Little Snitch alerts, who said they saw and dismissed the request for Software Update admin password and dismissed it. They were proven to have been Type 2 infected, so I suppose if you want to count refusing to enter your password as "user interaction" one could, but that doesn't count in my book.

Courtesy of X423424X, a good basic test to see if the Trojan is lurking.


Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment


defaults read /Applications/Safari.app/Contents/Info LSEnvironment


ls -la ~/Library/LaunchAgents


grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.

I'm pretty sure I was in the room when X4 came up with his first draft of this even before the "K" variant showed up and have watched as it evolved to make it easier to use for ferreting things out. It doesn't tell you the exact variant or Type of infection, but at least it's useful in ruling out infection and giving one a starting point for exploring for more. Somebody, I think it was fane_j, came up with a slick AppleScript approach for those that won't touch Terminal with a ten foot pole, but that fell by the wayside. Edit: No sooner did I post this than I found etresoft's Malware Checker.


I think a brody's new approach is perhaps more elegant. And there is Topher's c|net article "How to remove the Flashback malware from OS X" which has four commands, the last of which I have not seen used before.


And for those that want a more traditional approach there are some tools starting to proliferate.


http://rsdeveloper.com/downloads/test4flashback.zip


and the free Dr.Web Light which I see is already at v6.0.5

I realize the topic of this thread refers to an infection that may have affected Safari, but for anyone using Firefox, run this command in Terminal.


defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

Which are for an older variant, but may still be around from that era. There's one for Chrome, as well, but I don't have it handy.

Apr 7, 2012 1:15 PM in response to MadMacs0

If I post my commands in the future I'll add the FF check to them. Also the grep I used has been modified slightly to,


grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"


Some users of AppCleaner, I think it was, have a launchagent referencing ~/.Trash.


Alternatively, maybe it's just easier to refer to etresoft's stuff. I need to take a closer look at that.
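
The checks discussed in this thread (the two `defaults read` lookups, the Firefox variant, the LaunchAgents listing, and the grep with the `~/.Trash` exclusion), combined into one script. This is an added example, not code from any poster; the function names and the `--run` switch are assumptions of the example, and it uses `$HOME` where the thread's grep uses `/Users/$USER`.

```shell
#!/bin/sh
# Added example: the thread's Terminal checks as one script. Function names
# and the --run switch are this example's own, not from the thread.

# Print LaunchAgents lines that reference a hidden file in the home folder,
# skipping ~/.Trash (the AppCleaner case). Status 0 = something was flagged.
scan_launch_agents() {
    agents_dir=$1
    home_dir=$2
    [ -d "$agents_dir" ] || return 1
    # -F treats the path as a literal string, so dots in a user name are safe
    grep -sHF "$home_dir/." "$agents_dir"/* | grep -vF "$home_dir/.Trash"
}

# The thread's rule for "defaults read": anything other than a
# "does not exist" error is worth posting. Status 0 = the domain/key exists.
check_defaults() {
    if val=$(defaults read "$@" 2>/dev/null); then
        printf 'FOUND: defaults read %s\n%s\n' "$*" "$val"
        return 0
    fi
    printf 'not present: defaults read %s\n' "$*"
    return 1
}

run_checks() {
    flagged=0
    if command -v defaults >/dev/null 2>&1; then
        check_defaults "$HOME/.MacOSX/environment" && flagged=1
        for app in Safari Firefox; do
            check_defaults "/Applications/$app.app/Contents/Info" LSEnvironment && flagged=1
        done
    else
        echo "defaults command not found; skipping the plist checks"
    fi
    ls -la "$HOME/Library/LaunchAgents" 2>/dev/null
    scan_launch_agents "$HOME/Library/LaunchAgents" "$HOME" && flagged=1
    [ "$flagged" -eq 1 ]   # status 0 = at least one check needs a closer look
}

if [ "${1:-}" = "--run" ]; then
    if run_checks; then echo "Possible Flashback indicators found; post the output."
    else echo "None of the checked indicators were found."; fi
fi
```

Saved to a file and started with `--run`, it prints what each check found; a clean result only rules out the indicators listed in this thread.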
