22 Replies Latest reply: Apr 12, 2012 5:35 PM by Chametzoo
Chametzoo Level 1 (55 points)

Hi all,

I recently posted one of the trillions of discussions regarding the Flashback virus here:

file://localhost/Users/michaelm/Desktop/Power%20PC%20apps%20crash%20on%20startup %20in%20OS...-%20Apple%20Support%20Communities.webloc

I confirmed that my 10.5.8 Leopard run Mac Pro did indeed have the virus.  All the behaviors were there: Power PC/Rosetta run apps were crashing on start up and the Terminal utility showed the presence of the dreaded DYLD_INSERT_LIBRARIES.  After that, I was out of town for about a week and the Mac Pro was shut down for that period and upon my return, I was to wipe and reinstall to start fresh.  While away, I read some more articles about the virus and some remedies and removal techniques, so I returned home hopeful that the wipe and reinstall would not be necessary.

But.... when I fired up the Mac Pro today after a week of being shut down, it seems the virus was gone.  ???  Is this possible?  I entered the following lines in Terminal and got 'does not exist' on all of them!

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

My older Power PC/Rosetta run apps started up fine with no crashes.  I also turned off Java in Safari preferences.  So the question is, what to do now? Should I immediately update to 10.6 Snow Leopard (I have too many Rosetta run apps right now to shift to Lion) and get all native software up to date?  I would imagine that Snow Leopard would be safer at this point than my old Leopard.  Should I install a Mac virus protection app as well?  Should I also keep Java OFF at all times?

Thanks! Mike


Mac Pro Quad Core Intel Xeon / Macbook 2.4GHz, Mac OS X (10.5.8)
  • BDAqua Level 10 (122,202 points)

    Hi Mike, this thing is changing, so it may even move itself around, or uninstall some things to hide or change itself.

    Disable Java in your Browser settings, not JavaScript.

    http://support.apple.com/kb/HT5241?viewlocale=en_US

    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064

    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

    Flashback - Detect and remove the uprising Mac OS X Trojan...

    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html

    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

    /Library/Little Snitch

    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode

    /Applications/VirusBarrier X6.app

    /Applications/iAntiVirus/iAntiVirus.app

    /Applications/avast!.app

    /Applications/ClamXav.app

    /Applications/HTTPScoop.app

    /Applications/Packet Peeper.app

    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/

    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660

    The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.

    Check now whether your Mac is infected by Backdoor.Flashback.39!

    http://public.dev.drweb.com/april/

  • WZZZ Level 6 (12,845 points)

    You might try scanning with Sophos Home Free. They probably have up to date definitions. There's also this out from Kaspersky.

    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

  • BDAqua Level 10 (122,202 points)

    Thanks W!

  • Chametzoo Level 1 (55 points)

    BD... All good information.  Thanks.  I do not have any anti-virus software so I don't think Flashback has deleted itself for that reason.... and my hardware UUID checked out OK with Dr. Web.  Is the free Dr. Web Light useful?  Would updating to 10.6 from my current 10.5 be helpful?  I don't think 10.5 gets any security updates or any service at all anymore from Apple.  Mike

  • Chametzoo Level 1 (55 points)

    Thanks W.... Is there a preferred protection?  Kaspersky, Sophos or Dr. Web???  Where specifically can I find the Java update for 10.5.8 (Safari 5.0.8)?  Should I update my system software from 10.5 to 10.6?  Right now no indicators are telling me that I have the virus, although I confirmed it a week ago, before I shut my computer down for a week.  Right now I have no virus software that might induce the malware to delete itself.

  • WZZZ Level 6 (12,845 points)

    I recommended the Kaspersky and the Sophos as an infection scanner, since you said you were infected. No way it would have completely disappeared by itself, unless, maybe, you're now using a different account. It first gets installed to the user, then spreads to the system.

    What indicators are telling you you don't have it?

    The Java update is for 10.6 and above, but disabling Java is really the best bet, even with the update.

  • Chametzoo Level 1 (55 points)

    Thanks, WZZZ.  No... I'm still using the same account.  This is a personal/one man business computer, so I'm the administrator account.  Originally I checked the spread of the malware by signing in under a different user, and there were no Flashback symptoms within that account.

    What's telling me I don't have it (at least to the same extent I did before) is that ALL of my Power PC/Rosetta apps are launching with no crashing.  This was happening regularly before.  Apps like Quicken 2007, Filemaker Pro 6, etc, etc.  As well, I fed the following lines into Terminal:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    ...and got 'does not exist' for each one.  I can say with some certainty that at the very least, DYLD_INSERT_LIBRARIES did come up positive last week.... but not now.  I'll also remind that until today, my Mac Pro was completely shut down for about a week while I was away.  Perhaps this arrested or at least slowed down the progress of the malware?  This morning, I also disabled Java within Safari's prefs.  I also have NO anti-viral or screening software on this system.  I'm using 10.5.8.  Mike

  • WZZZ Level 6 (12,845 points)

    What's telling me I don't have it (at least to the same extent I did before) is that ALL of my Power PC/Rosetta apps are launching with no crashing.  This was happening regularly before.  Apps like Quicken 2007, Filemaker Pro 6, etc, etc.

    They might have modified the code so that PPC apps no longer crash. That was a bug in one variant that was a tip off that there was an infection, so they probably took that out.

    I'd definitely run the Kaspersky tool EDIT strike running the Kaspersky tool. Some users are reporting problems with it.  Run these commands, courtesy of X4

    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

    (Run the Safari.app one, but also substitute "browser.app" for whatever browser you use.)

    For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

    The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.
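The checks traded back and forth in this thread (the `defaults read` of `~/.MacOSX/environment` and of a browser's `Info.plist` `LSEnvironment`, plus the `grep` over `~/Library/LaunchAgents` that ignores `.Trash`) amount to three yes/no questions about plist contents. The script below is an added example, not code from the thread, from X4, or from any of the vendors named here; it answers the same three questions by parsing the plists with Python's `plistlib` (which reads the binary plists `defaults write` produces as well as XML ones) instead of shelling out to `defaults`, and it runs against a constructed sample home directory so it can be tried anywhere. The user name `demo`, the agent names `com.demo.*`, and the path `.libdemo.so` are made up for the demonstration and are not indicators from the page.

```python
"""Added example: the thread's three Flashback indicator checks, done by
parsing plists directly. The sample tree is constructed; nothing touches ~."""
import os
import plistlib
import tempfile


def read_plist(path):
    """Load a plist as a dict; None if it is missing or not a dict plist."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None
    return data if isinstance(data, dict) else None


def check_user_environment(home):
    """Same question as: defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"""
    data = read_plist(os.path.join(home, ".MacOSX", "environment.plist"))
    if data and "DYLD_INSERT_LIBRARIES" in data:
        return ["environment.plist sets DYLD_INSERT_LIBRARIES=%s" % data["DYLD_INSERT_LIBRARIES"]]
    return []


def check_app_lsenvironment(app_path):
    """Same question as: defaults read /Applications/X.app/Contents/Info LSEnvironment"""
    data = read_plist(os.path.join(app_path, "Contents", "Info.plist"))
    if data and "LSEnvironment" in data:
        return ["%s Info.plist has LSEnvironment=%r" % (os.path.basename(app_path), data["LSEnvironment"])]
    return []


def _hidden_home_refs(value, home):
    """Yield strings anywhere in a plist value that mention a dot-file under home,
    skipping .Trash: the grep "/Users/$USER/\\..*" | grep -v .Trash pair."""
    hidden, trash = home + "/.", home + "/.Trash"
    if isinstance(value, str):
        if hidden in value and trash not in value:
            yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _hidden_home_refs(item, home)
    elif isinstance(value, list):
        for item in value:
            yield from _hidden_home_refs(item, home)


def check_launch_agents(home):
    """Walk ~/Library/LaunchAgents and report agents pointing at hidden paths."""
    findings = []
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    if not os.path.isdir(agents_dir):
        return findings
    for name in sorted(os.listdir(agents_dir)):
        data = read_plist(os.path.join(agents_dir, name))
        if data is None:
            continue
        for ref in _hidden_home_refs(data, home):
            findings.append("LaunchAgents/%s references hidden path %s" % (name, ref))
    return findings


def flashback_indicators(home, app_paths):
    """Run all three checks; an empty list is the 'does not exist' outcome."""
    findings = check_user_environment(home)
    for app in app_paths:
        findings += check_app_lsenvironment(app)
    findings += check_launch_agents(home)
    return findings


def _write_plist(path, data):
    with open(path, "wb") as fh:  # binary, like `defaults write` on 10.5
        plistlib.dump(data, fh, fmt=plistlib.FMT_BINARY)


def build_fixture(infected):
    """Constructed sample tree: a clean home with one ordinary LaunchAgent and a
    Safari.app Info.plist; with infected=True all three indicators are written in."""
    root = tempfile.mkdtemp(prefix="flashback_demo_")
    home = os.path.join(root, "Users", "demo")
    agents = os.path.join(home, "Library", "LaunchAgents")
    safari = os.path.join(root, "Applications", "Safari.app")
    os.makedirs(os.path.join(home, ".MacOSX"))
    os.makedirs(agents)
    os.makedirs(os.path.join(safari, "Contents"))
    info = {"CFBundleIdentifier": "com.apple.Safari"}
    _write_plist(os.path.join(agents, "com.example.updater.plist"),
                 {"Label": "com.example.updater",
                  "ProgramArguments": ["/Applications/Updater.app/Contents/MacOS/Updater"]})
    if infected:
        lib = home + "/.libdemo.so"  # made-up path for the demo, not a real indicator
        _write_plist(os.path.join(home, ".MacOSX", "environment.plist"), {"DYLD_INSERT_LIBRARIES": lib})
        info["LSEnvironment"] = {"DYLD_INSERT_LIBRARIES": lib}
        _write_plist(os.path.join(agents, "com.demo.agent.plist"),
                     {"Label": "com.demo.agent", "ProgramArguments": [home + "/.hidden/agent"]})
        # a reference into .Trash must NOT count, just as the grep -v drops it
        _write_plist(os.path.join(agents, "com.demo.trash.plist"),
                     {"Label": "com.demo.trash", "ProgramArguments": [home + "/.Trash/old"]})
    _write_plist(os.path.join(safari, "Contents", "Info.plist"), info)
    return home, [safari]


if __name__ == "__main__":
    for state in (False, True):
        home, apps = build_fixture(infected=state)
        print("infected=%s:" % state, flashback_indicators(home, apps) or "nothing found")
```

On a real Mac you would call `flashback_indicators(os.path.expanduser("~"), ["/Applications/Safari.app", "/Applications/Firefox.app"])` and, as the reply above says, treat any non-empty result as something to post rather than interpret alone. The `.Trash` exclusion matters because a LaunchAgent left over from an uninstalled app can legitimately point into the trash; the recursion over dicts and lists is what lets the check find a hidden path in `ProgramArguments` or any other key rather than only at the top level.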

  • Chametzoo Level 1 (55 points)

    Thanks again.... invaluable information.  Here's the results of the commands:

    The 2 defaults commands, in order:

    Domain /Users/michaelm/.MacOSX/environment does not exist

    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    The ls command:

    total 16

    drwxr-xr-x   4 michaelm  admin   136 Feb  2  2011 .

    drwxrwxr-x@ 60 michaelm  admin  2040 Apr  4 11:34 ..

    -rw-r--r--   1 michaelm  admin   292 Sep 26  2008 com.Livestation.plist

    -rw-r--r--   1 michaelm  admin   671 Sep  8  2010 com.adobe.AAM.Updater-1.0.plist

    The grep command:

    Nothing returned.  When entered, it just produced a new prompt.

    Doesn't appear that anything indicates infection???  Mike


  • WZZZ Level 6 (12,845 points)

    As far as I can tell, nothing there. I don't know what to make of this. Why not try a scan with Sophos?

    http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

    If it doesn't cause any problems, slow downs etc. leave it. If it does, then uninstall it after finishing the scan. It will probably bring up some Windows malware/viruses you've picked up from mail.

    http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

    To uninstall

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Removing-Sophos-Anti-Virus-for-Mac-Home-Edition/td-p/37/page/7

    EDIT: just discovered F-Secure has a Flashback detection and removal tool.

    http://www.f-secure.com/weblog/archives/00002346.html

  • Chametzoo Level 1 (55 points)

    Just ran the F-Secure and it said no virus.  This thing is only 140KB.... do I have the right app?  Mike

  • WZZZ Level 6 (12,845 points)

    It's only a script. 'Doesn't need to be very big.

  • Chametzoo Level 1 (55 points)

    Is it worth trying the Sophos?

  • WZZZ Level 6 (12,845 points)

    If it were my computer and I'd seen the Trojan and then it disappeared, I really don't know what I'd do. I think I'd be kind of freaked out. I suppose it would be good if something could confirm you still have it, so you'd then know it's worth going through a laborious reinstall. I'd probably run Sophos and see what it comes up with, if anything. I'm really flummoxed here.

    Here's the laborious reinstall. Probably the safest way to go.

    https://discussions.apple.com/message/18095980#18095980

    Before doing that, I'd put Little Snitch on it to see if anything is making connections to the mothership.

    http://www.obdev.at/products/littlesnitch/index.html
