18 Replies Latest reply: Apr 19, 2012 12:32 AM by MadMacs0
Exsiss Level 1 (0 points)

My university emailed me saying they detected Flashback on my Mac and that they were taking my network privileges away until I wiped my hard drive and reinstalled the OS. I immediately got on Terminal and inputted the lines of code:

 

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

 

Both came back saying the file did not exist. I then ran FlashbackChecker for good measure. It said I was not infected.

I let my university know this, asking what caused the alarm. They said they have more advanced technology that can pick up malware I can't locally (I pasted part of the email they sent below). Is this true?

 

Could I still have Flashback if everything I did came back negative? Is wiping my computer really the only option?

 

"Because our systems detected that your computer was infected with Flashback and the problem with many malicious programs like this is that they often are not detected with conventional scans on the computer. The way [university] systems detect and track outbreaks like this is far more advanced than scans run on a local machine so they can often detect programs while local scans do not"

  • leroydouglas Level 6 (14,765 points)

    Not likely.

    This Java security update removes the most common variants of the Flashback malware.

    http://support.apple.com/kb/HT5242?viewlocale=en_US&locale=en_US

    Run your Software Updater

    >Software Update...

  • John Galt Level 8 (39,490 points)

    ... The way [university] systems detect and track outbreaks like this is far more advanced than scans run on a local machine so they can often detect programs while local scans do not"

    Not bloody likely that theirs is more advanced than Apple's. Your university may have thousands of Macs to maintain. Apple has 58 million.

  • Linc Davis Level 10 (150,990 points)

    Tell them you reinstalled the OS and be done with it.

  • Exsiss Level 1 (0 points)

    I thought about this, but I worry what sparked the malware detection in the first place. They said if they find it again I'll be blacklisted. These responses make me feel more confident that my computer is indeed clean.

     

    I didn't have my system updated when they sent out the detection, but I do now. I'm hoping the detection was just caused by not having the update and that now that it is I won't have problems.

  • Linc Davis Level 10 (150,990 points)

    If you installed the latest Java update, or if Java wasn't installed at all, then according to all information now available you are free from Flashback infection. You're not free from incompetent IT administrators.

  • Exsiss Level 1 (0 points)

    Just a heads up for people who think they are safe from the virus for doing the things suggested: I got Symantec and ran a full computer scan and a file of Flashback did return. All responses in Terminal still return as "does not exist". The FlashbackChecker still says I don't have it. I have updated all software recommended by Apple. Yet I still have it.

     

    So if you think you are clean, be sure to run a scan just in case!

  • John Galt Level 8 (39,490 points)

    ... a file of Flashback did return.

    Thanks for the update.

    What is the exact file name and location on your Mac?

    A "file of Flashback" is too vague to mean anything specific. If it is a new attack this information would be very important.

    The way most utilities like Symantec work, it could easily have been identified as a required OS X component, in which case its removal would corrupt your system.

  • leroydouglas Level 6 (14,765 points)

    John Galt wrote:

    A "file of Flashback" is too vague to mean anything specific. If it is a new attack this information would be very important.

    Yes, too vague to mean anything specific except Symantec is wanting you to buy their software.

  • MadMacs0 Level 5 (4,470 points)

    Exsiss wrote:

    My university emailed me saying they detected Flashback on my Mac and that they were taking my network privileges away until I wiped my hard drive and reinstalled the OS. I immediately got on Terminal and inputted the lines of code:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    Both came back saying the file did not exist. I then ran FlashbackChecker for good measure. It said I was not infected.

    Unfortunately, the first set of commands is incomplete and without knowing exactly where you got FlashbackChecker and when, it probably wasn't the correct version for checking the current variant either. I'm just glad you didn't run the first version of Kaspersky's tool which would have locked you out of your account for the same reason.

    I don't read anywhere if the Apple Java Update told you there was malware on your computer. It is supposed to notify you if there was, but not if there was not.

    I got Symantec and ran a full computer scan and a file of Flashback did return. All responses in Terminal still return as "does not exist". The FlashbackChecker still says I don't have it. I have updated all software recommended by Apple. Yet I still have it.

    The only tool other than the Apple Updates that I trust is the Flashback Removal app from F-Secure. None of us really know how the Apple MRT works, but yours would be one of the first that indicated it did not.

    For that reason, many of us want to know what the file name is/was and where it was found. Can you help us out here?

  • Exsiss Level 1 (0 points)

    Luckily, I have a free version through my university (of Symantec's).

    The FlashbackChecker I had used was the one found at GitHub that was suggested from many sites.

    Weirdly enough, even though Symantec's said I had a Flashback file, when I ran their Flashback file detector and removal software that also came back negative for having Flashback.

    The file was called .flserv and identified as an OSX.Flashback.K. I believe it was found in Users/myusername. I'm looking through my history to see if that's where it was, but I'm 99% sure it was.

  • Linc Davis Level 10 (150,990 points)

    The file was called .flserv...

    That is a Flashback file, though its presence doesn't necessarily indicate an active infection. Did you find that after you ran the Apple removal tool?

  • Exsiss Level 1 (0 points)

    I found it after I updated all my software, but in case the Apple removal tool isn't part of that then I didn't realize I needed to download it manually. It did include the newest Java update though.

  • MadMacs0 Level 5 (4,470 points)

    Exsiss wrote:

    Luckily, I have a free version through my university (of Symantec's).

    The FlashbackChecker I had used was the one found at GitHub that was suggested from many sites.

    Weirdly enough, even though Symantec's said I had a Flashback file, when I ran their Flashback file detector and removal software that also came back negative for having Flashback.

    The file was called .flserv and identified as an OSX.Flashback.K. I believe it was found in Users/myusername. I'm looking through my history to see if that's where it was, but I'm 99% sure it was.

    And that is the file all the "i" variant searchers miss. It's the module that should have been trying to communicate out and what your university must have intercepted.

    In that case there may well be one more file. Please copy and paste the following Terminal command:

         ls -la ~/Library/LaunchAgents

    and hit return. Copy and paste the results back here.

  • MadMacs0 Level 5 (4,470 points)

    Also, can you go to https://www.drweb.com/flashback/ and enter your UUID, if willing, to see if you are in the database. That will help confirm what the University saw as well as possibly establish the date of infection. It's not foolproof as Apple had their collection server shut down for some period of time, thinking they were the bad guys. You would think all these folks would get organized and coordinate these things.

    It's a secure site, most of us agree that the UUID can't be used for much of anything (thousands of them have been posted to this forum by now) and Dr. Web has been around for 20 years, so they seem to be a reputable A-V software vendor, just new to the Mac scene.
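The host-side checks discussed across this thread (the two `defaults read` commands, the hidden `.flserv` file Symantec flagged, and the `~/Library/LaunchAgents` listing MadMacs0 asked for), gathered into one script as an added example; this is not code from the thread or from Apple, Symantec or F-Secure. It takes a home directory as an optional argument so it can be run against a copied-out profile, and as MadMacs0 points out the `defaults` checks alone are incomplete, so a zero count is not proof of a clean machine.

```shell
#!/bin/sh
# Constructed example: report which Flashback indicators from the thread are
# present for one home directory (default: the current user's $HOME).
# Indicator lines go to stdout; the return value is the number found.
flashback_indicators() {
    home="${1:-$HOME}"
    found=0

    # 1. Hidden .flserv file in the home folder (the file flagged as OSX.Flashback.K).
    if [ -e "$home/.flserv" ]; then
        echo "INDICATOR: $home/.flserv present"
        found=$((found + 1))
    fi

    # 2. DYLD_INSERT_LIBRARIES in the per-user environment plist. On macOS use
    #    `defaults read` as in the thread; elsewhere fall back to grep so the
    #    check still runs (the fallback assumes an XML, not binary, plist).
    env_plist="$home/.MacOSX/environment.plist"
    if command -v defaults >/dev/null 2>&1; then
        if defaults read "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES >/dev/null 2>&1; then
            echo "INDICATOR: DYLD_INSERT_LIBRARIES set in $env_plist"
            found=$((found + 1))
        fi
    elif [ -f "$env_plist" ] && grep -q DYLD_INSERT_LIBRARIES "$env_plist"; then
        echo "INDICATOR: DYLD_INSERT_LIBRARIES set in $env_plist"
        found=$((found + 1))
    fi

    # 3. LSEnvironment key in Safari's Info.plist (macOS only; first command in the thread).
    if command -v defaults >/dev/null 2>&1 \
       && defaults read /Applications/Safari.app/Contents/Info LSEnvironment >/dev/null 2>&1; then
        echo "INDICATOR: LSEnvironment key present in Safari's Info.plist"
        found=$((found + 1))
    fi

    # 4. Per-user LaunchAgents, listed for manual review as MadMacs0 asked. Not
    #    counted, because legitimate agents live here too.
    if [ -d "$home/Library/LaunchAgents" ]; then
        echo "LaunchAgents in $home/Library/LaunchAgents:"
        ls -la "$home/Library/LaunchAgents"
    fi

    echo "indicators found: $found"
    return "$found"
}
```

Run `flashback_indicators` with no argument to check the logged-in account; pass another user's home path (as an administrator) to check a different account on the same Mac.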
