
Could I still have Flashback if everything comes back negative?

4480 Views 18 Replies Latest reply: Apr 19, 2012 12:32 AM by MadMacs0 RSS
Exsiss
Apr 13, 2012 9:15 AM

My university emailed me saying they detected Flashback on my Mac and that they were taking my network privileges away until I wiped my hard drive and reinstalled the OS. I immediately got on Terminal and inputted the lines of code:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Both came back saying the file did not exist. I then ran FlashbackChecker for good measure. It said I was not infected.

I let my university know this, asking what caused the alarm. They said they have more advanced technology that can pick up malware I can't locally (I pasted part of the email they sent below). Is this true?

Could I still have Flashback if everything I did came back negative? Is wiping my computer really the only option?

"Because our systems detected that your computer was infected with Flashback and the problem with many malicious programs like this is that they often are not detected with conventional scans on the computer. The way [university] systems detect and track outbreaks like this is far more advanced than scans run on a local machine so they can often detect programs while local scans do not"

  • leroydouglas Level 6 (13,285 points)

    Not likely.

    This Java security update removes the most common variants of the Flashback malware.

    http://support.apple.com/kb/HT5242?viewlocale=en_US&locale=en_US

    Run your Software Updater > Software Update...

    MacBook Pro, Mac OS X (10.7.3), 2.4GHz IntelCorei5 320GB HD 8GB RAM
  • John Galt Level 7 (33,055 points)

    ... The way [university] systems detect and track outbreaks like this is far more advanced than scans run on a local machine so they can often detect programs while local scans do not"

    Not bloody likely is theirs more advanced than Apple's. Your university may have thousands of Macs to maintain. Apple has 58 million.

  • Linc Davis Level 10 (107,565 points)

    Tell them you reinstalled the OS and be done with it.

  • Linc Davis Level 10 (107,565 points)

    If you installed the latest Java update, or if Java wasn't installed at all, then according to all information now available you are free from Flashback infection. You're not free from incompetent IT administrators.

  • John Galt Level 7 (33,055 points)

    ... a file of Flashback did return.

    Thanks for the update.

    What is the exact file name and location on your Mac?

    A "file of Flashback" is too vague to mean anything specific. If it is a new attack this information would be very important.

    The way most utilities like Symantec work, it could easily have been identified as a required OS X component, in which case its removal would corrupt your system.

  • leroydouglas Level 6 (13,285 points)

    John Galt wrote:

    A "file of Flashback" is too vague to mean anything specific. If it is a new attack this information would be very important.

    Yes, too vague to mean anything specific except Symantec is wanting you to buy their software.

    MacBook Pro, Mac OS X (10.7.3), 2.4GHz IntelCorei5 320GB HD 8GB RAM
  • MadMacs0 Level 4 (3,320 points)

    Exsiss wrote:

    My university emailed me saying they detected Flashback on my Mac and that they were taking my network privileges away until I wiped my hard drive and reinstalled the OS. I immediately got on Terminal and inputted the lines of code:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    Both came back saying the file did not exist. I then ran FlashbackChecker for good measure. It said I was not infected.

    Unfortunately, the first set of commands is incomplete, and without knowing exactly where you got FlashbackChecker and when, it probably wasn't the correct version for checking the current variant either. I'm just glad you didn't run the first version of Kaspersky's tool, which would have locked you out of your account for the same reason.

    I don't read anywhere if the Apple Java Update told you there was malware on your computer. It is supposed to notify you if there was, but not if there was not.

    Exsiss wrote:

    I got Symantec and ran a full computer scan and a file of Flashback did return. All responses in Terminal still return as "does not exist". The FlashbackChecker still says I don't have it. I have updated all softwares recommended by Apple. Yet I still have it.

    The only tool other than the Apple Updates that I trust is the Flashback Removal app from F-Secure. None of us really know how the Apple MRT works, but yours would be one of the first that indicated it did not.

    For that reason, many of us want to know what the file name is/was and where it was found. Can you help us out here?

  • Linc Davis Level 10 (107,565 points)

    The file was called .flserv...

    That is a Flashback file, though its presence doesn't necessarily indicate an active infection. Did you find that after you ran the Apple removal tool?

  • MadMacs0 Level 4 (3,320 points)

    Exsiss wrote:

    Luckily, I have a free version through my university (of Symantec's).

    The FlashbackChecker I had used was the one found at GitHub that was suggested from many sites.

    Weirdly enough, even though Symantec's said I had a Flashback file, when I ran their Flashback file detector and removal software that also came back negative for having Flashback.

    The file was called .flserv and identified as an OSX.Flashback.K. I believe it was found in Users/myusername. I'm looking through my history to see if that's where it was, but I'm 99% sure it was.

    And that is the file all the "i" variant searchers miss. It's the module that should have been trying to communicate out and what your university must have intercepted.

    In that case there may well be one more file. Please copy and paste the following Terminal command:

         ls -la ~/Library/LaunchAgents

    and hit return. Copy and paste the results back here.
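The checks the replies in this thread ask for, gathered into one read-only script. This is an added example, not code from the thread or from any of the tools named in it; it assumes the dropped file is named .flserv in the home directory, as stated above, and skips the `defaults` checks on a host that is not macOS.

```shell
#!/bin/sh
# Added example (not from the thread): reports the indicators discussed above and removes nothing.
# Assumption: the dropped file is .flserv in the home directory; `defaults` exists only on macOS.

# Query one plist key with `defaults read`. A missing key (non-zero exit) means clean.
# Any value present is reported for review: a stock Safari sets no LSEnvironment.
check_plist_key() {
    plist="$1"; key="$2"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "skip: $key (defaults not available on this host)"; return 0
    fi
    if value=$(defaults read "$plist" "$key" 2>/dev/null); then
        echo "review: $key is set in $plist: $value"; return 1
    fi
    echo "clean: $key not set in $plist"; return 0
}

# Look for the dropped file and list launch agents (where a persistence plist would be
# registered). Returns the number of items that need a human look.
scan_home() {
    home="$1"; n=0
    if [ -e "$home/.flserv" ]; then
        echo "found: $home/.flserv"; n=$((n + 1))
    fi
    for f in "$home/Library/LaunchAgents"/*.plist; do
        [ -e "$f" ] || continue   # glob matched nothing
        # A name is not proof either way (Apple-style names can be faked), so list every agent.
        echo "review: launch agent $f"; n=$((n + 1))
    done
    return "$n"
}

# Run the two `defaults read` checks from the first post plus the file checks.
run_checks() {
    check_plist_key /Applications/Safari.app/Contents/Info LSEnvironment
    check_plist_key ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    scan_home "${HOME:-/nonexistent}" && echo "no files to review" || echo "items above need review"
}

run_checks
```

Run it in Terminal as a normal user; it prints "found:" for the .flserv file and "review:" for each launch agent so the listing can be pasted back into a thread like this one.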

  • MadMacs0 Level 4 (3,320 points)

    Also, can you go to https://www.drweb.com/flashback/ and enter your UUID, if willing, to see if you are in the database. That will help confirm what the University saw as well as possibly establish the date of infection. It's not foolproof as Apple had their collection server shut down for some period of time, thinking they were the bad guys. You would think all these folks would get organized and coordinate these things.

    It's a secure site, most of us agree that the UUID can't be used for much of anything (thousands of them have been posted to this forum by now) and Dr. Web has been around for 20 years, so they seem to be a reputable A-V software vendor, just new to the Mac scene.
