Is My Mac Computer Infected With The Flashback Trojan?

by on April 5, 2012 · 14 comments · LAST UPDATED April 5, 2012

in OS X, Troubleshooting

The Flashback Trojan is a trojan horse affecting personal computer systems running Apple Mac OS X. More than half a million Apple computers have been infected with the Flashback Trojan.

What does the Flashback Trojan do?

According to a Russian anti-virus firm, the Flashback Trojan is designed to steal personal information and to enlist the infected machine in a botnet.

How do I avoid this problem?

First, apply the security update released by Apple:

From the Apple menu > Software Update

Software Update checks for available updates and installs all of them, including the Java security update released by Apple. You need to supply an administrator account name and password. Apple released this security update on April 4, 2012 to protect against the Flashback Trojan.

How do I verify that my Mac is not infected with the Flashback Trojan?

If your Mac is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don't have the Flashback Trojan. However, you can type the following commands to verify whether your Mac is infected. Open a command-line terminal, and then type:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

You should get the following message:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Finally, type the following command:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should get the following message:

The domain/default pair of (/Users/vivek/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If you get the "does not exist" message both times, your Mac is not infected with the Flashback Trojan. A sample session from my system:

Fig.01: Command to find out if you are infected or not with Flashback Trojan malware

The above instructions are outlined on the F-Secure website, which also explains how to remove the trojan if your Mac is infected.
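As an added example (not from the original post or from F-Secure), the same two checks done by parsing the plist files directly with Python's plistlib instead of calling `defaults read`. SAFARI_INFO_PLIST and USER_ENV_PLIST are the files behind the page's two commands; the sample plists and the /tmp/constructed.dylib path are constructed for the demonstration.

```python
import plistlib
from pathlib import Path

# The two locations the page's `defaults read` commands query:
# Safari's Info.plist (LSEnvironment key) and the per-user
# ~/.MacOSX/environment.plist (DYLD_INSERT_LIBRARIES key).
SAFARI_INFO_PLIST = Path("/Applications/Safari.app/Contents/Info.plist")
USER_ENV_PLIST = Path.home() / ".MacOSX" / "environment.plist"


def injected_libraries(plist_bytes):
    """Return every DYLD_INSERT_LIBRARIES value found in a plist.

    Looks at the top level (environment.plist layout) and inside an
    LSEnvironment dictionary (Info.plist layout). An absent key is the
    clean case, matching the 'does not exist' message from `defaults read`.
    """
    data = plistlib.loads(plist_bytes)
    found = []
    for scope in (data, data.get("LSEnvironment", {})):
        if isinstance(scope, dict) and "DYLD_INSERT_LIBRARIES" in scope:
            found.append(str(scope["DYLD_INSERT_LIBRARIES"]))
    return found


def scan(paths=(SAFARI_INFO_PLIST, USER_ENV_PLIST)):
    """Check each plist on disk; a missing file counts as clean."""
    hits = {}
    for path in paths:
        if path.is_file():
            libs = injected_libraries(path.read_bytes())
            if libs:
                hits[str(path)] = libs
    return hits


# Constructed sample plists (not files taken from an infected machine).
CLEAN_INFO = plistlib.dumps({"CFBundleName": "Safari"})
SUSPECT_INFO = plistlib.dumps(
    {"CFBundleName": "Safari",
     "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/tmp/constructed.dylib"}})
SUSPECT_ENV = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/tmp/constructed.dylib"})

if __name__ == "__main__":
    hits = scan()
    if hits:
        for path, libs in hits.items():
            print(f"{path}: DYLD_INSERT_LIBRARIES = {libs}")
    else:
        print("No DYLD_INSERT_LIBRARIES entries found in either location")
```

A clean result covers only these two persistence locations; as one commenter below reports, Apple's later update found a variant this check did not flag, so treat it as a quick indicator rather than a full scan.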

1 Tracy April 5, 2012 at 3:44 pm

I use Adobe Photoshop for personal and home office use. For each command, I was not infected. But I did run Apple update and installed all available updates, including the Java security update. One question – What is a botnet, and how can I better protect my Mac with botnet protection and avoid malware? Should I buy antivirus and antispyware programs for my Mac?

2 Collin B April 5, 2012 at 5:18 pm

Antivirus/Antimalware is always a good option. No OS is immune from these attacks. A botnet is basically a computer that can be taken over and used as a bot for whatever the user wishes. This can include proxying an internet connection or running commands from your machine.

3 Jon dela Cruz April 17, 2012 at 5:08 am

No OS is immune? This Flashback trojan is not an exploit of Apple's OS X but of the Java that runs on OS X. Still, OS X is immune because I can just get rid of Java and that's it! No need to buy AV from Dr. Web, who's dreaming of expanding his business to Apple! Good luck!

4 Jonathan April 5, 2012 at 5:47 pm

I like hackers that hack for the good of producing jailbreaks and fixing exploits, but the hackers who come up with these malware programs need to go to jail for a long time. It's like a robber who can steal millions of people's money/identity at the same time. The FBI needs to crack down on malware developers and hacking groups that hack into banks and credit card companies such as Visa and MasterCard. These hackers make our FBI and Cybersecurity "professionals" look foolish.

5 KKDK April 6, 2012 at 1:06 pm

Thanks for sharing this useful and IMP tip, it's so helpful

6 john April 7, 2012 at 3:38 am

Antivirus is a joke and a waste of CPU power and battery life, even if you have windows. So it’s even more of a joke and a waste for OS X, which has attracted very little virus/trojan writing attention. The 0day attacks that are scarier will compromise windows, linux, or mac at will and won’t be caught by any current antivirus.

7 senshikaze April 8, 2012 at 12:34 pm

Kaspersky Labs said that 0.7 of infections were Linux and 0.5 were Windows. I know that is low (like 4200 or so of the 600k), but I can’t find any non-OS X way of checking your computers. If this can hit Windows, then I know this could explode into the millions.

8 whiteHat April 10, 2012 at 8:09 am

@Jonathan, You sound really scared. “Quick, install all those scanners up to catch terrorists! Quick! Quick! Grab my nuts and take my data, money, freedom, and my soul. Just protect my iTurd from haxors… Whaaaaaaa!!!!! Mommy….. snif…”

9 Barney April 10, 2012 at 3:11 pm

Thanks very much, it's nice to be able to check my MacBook is not infected

10 Doesnt detect all variants April 15, 2012 at 2:52 am

I did this check – my Mac checked out clean, HOWEVER, when I ran Apple's latest update today, Apple's update found a variant of the virus!! (This latest Apple update actually removes all known variants of the Flashback virus.) This check was not thorough enough in my case. My Mac is offline right now going through a major scan – just in case.

Does anyone have reliable info on what exactly the virus does (in detail)? I’ve read things like:
- harvests usernames and passwords from browser – can it get them elsewhere?
- it updates itself from remote server
- it reports collected info to remote server(s)
- it enters through safari – can it enter through FF as well? (I rarely use Safari…)

11 nixCraft April 15, 2012 at 7:05 am

There is another Mac OS X trojan in the wild, and this one also exploits Java vulnerabilities just like the Flashback Trojan. This new Trojan requires no user interaction to infect your Apple Mac. It is called Backdoor.OSX.SabPub.a or SX/Sabpab-A. The above method will not detect Backdoor.OSX.SabPub.a or SX/Sabpab-A. More info:
How to detect and remove new trojan called Backdoor.OSX.SabPub.a or SX/Sabpab-A

12 nixCraft April 15, 2012 at 7:06 am

The best solution is to automatically deactivate the Java browser plugin and Java Web Start, effectively disabling Java applets in browsers under Mac.

13 shashank April 17, 2012 at 12:37 pm

Thanks for the great blog! Finally kicked it out after detecting this trojan on my Mac!

14 javasucksanyway May 1, 2012 at 7:08 am

Java was just a bad idea and maybe people see why now. Running random code automatically on your machine from whatever website you happen to visit.

I understand this can be rather efficient to spread the load but it was and is a security nightmare.

Wake up security industry, it’s been time to excrete some more java.

Get rid of Flash while you're at it. Dumb ideas like "word macros" ugh… such shit.
