Is My Mac Computer Infected With The Flashback Trojan?

The Flashback Trojan is a trojan horse affecting personal computer systems running Apple Mac OS X. More than half a million Apple computers have been infected with the Flashback Trojan.

What does the Flashback Trojan do?

According to a Russian anti-virus firm, the Flashback Trojan is designed to steal personal information and is used as a botnet.

How do I avoid this problem?

First, apply the security update released by Apple:

From the Apple menu > Software Update

Software Update checks for available updates and installs them, including the Java security update released by Apple. You need to supply an administrator account name and password. Apple released a security update on April 4, 2012 to protect against the Flashback Trojan.

How do I verify that my Mac is not infected with the Flashback Trojan?

If your Mac is up-to-date with the latest security updates and your antivirus software is also up-to-date, you probably don’t have the Flashback Trojan. However, type the following commands to verify whether your Mac is infected. Open a command-line terminal, and then type:

defaults read /Applications/ LSEnvironment

You should get the following message:

The domain/default pair of (/Applications/, LSEnvironment) does not exist

Finally, type the following command:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

You should get the following message:

The domain/default pair of (/Users/vivek/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

If you get the “does not exist” message both times, your Mac is not infected with the Flashback Trojan. A sample session from my system:

Fig.01: Command to find out if you are infected or not with Flashback Trojan malware

The above instructions are outlined at the F-Secure website. It also explains how to remove the trojan if your Mac is infected.
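
The two checks above can also be run from a small script. This is an added example, not part of the original article or of F-Secure's instructions; the function names, the verdict strings and the DEFAULTS_CMD override are assumptions of this sketch, while the domain/key pairs are exactly those shown in the commands above.

```sh
#!/bin/sh
# Added example: scripts the two `defaults read` checks shown above.
# DEFAULTS_CMD is an assumption of this sketch; it lets the logic be
# exercised with a stub on systems without the macOS `defaults` tool.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# check_pair DOMAIN KEY
# Prints "absent" for the "does not exist" reply, "present" if the key is
# set, and "error" if the command failed for any other reason.
check_pair() {
    status=0
    out=$("$DEFAULTS_CMD" read "$1" "$2" 2>&1) || status=$?
    case "$out" in
        *"does not exist"*) echo absent ;;
        *)
            if [ "$status" -eq 0 ]; then
                # Show the stored value on stderr so it can be inspected.
                printf '%s %s is set to: %s\n' "$1" "$2" "$out" >&2
                echo present
            else
                printf 'could not read %s %s: %s\n' "$1" "$2" "$out" >&2
                echo error
            fi ;;
    esac
}

# flashback_check
# Runs both checks with the domain/key pairs from the article and prints
# one verdict: "suspicious", "inconclusive" or "clean".
flashback_check() {
    a=$(check_pair "/Applications/" LSEnvironment)
    b=$(check_pair "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    case "$a $b" in
        *present*) echo suspicious ;;
        *error*)   echo inconclusive ;;
        *)         echo clean ;;
    esac
}

flashback_check
```

A `clean` verdict covers only these two settings; `inconclusive` means the `defaults` command itself failed, so the result should not be read as a pass.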

14 comments
  • Tracy Apr 5, 2012 @ 15:44

    I use Adobe Photoshop for personal and home office. For each command, I was not infected. But, I did run Apple update and install all available updates including Java security. One question – What is a botnet and how to better protect my Mac with botnet protection and avoid malware? Should I buy antivirus and antispyware programs for my Mac?

  • Collin B Apr 5, 2012 @ 17:18

    Antivirus/Antimalware is always a good option. No OS is immune from these attacks. A botnet is basically a computer that can be taken over and used as a bot for whatever the user wishes. This can include proxying an internet connection or running commands from your machine.

    • Jon dela Cruz Apr 17, 2012 @ 5:08

      No OS is immune? This Flashback trojan is not an exploit of Apple’s OS X but it’s the Java that runs on OS X. Still the OS X is immune because I can just get rid of the Java and that’s it! No need to buy AV from Dr. Web who’s dreaming to expand his business to Apple! Good luck!

  • Jonathan Apr 5, 2012 @ 17:47

    I like hackers that hack for the good of producing jailbreaks and fixing exploits but the hackers who come up with these malware programs need to go to jail for a long time. It’s like a robber who can steal millions of people’s money/identity at the same time. FBI needs to crack down on malware developers and hacking groups that hack into banks and credit card companies such as Visa and Mastercard. These hackers make our FBI and Cybersecurity “professionals” look foolish.

  • KKDK Apr 6, 2012 @ 13:06

    Thanks for sharing this useful and IMP tip, it’s so helpful

  • john Apr 7, 2012 @ 3:38

    Antivirus is a joke and a waste of CPU power and battery life, even if you have Windows. So it’s even more of a joke and a waste for OS X, which has attracted very little virus/trojan writing attention. The 0day attacks that are scarier will compromise Windows, Linux, or Mac at will and won’t be caught by any current antivirus.

  • senshikaze Apr 8, 2012 @ 12:34

    Kaspersky Labs said that 0.7 of infections were Linux and 0.5 were Windows. I know that is low (like 4200 or so of the 600k), but I can’t find any non-OS X way of checking your computers. If this can hit Windows, then I know this could explode into the millions.

  • whiteHat Apr 10, 2012 @ 8:09

    @Jonathan, You sound really scared. “Quick, install all those scanners up to catch terrorists! Quick! Quick! Grab my nuts and take my data, money, freedom, and my soul. Just protect my iTurd from haxors… Whaaaaaaa!!!!! Mommy….. snif…”

  • Barney Apr 10, 2012 @ 15:11

    Thanks very much it’s nice to be able to check my macbook is not infected

  • Doesnt detect all variants Apr 15, 2012 @ 2:52

    I did this check – my Mac checked out clean, HOWEVER, when I ran Apple’s latest update today, Apple’s update found a variant of the virus!! (This latest Apple update actually removes all known variants of the Flashback virus.) This check was not thorough enough in my case. My Mac is offline right now going through a major scan – just in case.

    Does anyone have reliable info on what exactly the virus does (in detail)? I’ve read things like:
    – harvests usernames and passwords from browser – can it get them elsewhere?
    – it updates itself from remote server
    – it reports collected info to remote server(s)
    – it enters through safari – can it enter through FF as well? (I rarely use Safari…)

  • 🐧 nixCraft Apr 15, 2012 @ 7:06

    Best solution is to automatically deactivate the Java browser plugin and Java Web Start, effectively disabling java applets in browsers under Mac.

  • shashank Apr 17, 2012 @ 12:37

    Thanks for the great blog! Finally kicked out after detecting this trojan in my Mac!

  • javasucksanyway May 1, 2012 @ 7:08

    Java was just a bad idea and maybe people see why now. Running random code automatically on your machine from whatever website you happen to visit.

    I understand this can be rather efficient to spread the load but it was and is a security nightmare.

    Wake up security industry, it’s been time to excrete some more java.

    Get rid of Flash while you’re at it. Dumb ideas like “word macros” ugh… such shit.
