Mac “Flashback” Trojan: How to discover if you have it and how to get rid of it

from JoeUser Forums

 

Somewhere around 600,000 Mac users have this Trojan written in an unknown language. It gets on your OSX without a password.

What it does (per F-secure):

“Trojan-Downloader:OSX/Flashback.I connects to a remote site to download its payload; on successful infection, the malware modifies targeted webpages displayed in the web browser.”

How to discover if it’s there and disinfect (per F-Secure):

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance.

Manual Removal Instructions

  • 1. Run the following command in Terminal:
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • 2. Take note of the value, DYLD_INSERT_LIBRARIES
  • 3. Proceed to step 8 if you got the following error message:
    "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
  • 4. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
  • 5. Take note of the value after "__ldpath__"
  • 6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  • 7. Delete the files obtained in steps 2 and 5
  • 8. Run the following command in Terminal:
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  • 9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
    "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
  • 10. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
  • 11. Take note of the value after "__ldpath__"
  • 12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
  • 13. Finally, delete the files obtained in steps 9 and 11.

 

Now, there are some variants of this Trojan, and some have additional components. The disinfect method is detailed here:  http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

 

Hope none of our Mac users are affected by this Trojan… but if you are, F-Secure has the steps described above and the additional steps as above. You can find them and the links to the additional steps here:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

27,268 views 9 replies
Reply #1 from WinCustomize Forums Top

Oh no. Macs don't get viruses......just ask any ihole :P

Reply #2 from WinCustomize Forums Top

iRony [ahy-ruh-nee, ahy-er-]

1. directions to remove a iVirus on a Windows based website.

Start11 - Customize the Start Menu and Taskbar in Windows 10/11.
Reply #3 from WinCustomize Forums Top

CG1:

Some readers have more than one computer and some are Macs. No one forced you to read the post.

Reply #4 from WinCustomize Forums Top

iRony [ahy-ruh-nee, ahy-er-]

2. Doc taking my attempt at humor as a serious reply. ;)

Reply #5 from Elemental Forums Top


If anything I've seen the amount of "iHole-ishness" decrease over the last few years. I like to hope that it's because people are realizing that it's just another operating system and not a "cool way of life brand-identity" thing. Or that everyone has one so it's no longer "trendy".

But yeah, on topic. We just got a few macs at work that I have to be in charge of, so I get to familiarize myself with them after 10 years of using nothing but Windows. And knowing about viruses helps.

Reply #6 from JoeUser Forums Top

This is but the beginning.  At least for the Apple side of the house.  The dominance of the iPad and iPhone mean they are the new windows.

First rule of Security - anonymity is no defense.

Reply #7 from WinCustomize Forums Top

No defense. Watch out for the Gremlins. They developed a taste for Apple(s)

Reply #8 from WinCustomize Forums Top

Quoting jackswift85, reply 5
I like to hope that it's because people are realizing that it's just another operating system and not a "cool way of life brand-identity" thing. Or that everyone has one so it's no longer "trendy".
End of jackswift85's quote

Ditto ...;)

Reply #9 from WinCustomize Forums Top

I stumbled on an article on CBS News that says Apple has released a removal tool for this today if anyone is interested

http://www.cbsnews.com/8301-501465_162-57413764-501465/apples-flashback-malware-remover-now-live/?tag=cbsnewsSectionContent.10

Probably no need to read the article really if you already know how to get the patch.  I don't know all the gory details, just trying to be useful. ;)