The Flashback trojan is a Mac virus that now has control of over 600,000 Macs. It poses as the Adobe Flash Player Updater and exploits a security hole in Java. It then steals all your user names and passwords for popular websites. Apple released a Java update that fixes the problem. Download Java for Mac OS X 10.6 Update 7 (Snow Leopard users) or Java for OS X Lion 2012-002 (Lion users). Both these links are to Apple KB articles that describe the update and allow you to download the installer package.
Recently there was a question posted on Ask Different asking "Is my Mac infected with the Flashback trojan?" I posted an answer to the question, which was voted up quite a bit and was accepted by the asker. Here are instructions from F-Secure on how to check for the Flashback trojan, and remove it:
1. Run the following command in Terminal (Applications > Utilities > Terminal):
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:
    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
4. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__"
6. Run the following commands in Terminal (first make sure there is only one entry from step 2):
    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5.
8. Run the following command in Terminal:
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
    "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__"
12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
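The read-only part of the procedure above (the two `defaults read` checks and the `__ldpath__` greps) can be run as one script. This is an added example, not part of F-Secure's instructions or the original post; the function names `dyld_value`, `ldpath` and `report` are made up for it, and it assumes the dictionary output of `defaults read` has the form `KEY = value;` with or without quotes.

```sh
#!/bin/sh
# Added example: read-only version of the checks above. It deletes nothing.
LC_ALL=C; export LC_ALL   # make the [ -~] range mean printable ASCII

# Read `defaults read ... LSEnvironment` dictionary output on stdin and print
# the DYLD_INSERT_LIBRARIES value (assumed form: KEY = value; quotes optional).
dyld_value() {
    sed -n 's/.*DYLD_INSERT_LIBRARIES"\{0,1\} *= *"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# Print the text that follows "__ldpath__" inside FILE (same grep as above).
ldpath() {
    grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | sed 's/^__ldpath__//'
}

# report LABEL LIB: describe one hook. Returns 1 when LIB is non-empty.
report() {
    label=$1; lib=$2
    if [ -z "$lib" ]; then
        echo "$label: DYLD_INSERT_LIBRARIES not set"
        return 0
    fi
    echo "$label: DYLD_INSERT_LIBRARIES = $lib"
    if [ -f "$lib" ]; then
        echo "$label: __ldpath__ = $(ldpath "$lib")"
    else
        echo "$label: file not found (or more than one entry listed)"
    fi
    return 1
}

# Run both checks only where the macOS `defaults` tool is available.
if command -v defaults >/dev/null 2>&1; then
    found=0
    safari_lib=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>/dev/null | dyld_value)
    report "Safari LSEnvironment" "$safari_lib" || found=1
    user_lib=$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>/dev/null)
    report "~/.MacOSX/environment" "$user_lib" || found=1
    if [ "$found" -eq 0 ]; then
        echo "No hook of this variant found"
    else
        echo "Hook found: note the paths above, then follow the removal steps"
    fi
fi
```

Record the reported paths before running any of the delete commands, since the removal steps need them.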
An alternative to the Terminal method is Flashback Checker. It is a free little application that checks for the trojan and tells you whether you are infected or not.