Robert OToole Photography

Apr 11


Image © 2012 Robert OToole Photography

What is the Flashback Trojan?

Flashback is malicious software that exploits a security flaw in Java in order to install itself on Mac OS. A new version of it has made news headlines all over the world over the last couple of weeks.

The first thing you want to do is update your Mac. Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. Your Mac automatically checks for software updates every week, but you can run Software Update at any time to manually check for the latest updates: go to the Apple menu and choose Software Update.

Mac users have been almost in a panic over this in the last couple of weeks thanks to the media. Even though I have yet to hear from anyone in the computer industry who actually knows someone who was infected by it, I would recommend checking your Macs just in case.

How to check if your Mac is infected

Checking your Mac is easy and only takes a few seconds.

You can find instructions to check your Mac, and complete instructions on how to remove the Trojan, on the F-Secure site:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

To check for the Flashback Trojan, go to the Manual Removal Instructions and follow them carefully. This will tell you if you have it in a few keystrokes and how to remove it in a few seconds if you do.

What you will be doing is opening the Terminal app and entering some instructions (commands).

If you don’t want to run a Terminal command you can also download a free app to check your Mac:

https://github.com/jils/FlashbackChecker/wiki

To run the Terminal application, go to Applications/Utilities/Terminal.

Type, or better yet cut and paste from the F-Secure site, into Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

You should see:

“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

This means the Mac you are on is not infected, but you are not done yet.

Next type in the command:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you see the following, then your system is clean.

“The domain/default pair of (/Users/…/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

If you see anything other than the above, the F-Secure link will give you all the info you need to know how to remove the virus.
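The two checks above can also be run together from one small script. This is an added example, not part of the original post or the F-Secure instructions; the function names, the "clean"/"review" labels and the DEFAULTS_CMD override (used only for testing off a Mac) are assumptions of this example.

```shell
#!/bin/sh
# Added example: runs the two `defaults read` checks from this post.

# Classify the text printed by `defaults read <domain> <key>`.
# "clean"  = the "does not exist" message quoted in the post.
# "review" = anything else (a value came back, or some other error),
#            which means: go to the F-Secure removal instructions.
classify_defaults_output() {
    case "$1" in
        *"The domain/default pair of ("*") does not exist"*) echo clean ;;
        *) echo review ;;
    esac
}

# Run one check. $1 = domain, $2 = key.
# `defaults` reports a missing key on stderr, so capture both streams.
check_key() {
    out=$("${DEFAULTS_CMD:-defaults}" read "$1" "$2" 2>&1) || true
    classify_defaults_output "$out"
}

# Run both checks; print one line per check, return 0 only if both are clean.
check_flashback() {
    rc=0
    for pair in \
        "/Applications/Safari.app/Contents/Info LSEnvironment" \
        "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    do
        domain=${pair% *}    # everything before the last space
        key=${pair##* }      # everything after the last space
        result=$(check_key "$domain" "$key")
        echo "$result: $domain $key"
        [ "$result" = clean ] || rc=1
    done
    return $rc
}

# Only run the checks when asked to: sh flashback_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_flashback
fi
```

A "review" line does not prove an infection; it only means the output was not the "does not exist" message, so follow the F-Secure instructions for that key.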

Important Flashback Trojan Links

Apple’s support page:

http://support.apple.com/kb/HT5244

Apple’s support page for manual software update:

http://support.apple.com/kb/HT1338

F-Secure site:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Free Flashback Checker App:

https://github.com/jils/FlashbackChecker/wiki

Update April 12, 2012

Apple has released a security update to take care of the Java vulnerability and remove the Flashback Trojan variants. To download it, just run Software Update manually by going to the Apple menu and choosing Software Update.

http://support.apple.com/kb/HT5242

This update disables the automatic execution of Java applets.

All content (including text, design, photos, layout, and graphics) are copyright © 2012 Robert OToole. All rights reserved.

2 Comments

  • Comment by Peter Kes — April 11, 2012 @ 3:59 pm

    Knowing the power of Java and JavaScript, I disabled JavaScript by default, only activating it when I see I really need it. Often you get to websites where you are getting these nice ads (onmouseclick – onhover etc etc). Turn off JavaScript in the browser and you reduce malware by 99%. Also, I use Firefox. It has proven to be the best and most reliable browser.

  • Comment by admin — April 11, 2012 @ 11:55 pm

    Yes that is a good tip. Thanks for sharing.

    I also know that some people disable Java system wide, but I don’t know if a lot of programs like Adobe products would even run.

    Robert
