According to Russian antivirus company Dr. Web, there are about 600,000 Macs around the world that are infected by different variations of the Flashback trojan and are now part of a fast-growing Mac botnet. Of the 600,000 infected Macs the majority are located in North America – 57% from the US and 20% in Canada.
If you own a Mac and would like to check whether it’s infected or not, you can follow these step-by-step instructions provided by the folks from F-Secure.
NOTE: This procedure is risky and could be a bit tricky so it is recommended only for advanced users. If you think you’re not capable of doing it yourself, you can request a friend or a professional technician to assist you.
1. Open up Terminal (Finder > Applications > Utilities > Terminal).
2. Key in and run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment3. Take note of the value, DYLD_INSERT_LIBRARIES
4. Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
5. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obta</blockquote>ined_in_step2%6. Take note of the value after “__ldpath__“
7. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironmentsudo chmod 644 /Applications/Safari.app/Contents/Info.plist8. Delete the files obtained in steps 2 and 5
9. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES10. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
11. Otherwise, run the following command in Terminal:
grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%12. Take note of the value after “__ldpath__“
13. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIESlaunchctl unsetenv DYLD_INSERT_LIBRARIES14. Finally, delete the files obtained in steps 9 and 11.
If you get both “does not exist” errors on Steps 4 and 10, it basically means that your Mac is not infected by the latest Flashback trojan variation. However, other Flashback trojan variations include additional components which require additional removal steps. Please refer to this link for further information and removal instructions.
I performed the procedure on my Mac and fortunately for me, it isn’t one of the 600,000 infected machines. I strongly recommend that you do the same thing and check to make sure whether your Mac is infected or not. It won’t hurt if you do and it’s always better to be safe than sorry.
Does anyone here who got infected by the latest Flashback trojan or a different variant? What did you do to fix/disinfect your machine?
Why does step #4 if “does not exist” tell you to go to step#8 only for it to tell you to “8. Delete the files obtained in steps 2 and 5”