Flashback Trojan

According to Russian antivirus company Dr. Web, there are about 600,000 Macs around the world that are infected by different variations of the Flashback trojan and are now part of a fast-growing Mac botnet. Of the 600,000 infected Macs the majority are located in North America – 57% from the US and 20% in Canada.

If you own a Mac and would like to check whether its infected or not, you can follow these step-by-step instruction provided by the folks from F-Secure.

NOTE: This procedure is risky and could be a bit tricky so it is recommended only for advanced users. If you think you’re not capable of doing it yourself, you can request a friend or a professional technician to assist you.

1. Open up Terminal (Finder > Applications > Utilities > Terminal).
2. Key in and run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

3. Take note of the value, DYLD_INSERT_LIBRARIES
4. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

5. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obta</blockquote>ined_in_step2%

6. Take note of the value after “__ldpath__
7. Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

8. Delete the files obtained in steps 2 and 5
9. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

10. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

11. Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

12. Take note of the value after “__ldpath__
13. Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

14. Finally, delete the files obtained in steps 9 and 11.

If you get both “does not exist” errors on Step 4 and 10, it basically means that your Mac is not infected by the latest Flashback trojan variation. However, other Flashback trojan variations include additional components which require additional removal steps. Please refer to this link for further information and removal instructions.

I performed the procedure on my Mac and fortunately for me, it isn’t one of the 600,000 infected machines. I strongly recommend that you do the same thing and check to make sure whether your Mac is infected or not. It won’t hurt if you do and its always better to be safe than sorry.

Anyone here who got infected by the latest Flashback trojan or a different variant? What did you do to fix/disinfect your machine?

Share:

administrator

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.

1 Comment

  • ^_^, April 13, 2012 @ 1:33 AM Reply

    Why does step #4 if “does not exist” tell you to go to step#8 only for it to tell you to “8. Delete the files obtained in steps 2 and 5”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.