I'm not very tech savvy when it comes to this, but how do you run terminal or access the terminal? Once you are there, I'm confused as to what command you enter to determine if you are infected. What will it say? Pardon me for being stupid!

In Applications>Utilities there is an app called Terminal. Open it.
Alternatively hit Apple+Spacebar and type Terminal. Open it that way.

Once in there copy and paste everything on the next line and then hit enter:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hopefully that comes up with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If so, copy paste what follows and hit enter:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that returns this: "The domain/default pair of (/Users/YourUserName/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are clean. If not, post back.
 
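The two checks from the post above combined into one script, as an added example that is not part of the original post. The function names and the `DEFAULTS_CMD` override are assumptions introduced here for illustration; an empty result is reported as `unknown` rather than clean, so a pasted command that was never actually run is not mistaken for a pass.

```bash
#!/bin/bash
# Added example (not from the thread): run both Flashback checks and
# interpret what `defaults read` prints, using the rules given in the post.

# Classify the text printed by one `defaults read` call.
#   clean   -> the "does not exist" message the post says to expect
#   unknown -> no output at all (command pasted but not run; run it again)
#   suspect -> anything else: the key exists and holds a value, so post back
classify_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        "")                 echo unknown ;;
        *)                  echo suspect ;;
    esac
}

# Run one check. DEFAULTS_CMD is a hypothetical override used only for
# offline testing; on a Mac it is unset and the real `defaults` tool runs.
check_key() {
    # `defaults read` may exit non-zero when the key is missing, which is
    # the expected clean case, so the exit status is deliberately ignored.
    out=$("${DEFAULTS_CMD:-defaults}" read "$1" "$2" 2>&1) || true
    classify_output "$out"
}

# Overall verdict: suspect if either key exists, unknown if either check
# produced no output, clean only when both report "does not exist".
flashback_check() {
    r1=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
    r2=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    echo "Safari LSEnvironment: $r1" >&2
    echo "User DYLD_INSERT_LIBRARIES: $r2" >&2
    case "$r1 $r2" in
        *suspect*) echo suspect ;;
        *unknown*) echo unknown ;;
        *)         echo clean ;;
    esac
}

# Only run automatically where the `defaults` tool is present (a Mac).
if command -v defaults >/dev/null 2>&1; then
    flashback_check
fi
```
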
I'm not very tech savvy when it comes to this, but how do you run terminal or access the terminal? Once you are there, I'm confused as to what command you enter to determine if you are infected. What will it say? Pardon me for being stupid!

See post #203 by RDMI for the instructions.
Go to Finder>Applications>Utilities>Terminal. Double click on it. When it opens, copy and paste the first command from post #203. Hit enter. See what the response is. Then do the same with the second command.
Just be very careful in Terminal. You can ruin your computer there if you don't know what you're doing. I copied and pasted the two commands in the referenced post and know they are safe to use.
Good luck!
 
In Applications there is an app called Terminal. Open it.
Alternatively hit Apple+Spacebar and type Terminal. Open it that way.

Once in there copy and paste everything on the next line and then hit enter:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hopefully that comes up with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If so, copy paste what follows and hit enter:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that returns this: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are clean. If not, post back.

Thanks!!!
 
I'm also clean :D Did copy n paste the two commands in Terminal n I'm ok!
Also did the Java update yesterday, so hopefully all these horses can go away from my precious Mac :D
 
So it looks like I'm clean!
Is there a way to detect if I have any other types of malware on my MBP?
Turns out I had Java enabled (which I have now disabled) and apparently Flash has been automatically checking for updates, so I'm worried that I may have downloaded something in the past.
I'm not experiencing any weird computer behavior, though. Should I be okay?
 
I get nervous in Terminal, but I was able to copy and paste the Terminal commands posted here.
I'm clean on SL 10.6.8 with the Java update.
Why do you get nervous in Terminal? Is there a reason why anyone should be nervous in Terminal?
 
So it looks like I'm clean!
Is there a way to detect if I have any other types of malware on my MBP?
Turns out I had Java enabled (which I have now disabled) and apparently Flash has been automatically checking for updates, so I'm worried that I may have downloaded something in the past.
I'm not experiencing any weird computer behavior, though. Should I be okay?

Good!

I wouldn't be concerned about Flash automatically checking for updates. That is better than it not telling you about updates and you coming across a webpage that wants to update for you. If that ever happens, decline, and then go directly to Adobe's Flash page to see if you really need an update.

You are ok.


But you did bring to mind something I wonder about. Is there a site that a Mac user can go to and get an online scan? There are several for PCs (I often use ESET's online scanner for PCs), but it would be great if there was one for Macs. Just for peace of mind occasionally.
 
My MBA was infected. I actually found out because LittleSnitch asked me if I want to allow $HOME/.rsrv to connect to some random URL I've never heard of.

I have absolutely no clue when this thing installed. I don't remember updating Flash or allowing untrusted certificates.

To be honest I'm glad this is getting some attention, maybe Apple will start reacting a bit faster when a vulnerability is found.

That being said, thumbs up to LittleSnitch. Best $30 for your Mac!
 
In Applications>Utilities there is an app called Terminal. Open it.
Alternatively hit Apple+Spacebar and type Terminal. Open it that way.

Once in there copy and paste everything on the next line and then hit enter:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hopefully that comes up with "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If so, copy paste what follows and hit enter:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If that returns this: "The domain/default pair of (/Users/YourUserName/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then you are clean. If not, post back.
Thanks. I'm clean. :D
 
Help

Hello everyone, I'll cut to the chase..I'm a new Mac user. The transition from PC to Mac has been seamless. I honestly don't know why I didn't do it sooner. I love it. Ok.. here comes this "Flashback" nonsense. I did the terminal thing and this is what I got:

Last login: Thu Apr 5 17:37:22 on ttys000
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-05 17:43:49.940 defaults[285:707]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES



Am I ok? Should I regret moving over to Mac? I don't think so. I've been happy so far.
 
Clean here.

Just launch Terminal and then copy and paste:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

into the window and then press return.

If it says:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

then copy and paste:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

into the window of Terminal and hit return.

If you see:

The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

Then you know you are clean.

It's not as daunting as it sounds, really...
 
Hello everyone, I'll cut to the chase..I'm a new Mac user. The transition from PC to Mac has been seamless. I honestly don't know why I didn't do it sooner. I love it. Ok.. here comes this "Flashback" nonsense. I did the terminal thing and this is what I got:

Last login: Thu Apr 5 17:37:22 on ttys000
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2012-04-05 17:43:49.940 defaults[285:707]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES



Am I ok? Should I regret moving over to Mac? I don't think so. I've been happy so far.
What was the result of the 2nd paste? If it was also does not exist, you are clean.

You shouldn't regret moving to a Mac. But you should also not be smug about it. So many Windows users hate Macs just to hate them. I suppose the opposite is true too. We that have used or do use both should try to be civil about things.
 
Help

I got this:


Last login: Thu Apr 5 18:13:50 on ttys000
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-05 18:17:20.189 defaults[374:707]
The domain/default pair of (/Users/ivanramirez2/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-05 18:17:32.366 defaults[375:707]
The domain/default pair of (/Users/ivanramirez2/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
Ivans-MacBook-Pro:~ ivanramirez2$
 
True, but how many people are going to hit "no" when they see the self-signed certificate? Most people would (rightfully so) think that is less dangerous than typing in your admin password.

What is the Trojan able to do if installed without authentication?

It can't inject itself into apps owned by system, such as Safari, without password authentication so not every launched app is infected with binary2.

Binary2 is designed to target Safari so it sounds like this is only collateral infection on non system owned apps.

This is much like Leap-a but without the worm-like behavior. No significant infection occurs unless the user is running as root or password-authenticates the installation.
 
I got this:


Last login: Thu Apr 5 18:13:50 on ttys000
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-05 18:17:20.189 defaults[374:707]
The domain/default pair of (/Users/ivanramirez2/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
Ivans-MacBook-Pro:~ ivanramirez2$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-05 18:17:32.366 defaults[375:707]
The domain/default pair of (/Users/ivanramirez2/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
Ivans-MacBook-Pro:~ ivanramirez2$

yep, clean. :)
 
yep, clean. :)

Awesome!! Geez. Funny, I run from one OS to another and whammo. I fear this Java Flash Crap. Thanks for the help. I really like this machine and as I mentioned earlier, I wish I would have done it sooner. Great for work and play. Will definitely recommend.

Thanks again.
 
Just checked my machine, it's squeaky clean. And I finally downloaded that patch. Whew! Got worried there for a second.


What does this trojan do to infected machines?
 
So now... There's really no reason for me to move from windows baha! There will only be more and more stories like this if Mac keeps increasing in popularity.

Nah, just kidding- I enjoy pc gaming too much to really entertain switching to Mac
 
It is possible the folks at Ars Technica, where the article came from, were taken in by a lie. Question is, are you smarter than they are? :rolleyes:

How is this hard? Apple makes it easy to find Terminal with Finder--unlike with Windows 7, where you have a bitch of a time finding the MS-DOS prompt.
Also, typing commands that are given to you doesn't seem that difficult to me. It's no different than typing commands in MS-DOS.
FYI, I'm on my first mac, which I got in 2008.

A b**ch of a time to click the Start button and type CMD or command and hit enter???
 
I am curious

Percentage wise - are more Mac computers now infected with malware than their Windows 7 counterparts?
 