This is very bad news for consumers who should be safe from these problems when using a Mac. But it's important to note a trojan is not a virus. So we're still well ahead of Windoze users.

How is it important that it is a trojan and not a virus?? Are you happy to have Trojans on your computer??

Running Avast on my PC I feel very safe at the moment. I am less cocky on my Mac though. The current detection system for Mac malware seems to be news headlines..... it's the windoze guys who are laughing at us, a click of a button, they can scan their systems with the latest nightly malware/virus definitions.
 
The malware is such a coward. Its Windows brothers and sisters never fear the existence of Visual Studio LOL
 
It's a Hole in Java.
Yes update Java, the update's patched for that vulnerability.

Ok thanks!

Check to make sure your mac is clean, then go get all the updates. It doesn't make sense to stay behind date unless you absolutely have an incompatible application. Those updates are there to protect you.

Yea I followed the steps using the terminal checks out ok!
 
From what I understand most hackers these days don't bother with viruses anyways. Trojans are easier and easy enough to get people to fall for it they don't need to create viruses.

Nowadays... people are the biggest vulnerability to a system. A machine cannot protect you from yourself - if you enter a password when you are prompted to, without checking to make sure you initiated a command that would cause that popup window to appear (like manually launching software update or clicking a lock button in system prefs) the Mac can't override your willingness to put your user/password in ....

Just use some common sense.

----------

Yea I followed the steps using the terminal checks out ok!

Great :) It's good that you avoided it then. I'm clean, too. :)
 
Hi guys, is it safe to follow the instructions posted by F-Secure? As you know, sometimes following the instructions to remove some bad stuff actually installs it instead.
 
I thought Apple computers needed no malware or virus scanners/cleaners because the OS is a fortress and blocks all intrusion in to the system? :confused:
No, they have no need of virus scanners because doing a Software Update works better. AV software would not have caught this before there was a software update and using AV software can create an additional attack vector for malware because AV software needs to be trusted in order to do its job but there's no guarantee that the AV software itself is secure. For example, AV software has been used to attack Windows in the past.
 
Clean here, update your system often and you should not run into these trojans...
The malware self-installs after you visit a compromised or malicious webpage. Obviously, it would be a good idea to update any Macs in your control.

For those who want to check if mac is infected (from F-Secure instructions):
Run the following command in terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get "The domain/default pair ... does not exist" for both - you are clean


from 9to5mac

Clean here. Thanks for the instructions! I've never used terminal before. ;-)
 
I thought Apple computers needed no malware or virus scanners/cleaners because the OS is a fortress and blocks all intrusion in to the system? :confused:

The Macintosh OS is as secure as an OS can be, but there is no such thing as 100% security.
Malware infection of Macs however does always involve social-engineering, which is not really possible to fight preventatively with non-savvy users and could even deceive people with decent knowledge of computers.
The "fortress" part only means that no corrupt code is going to install itself on your Mac unless you actively did something to allow it. That's where the social-engineering enters into play.
 
To check if you have this do the following:-

Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Take note of the value, DYLD_INSERT_LIBRARIES
Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

NOTE: You should get that message if your system is clean. If you don't get the message your system is infected, so do the following:-

Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

In other words: "does not exist" means you've got a healthy rig.

For further info visit F-Secure for a more complete removal method – here: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

----------

Funnily enough if you download the latest Apple Java Update for Mac OS X 10.7.XX from here: http://support.apple.com/kb/DL1515 – details:

Version: 1.0
Post Date: April 03, 2012
Download ID: DL1515
License: Update
File Size: 66.9 MB
System Requirements
OS X 10.7

which links to this file http://support.apple.com/downloads/DL1515/en_US/JavaForOSX.dmg

I got (running 10.7.3) "There may be a problem with this disk image. Are you sure you want to open it? Opening this disk image may make your computer less secure or cause other problems".
 
I've owned a Mac for about seven years.

So, I've read this story, got concerned and looked to put it right but I simply don't understand what to do. I've never used Terminal and have no idea how to perform the instructions outlined. Other than running 'Software Update', I don't know how to see if I have it nor how to get rid of it.

If Macs are going to start getting malware/trojans/viruses or whatever, Apple need to create an easy-to-use, foolproof system of detecting and removing them.
 
Well, I ran the check and appear to be clean.

Granted, I have Xcode so it looks like even if I tried installing the trojan it would just abort itself.

Edit:

I've owned a Mac for about seven years.

So, I've read this story, got concerned and looked to put it right but I simply don't understand what to do. I've never used Terminal and have no idea how to perform the instructions outlined. Other than running 'Software Update', I don't know how to see if I have it nor how to get rid of it.

If Macs are going to start getting malware/trojans/viruses or whatever, Apple need to create an easy-to-use, foolproof system of detecting and removing them.

If you don't have a technical job (IE, you develop on/for Macs or are an IT guy managing Macs,) you probably haven't heard of Terminal and probably never need to use it.

Here's a quick explanation of the instructions:

1. Run the following command in Terminal:

This assumes you actually have Terminal open. It should be installed in Applications => Utilities. Alternatively, just search for it with spotlight (top right corner of the screen.)

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Copy that, paste it into terminal (wherever the cursor already is. Terminal probably printed a little bit of stuff already when it launched,) and hit enter.

It should now have a message or two below that. I got some gibberish ending with the phrase, "does not exist". The instructions say:

3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

Yeah, that's the gibberish I got. So I skipped to step 8.

8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

So just copy and paste that directly into terminal, again, wherever it has left the cursor, and then hit enter.

It spits out some more gibberish, again ending in "does not exist".

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

Ah, yes, that's what I see. So my system is clean.

Now, why isn't there any easier way of doing this? Because there's no need for it. Apple has an automated malware remover in Mac OS X that will periodically update itself and remove malware for you. These instructions are for if you don't want to wait a day for the automated malware remover to handle it for you. Or if you're paranoid. Apple doesn't want you paranoid (because that makes your experience subpar), so they don't even tell you about any of it. Because really, you'd have to be paranoid. You really don't have to worry about it as long as you're not giving random people/applications your computer's password so that they can install whatever they like. If they don't have your password, they can't install anything behind your back. Thus why it's a trojan, and not a virus, because you have to actually hand over your password for it to work.
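
The F-Secure check walked through above, as an added example that is not part of any post in this thread: a small shell function that runs both `defaults read` commands and reports the result. The `DEFAULTS_CMD` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: automates the two `defaults read` checks quoted in this thread.
# DEFAULTS_CMD is an assumption of this example (lets a stub replace the tool).
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# read_pair DOMAIN KEY
# Prints the value and returns 0 if the pair exists, returns 1 when the tool
# reports "does not exist", and returns 2 on any other failure.
read_pair() {
    out=$("$DEFAULTS_CMD" read "$1" "$2" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '%s\n' "$out"
        return 0
    fi
    case "$out" in
        *"does not exist"*) return 1 ;;
        *) printf 'unexpected error: %s\n' "$out" >&2; return 2 ;;
    esac
}

# flashback_check [HOME_DIR]
# Returns 0 (clean of this variant), 1 (a value is set: note it and follow the
# removal steps) or 2 (a check could not be completed).
flashback_check() {
    home="${1:-$HOME}"
    verdict=0
    for pair in \
        "/Applications/Safari.app/Contents/Info LSEnvironment" \
        "$home/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    do
        domain=${pair% *}   # everything before the last space
        key=${pair##* }     # the last word
        value=$(read_pair "$domain" "$key") && rc=0 || rc=$?
        case "$rc" in
            0) printf 'SUSPECT: %s %s = %s\n' "$domain" "$key" "$value"
               verdict=1 ;;
            1) ;;           # "does not exist": nothing set here
            *) [ "$verdict" -eq 1 ] || verdict=2 ;;
        esac
    done
    [ "$verdict" -ne 0 ] || echo "CLEAN: both pairs report 'does not exist'"
    [ "$verdict" -ne 2 ] || echo "UNKNOWN: a check failed, rerun it by hand"
    return "$verdict"
}

# Run only where the real tool exists (a Mac); elsewhere just define the functions.
if command -v defaults >/dev/null 2>&1; then flashback_check || :; fi
```

A SUSPECT line prints the stored value, which is the value the instructions say to take note of before following the F-Secure removal steps.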
 
Moral of the story: Don't be an idiot. If you can't help being an idiot, be ready to pay someone who isn't an idiot to clean up after your idiocy. Let's call it an "Idiot Tax".
 
I've owned a Mac for about seven years.

So, I've read this story, got concerned and looked to put it right but I simply don't understand what to do. I've never used Terminal and have no idea how to perform the instructions outlined. Other than running 'Software Update', I don't know how to see if I have it nor how to get rid of it.

If Macs are going to start getting malware/trojans/viruses or whatever, Apple need to create an easy-to-use, foolproof system of detecting and removing them.

Just follow the instructions as listed - you don't need a science degree - it's pretty damn simple

Run the following command in Terminal:
Type: defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Take note of the value, DYLD_INSERT_LIBRARIES
Proceed to step 8 if you got the following error message:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

NOTE: You should get that message if your system is clean. If you don't get the message your system is infected, so do the following:-
 
Here we go

I just can't help but wonder if this stuff is real or if the conspiracy theorists are right. Is it a natural evolution or AV companies with decreasing PC market share? Oh well, I'm sure it's Chinese hackers that will never be caught and Antivirus companies will provide immediate solutions for a premium. :)
 
LOL you really think OSX is as secure as an OS can be?

... where do people come up with this stuff.

I can make a more secure OS. If I make an OS that has no peripherals... no ports of any kind... no means of programming it... then it cannot get a virus.

I suppose, really, it'd have to be hardwired.

The issue with hardwiring the OS, of course, is that then it cannot be upgraded.
 
Has anyone found Flashback trojan on their Mac?

The news reports are claiming 600,000 Macs infected. If that is true, then I would expect at least a few MacRumors forum readers would be infected. Anyone who found a Flashback infection please speak up.
 
Nowadays... people are the biggest vulnerability to a system. A machine cannot protect you from yourself - if you enter a password when you are prompted to, without checking to make sure you initiated a command that would cause that popup window to appear (like manually launching software update or clicking a lock button in system prefs) the Mac can't override your willingness to put your user/password in ....

Just use some common sense.



In this case it can.

Flashback will prompt you for your Admin password; if you provide it, it infects you one way.

If you don't provide it, it will infect you a different way. Not providing the password doesn't protect you.
 
It infects itself in every binary you run. It also installs itself just by visiting a webpage, and exploiting a security hole. No user interaction necessary, besides just visiting a bad URL.

User has to accept a self-signed certificate to launch a downloader so user interaction is required.

Everyone remembers that Flashback is a spoofed installer which requires password authentication to install the final malware payload.

"After being dropped and executed on the system via the CVE-2012-0507 exploit, the new Trojan horse prompts a dialog window that asks the user for their administrative password."

http://www.computerworld.com/s/article/9225757/Unpatched_Java_bug_infects_Macs_with_Flashback_malware
 
Anti malware software

Can anyone recommend anti-virus/malware software for the Mac? I am willing to pay for peace of mind.
 