If you don't have Java on your system, or you have an up-to-date version of Java, you have 0% chance of being infected by this.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
600,000 Macs Worldwide Reportedly Infected by Flashback Trojan
- Thread starter MacRumors
- Start date
- Sort by reaction score
If you don't have Java on your system, or you have an up-to-date version of Java, you have 0% chance of being infected by this.
In terminal run:
You should get this error:
Then run:
You should get this error:
If you do you are clean of this variant!
If this doesn't happen go here to fix it:
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Oh wow good to know. I will still check my machine when I get home just in case.
Here's a little experiment you can try to prove to yourself that I do, indeed, know what I'm talking about.
- Right-click on your Desktop and select "New Folder".
- Browse in Finder to your /Applications folder
- Right-click on Safari.app and select "Show Package Contents"
- Double-click on "Contents", then on "Resources"
- Drag the folder you created in step 1 to the Resources folder
- Now close all Finder windows
- Go back and repeat steps 2-4 and verify that the folder you created is in Safari.app
- Notice that at no point in time were you prompted for your admin password
Create a bash file to do the following and see if it works.
It can not modify "/Applications/Safari.app/Contents/Info.plist" without you manually giving it permission to do so.
Neither does it modify pages you visit on anything other than Safari. Firefox/Chrome/Opera users aren't affected at all even if this on your machine.
It can not keylog you either unless you give it permission to do so. This perticular Trojan doesn't keylog anyways, if you do decide to give it permission.
Last edited:
Here Here. Says the person who can't upgrade past Snow Leopard and still has a imac with Panther. Call me sentimental. Or broke. I can't afford a new computer.
OF course....the imac can't get on the net' anyway, because I can't find a web browser that'll work anymore and if I did the sites wouldn't support it. But it does get light use and share files with my other mac.
I was grateful I already had Clamxav installed when I found out the trojan would decide my mac was not an appealing target. I mainly installed it to make sure I didn't pass anything onto PC users. Just for security sake, I rarely pay attention to those Flash pop ups. I always double check on the Adobe site just to be sure it's the real deal.
Has anyone else had issues with software updates or the Apple site lately? I had trouble installing any updates, even the java one. And sometimes I go to the support or discussions and they redirect me to the main page. That becomes rather urgent when it's a security upgrade you need.
It appears to depend on which version of Mac OS X you're running, whether it prompts or not.
...Then those Windows users have a false sense of security. I had a PC infected with Torpig that no virus scanner could detect, and was fully protected and up to date. I only detected it after blowing the partition away and starting from scratch. Was hiding in the boot sector. I'm still not sure how it got infected.
I'm not saying that a virus scanner is not a good idea, its just you should not trust that you are safe even with scanners and security updates.
Oh yeah, sorry, I should’ve indicated my version for reference: Lion 10.7.2
I’ll check it out on our SL machine too.
Same behavior: Snow Leopard 10.6.8
I was infected with this!
I checked, and sure enough my Mac Pro running Lion 10.7.3 with all updates installed (including the Apple Java update from 2 days ago) was INFECTED with this trojan!
I followed the F-Secure instructions, found out where the offending files had been installed, and followed the removal procedure. Getting this trojan through the previously unpatched Java exploit rattled me a bit, as I felt Macs were safer than this. This Java exploit was fixed by Oracle back in February, but it took Apple until 2 days to release the updated Java patched version.
So even if you ran the latest Apple Java update that was recently released 2 days ago, check via Terminal to make sure you weren't infected before that date via the Java exploit, as mine was.
Turns out my Mac was infected around March 3rd (from the date the trojan was installed), so who knows what data they scammed from my Mac in the last month. Hopefully I am free of this trojan now, but I am not at all pleased with finding out I was infected, and my Mac system was compromised.
I checked, and sure enough my Mac Pro running Lion 10.7.3 with all updates installed (including the Apple Java update from 2 days ago) was INFECTED with this trojan!
I followed the F-Secure instructions, found out where the offending files had been installed, and followed the removal procedure. Getting this trojan through the previously unpatched Java exploit rattled me a bit, as I felt Macs were safer than this. This Java exploit was fixed by Oracle back in February, but it took Apple until 2 days to release the updated Java patched version.
So even if you ran the latest Apple Java update that was recently released 2 days ago, check via Terminal to make sure you weren't infected before that date via the Java exploit, as mine was.
Turns out my Mac was infected around March 3rd (from the date the trojan was installed), so who knows what data they scammed from my Mac in the last month. Hopefully I am free of this trojan now, but I am not at all pleased with finding out I was infected, and my Mac system was compromised.
The syntax response means it was not entered correctly, and that could be simply because you do not appear to have a space between read and the path.
The command has 4 parts:
defaults
read
<path>
<key>
that should be separated by a space (so the parser can delineate the different parts).
If you don't use Safari, then it hasn't manipulated any webpages you've visited. It doesn't keylog you either. I would suggest getting LittleSnitch for your Mac, even if having nothing to do with this particular Trojan. If something did get on your system in the future, and it attempted to communicate with someone outside of your computer, LittleSnitch would warn you and let you choose whether to let it communicate.
I personally disable Java and any other plugins in all my browsers to begin with. Unless you have a reason to use Java regularly, you should disable it.
For Safari, just move the Java files located @ /Library/Internet Plug-Ins/ to /Library/Internet Plug-Ins/Disabled Plug-Ins/
For Firefox and Chrome, just type
Code:
about:plugins
Last edited:
Not infected, like I suspected.
First there's a Trojan that doesn't install if you have an antivirus application running or MS Office for Mac, Xcode and Skype.
Something that I find really wierd, because Trojans on Wintel systems really don't care if an antivirus is running to install themselfs.
Makes me suspicious about the 'design' of the Trojan, especially when you know that present day hackers are just guns for hire.
AV software selling for 32 million Macs can be considered a lucrative deal.
Also everyone that posts in this thread about keeping your head cool and following the instructions of f-secure, in short people that say that you still don't need AV software get "negative varrots" (always a max of -4), while people that advocate getting AV software get "positive varrots" (also always a max of +4).
At GGIstudio, yes I was mistaken by name, it's not your Apple-id and password, but your Mac admin-Id and password that most Trojans ask, before they can install. But you get the idea that I was trying to explain: it takes human interaction.
First there's a Trojan that doesn't install if you have an antivirus application running or MS Office for Mac, Xcode and Skype.
Something that I find really wierd, because Trojans on Wintel systems really don't care if an antivirus is running to install themselfs.
Makes me suspicious about the 'design' of the Trojan, especially when you know that present day hackers are just guns for hire.
AV software selling for 32 million Macs can be considered a lucrative deal.
Also everyone that posts in this thread about keeping your head cool and following the instructions of f-secure, in short people that say that you still don't need AV software get "negative varrots" (always a max of -4), while people that advocate getting AV software get "positive varrots" (also always a max of +4).
At GGIstudio, yes I was mistaken by name, it's not your Apple-id and password, but your Mac admin-Id and password that most Trojans ask, before they can install. But you get the idea that I was trying to explain: it takes human interaction.
Thanks for the instructions, all!
I get nervous in Terminal, but I was able to copy and paste the Terminal commands posted here.
I'm clean on SL 10.6.8 with the Java update.
I get nervous in Terminal, but I was able to copy and paste the Terminal commands posted here.
I'm clean on SL 10.6.8 with the Java update.
How to run terminal
I'm not very tech savvy when it comes to this, but how do you run terminal or access the terminal? Once you are there, I'm confused as to what command you enter to determine if you are infected. What will it say? Pardon me for being stupid!
I'm not very tech savvy when it comes to this, but how do you run terminal or access the terminal? Once you are there, I'm confused as to what command you enter to determine if you are infected. What will it say? Pardon me for being stupid!