TECH TIP: Checking for the Flashback Trojan in OS X

Reality check: Macs can get infected by malware too. Sure, Macs may be less affected by malware than computers running Windows, but you still have to be careful. Enter the Flashback trojan (a trojan is a malicious program that appears legitimate to the user and is used to gain backdoor access to a computer), which has allegedly affected up to 600,000 computers running OS X. Basically, a computer gets infected after a user is redirected to a fake site, where JavaScript code is used to load a Java applet containing the malicious code. It will then try to connect your Mac to a botnet (a botnet is used to perform automated tasks on your computer without you knowing it, such as sending out spam email, spreading other malware or attacking other computers).

If you think that you might be infected or want to check just to be safe, launch Terminal (found in /Applications/Utilities/) and enter (or copy & paste) the following into the Terminal window:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
You should receive the following message: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
Now enter (or copy & paste) the following into the Terminal window:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
Your Mac is not infected if you see the message “The domain/default pair of (/Users/<username>/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” or something similar (Note that <username> would refer to your account name on your Mac).
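
The two checks above, wrapped in a shell function so the result is reported per key instead of read off the screen (an added example, not part of the original tip). It assumes `defaults read` prints the "does not exist" message quoted above when a key is absent; `DEFAULTS_CMD`, `check_pair` and `flashback_check` are names made up for this example.

```shell
#!/bin/sh
# Added example: runs the article's two `defaults read` checks.
# DEFAULTS_CMD is an assumption of this example; it lets the reader
# command be replaced with a stub when testing away from a Mac.
DEFAULTS_CMD="${DEFAULTS_CMD:-defaults}"

# check_pair DOMAIN KEY
# Prints: absent | present:<value> | unknown:<output>
# Returns 0 if the key is absent, 1 if it is set, 2 if the check
# could not be evaluated (e.g. the command is missing or errored).
check_pair() {
    rc=0
    out=$("$DEFAULTS_CMD" read "$1" "$2" 2>&1) || rc=$?
    case "$out" in
        *"does not exist"*) echo "absent"; return 0 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "present:$out"   # a value is set: investigate further
        return 1
    fi
    echo "unknown:$out"
    return 2
}

# flashback_check: runs both checks and returns the worst status seen.
# "absent" only means this indicator was not found on this account.
flashback_check() {
    worst=0
    for key in LSEnvironment DYLD_INSERT_LIBRARIES; do
        case "$key" in
            LSEnvironment) domain=/Applications/Safari.app/Contents/Info ;;
            *)             domain="$HOME/.MacOSX/environment" ;;
        esac
        st=0
        result=$(check_pair "$domain" "$key") || st=$?
        echo "$domain $key -> $result"
        if [ "$st" -gt "$worst" ]; then worst=$st; fi
    done
    return "$worst"
}

# Run the checks only when invoked as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then flashback_check; fi
```
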

UPDATE 4/10/2012: After dealing with a colleague whose Mac was flagged as being infected with the Flashback malware, I found that the process of checking using the aforementioned Terminal commands might not fully detect the infection. In addition to the Terminal commands, you can also use the web-based utility provided by Dr. Web, which immediately detected it on my colleague’s iMac. You can visit the page at this link.

If you are indeed infected, you can follow the steps at this link to remove the malware from your Mac.

In the meantime, you can do a few things to protect yourself from the Flashback trojan. First, download the Java fix that Apple recently released. Open System Preferences and select Software Update. Click the Check Now button. It should show Java for OS X 2012-001 (version 1.0) as a required update.

UPDATE 4/6/2012: Apple has released another update for Java that shows as Java for OS X 2012-002 when you run Software Update.

UPDATE 4/12/2012: Apple has released a new Java security update that removes the most common variants of the Flashback malware. It will show up as Java for OS X 2012-003 when you run Software Update.

Second, if you know for sure that you have no need for Java, it can be disabled by going to /Applications/Utilities/Java Preferences. Uncheck the box(es) next to the Java runtimes that are listed. Once those box(es) have been unchecked, anything that requires Java will not run until you check the box to enable it.

Finally, if you are the extreme paranoid type, download and install a FREE antivirus solution for OS X. There are several to choose from such as Bitdefender Virus Scanner, ClamXav, Sophos or PC Tools iAntiVirus.

Bottom line, this is not the end of the world for Mac users, nor is it a sign of the Apocalypse. More than anything, it is a reminder that OS X, just like Windows, requires a small amount of maintenance and care to avoid these issues.
