Time to get your head out of the sand. The old mantra that Macs don’t get infected isn’t true anymore (not that it ever was to begin with), theres a new Trojan on the loose taking advantage of unsuspecting Mac machines everywhere called the Flashback Trojan. According to The Verge, Apple has already released a patch for the java vulnerability so get on those software updates people!
F-Secure has written an extensive write up on how to detect and remove the trojan manually here.
Manual Removal Instructions
- 1. Run the following command in Terminal:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- 2. Take note of the value, DYLD_INSERT_LIBRARIES
- 3. Proceed to step 8 if you got the following error message:
“The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”
- 4. Otherwise, run the following command in Terminal:
grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step2%
- 5. Take note of the value after “__ldpath__”
- 6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
- 7. Delete the files obtained in steps 2 and 5
- 8. Run the following command in Terminal:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- 9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”
- 10. Otherwise, run the following command in Terminal:
grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step9%
- 11. Take note of the value after “__ldpath__”
- 12. Run the following commands in Terminal:
defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES
- 13. Finally, delete the files obtained in steps 9 and 11.
Some Flashback variants include additional components, which require additional steps to remove. Please refer to ourTrojan-Downloader:OSX/Flashback.K description for additional information and removal instructions.
UPDATE: Looks like Apple is going to make a tool available soon to detect and remove this infection.