Apple Flashback Trojan in the wild : Kortech Services

Time to get your head out of the sand. The old mantra that Macs don't get infected isn't true anymore (not that it ever was to begin with). There's a new Trojan on the loose, called Flashback, taking advantage of unsuspecting Mac machines everywhere. According to The Verge, Apple has already released a patch for the Java vulnerability it exploits, so get on those software updates, people!


F-Secure has written an extensive write-up on how to detect and remove the Trojan manually here; the steps are reproduced below.

Manual Removal Instructions

1. Run the following command in Terminal:
   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value of DYLD_INSERT_LIBRARIES (the path of the injected library).
3. Proceed to step 8 if you got the following error message:
   "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
4. Otherwise, run the following command in Terminal, substituting the path from step 2:
   grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
5. Take note of the value after "__ldpath__" (the path of the second component).
6. Run the following commands in Terminal (first make sure DYLD_INSERT_LIBRARIES is the only entry under LSEnvironment, since this deletes the whole key):
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5.
8. Run the following command in Terminal:
   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
   "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise, run the following command in Terminal, substituting the path from step 9:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
11. Take note of the value after "__ldpath__" (the path of the second component).
12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
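The detection half of those steps (1 through 5 and 8 through 11) can be scripted so you see everything the procedure would have you delete before you delete anything. The script below is an added example, not code from F-Secure or Kortech: it reads the same two plist locations, looks for the DYLD_INSERT_LIBRARIES key, and pulls the path after the "__ldpath__" marker out of the referenced library, but it removes nothing. The function names, the plutil fallback for non-Mac hosts, and the sample files it builds under /tmp/flashback-demo (plain text standing in for the Trojan's components) are assumptions made for this example.

```shell
#!/bin/bash
# Added example; not F-Secure's or Kortech's code. A read-only checker for the
# two Flashback persistence points walked through in the manual steps above:
# it reports what those steps would have you delete and removes nothing.
# The plist keys, the __ldpath__ marker and the two plist locations come from
# the steps; the function names, the plutil fallback and the sample files
# under /tmp/flashback-demo are assumptions made for this example.

set -u

# Dump a plist as XML. macOS has plutil (Safari's Info.plist is binary);
# elsewhere the file is assumed to be XML already, as the samples below are.
plist_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Print the DYLD_INSERT_LIBRARIES value recorded in a plist (nested under
# LSEnvironment or at top level), or nothing if the key is absent. Stands in
# for the two "defaults read" commands in steps 1 and 8.
dyld_insert_value() {
    local plist="$1"
    [ -r "$plist" ] || return 0
    plist_xml "$plist" | tr -d '\n' \
        | grep -o '<key>DYLD_INSERT_LIBRARIES</key>[[:space:]]*<string>[^<]*</string>' \
        | sed -e 's|.*<string>||' -e 's|</string>||'
}

# Steps 4 and 10: the injected library carries the path of its second
# component right after the marker "__ldpath__". Print that path, or nothing.
# LC_ALL=C keeps the printable-ASCII range [ -~] meaning what it says.
extract_ldpath() {
    [ -r "$1" ] || return 0
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | head -n 1 | sed 's/^__ldpath__//'
}

# Run both checks. Prints one line per artefact found. Returns 0 when nothing
# matches and 1 when the infection pattern is present.
check_flashback() {
    local safari_plist="$1" env_plist="$2" found=0 plist lib second
    for plist in "$safari_plist" "$env_plist"; do
        lib=$(dyld_insert_value "$plist")
        [ -n "$lib" ] || continue
        found=1
        echo "DYLD_INSERT_LIBRARIES set in $plist -> $lib"
        second=$(extract_ldpath "$lib")
        [ -n "$second" ] && echo "  $lib embeds __ldpath__ -> $second"
    done
    return $found
}

# Constructed sample (not real malware) laid out like an infected machine:
# a Safari Info.plist with LSEnvironment, an environment.plist, a stand-in
# "injected library" carrying the __ldpath__ marker, and the second component.
make_infected_sample() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>$dir/loader.dylib</string>
  </dict>
</dict></plist>
EOF
    cat > "$dir/environment.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>$dir/loader.dylib</string>
</dict></plist>
EOF
    # Binary junk around the marker, NUL-terminated like an embedded C string.
    printf 'FAKE\000\001\002__ldpath__%s\000\003trailer' "$dir/payload.dylib" > "$dir/loader.dylib"
    printf 'FAKE payload' > "$dir/payload.dylib"
}

# "--demo" inspects the constructed sample; anything else inspects the real
# locations from steps 1 and 8 (meaningful only on a Mac).
main() {
    if [ "${1:-}" = "--demo" ]; then
        make_infected_sample /tmp/flashback-demo
        check_flashback /tmp/flashback-demo/Info.plist /tmp/flashback-demo/environment.plist
    else
        check_flashback /Applications/Safari.app/Contents/Info.plist "$HOME/.MacOSX/environment.plist"
    fi
}

if main "$@"; then echo "no Flashback artefacts found"; else echo "Flashback artefacts present; follow the manual steps"; fi
```

Run it with `--demo` to see the two findings on the constructed sample, or with no arguments on a Mac to inspect the real Safari Info.plist and ~/.MacOSX/environment.plist. The grep for the XML key is deliberately loose about whitespace because `plutil -convert xml1` indents nested dictionaries; on the real Info.plist the same key sits inside the LSEnvironment dictionary, which is why step 6 warns about deleting that whole key.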

Note:

Some Flashback variants include additional components, which require additional steps to remove. Please refer to F-Secure's Trojan-Downloader:OSX/Flashback.K description for additional information and removal instructions.

UPDATE: Looks like Apple is going to make a tool available soon to detect and remove this infection.