Time to get your head out of the sand. The old mantra that Macs don't get infected isn't true anymore (not that it ever was to begin with): there's a new Trojan on the loose taking advantage of unsuspecting Mac machines everywhere, called the Flashback Trojan. According to The Verge, Apple has already released a patch for the Java vulnerability it exploits, so get on those software updates, people!
 
F-Secure has written an extensive write-up on how to detect and remove the Trojan manually here.

Manual Removal Instructions

  1. Run the following command in Terminal:
     defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  2. Take note of the value of DYLD_INSERT_LIBRARIES.
  3. Proceed to step 8 if you got the following error message:
     "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
  4. Otherwise, run the following command in Terminal:
     grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
  5. Take note of the value after "__ldpath__".
  6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
     sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
     sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
  7. Delete the files obtained in steps 2 and 5.
  8. Run the following command in Terminal:
     defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
     "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
  10. Otherwise, run the following command in Terminal:
      grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
  11. Take note of the value after "__ldpath__".
  12. Run the following commands in Terminal:
      defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
      launchctl unsetenv DYLD_INSERT_LIBRARIES
  13. Finally, delete the files obtained in steps 9 and 11.

Note:
Some Flashback variants include additional components, which require additional steps to remove. Please refer to F-Secure's Trojan-Downloader:OSX/Flashback.K description for additional information and removal instructions.
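The detection half of the thirteen steps above, scripted as a read-only check. This is an added example, not part of the original post or of F-Secure's write-up; the function names, the constructed sample data (a fake binary with an embedded "__ldpath__" string and a fake `defaults read` dump, not real Flashback artefacts) and the LC_ALL=C guard are my assumptions. It reports what it finds and deletes nothing, so the manual steps still apply once you have looked at the paths it prints.

```shell
#!/bin/sh
# Added example (not from the post or F-Secure): the detection steps
# above as a read-only script. Nothing here deletes anything.
#
# The helpers are pure text processing so they can be exercised with
# constructed sample data on any system; check_flashback() wires them to
# defaults(1) and only does anything useful on macOS.

# Steps 4 and 10: recover the path that follows "__ldpath__" inside a
# binary. -a forces grep to treat the file as text even though it holds
# NUL bytes, -o prints only the match, and "[ -~]*" (ASCII space..tilde,
# hence LC_ALL=C) swallows the printable run that is the embedded path.
ldpath_from_file() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | head -n 1 | sed 's/^__ldpath__//'
}

# Steps 2 and 9: pull DYLD_INSERT_LIBRARIES out of what `defaults read`
# printed. For Safari's LSEnvironment that is a dictionary such as
#     { DYLD_INSERT_LIBRARIES = "/some/path"; }
# spread over several lines. ~/.MacOSX/environment is read by key in
# step 8, so there `defaults` prints the bare path and nothing is parsed.
insert_lib_from_defaults() {
    printf '%s\n' "$1" \
        | sed -n 's/.*DYLD_INSERT_LIBRARIES *= *"\{0,1\}\([^";]*\)"\{0,1\} *;.*/\1/p' \
        | head -n 1
}

# Step 6's precondition: `defaults delete ... LSEnvironment` removes the
# whole dictionary, so refuse unless DYLD_INSERT_LIBRARIES is its only key.
lsenv_entry_count() {
    printf '%s\n' "$1" | grep -c ' = '
}

# Constructed sample data (assumed, not real Flashback artefacts) so the
# helpers can be tried without an infected machine.
SAMPLE_LSENV='{
    DYLD_INSERT_LIBRARIES = "/Applications/Safari.app/Contents/Resources/.sample_loader.so";
}'
write_sample_binary() {
    printf 'MZ\001\002garbage__ldpath__/Users/joe/.sample_payload.so\000more' > "$1"
}

# Runs the real checks on macOS and prints what a human should verify.
# Exit status: 0 clean, 1 indicators found, 2 could not check.
check_flashback() {
    command -v defaults >/dev/null 2>&1 || {
        echo "defaults(1) not found; this check only works on macOS" >&2
        return 2
    }
    found=0
    if lsenv=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>/dev/null); then
        lib=$(insert_lib_from_defaults "$lsenv")
        echo "Safari LSEnvironment injects: $lib"
        echo "  entries in LSEnvironment: $(lsenv_entry_count "$lsenv") (must be 1 before 'defaults delete')"
        [ -f "$lib" ] && echo "  payload path: $(ldpath_from_file "$lib")"
        found=1
    fi
    if lib=$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>/dev/null); then
        echo "~/.MacOSX/environment injects: $lib"
        [ -f "$lib" ] && echo "  payload path: $(ldpath_from_file "$lib")"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "no DYLD_INSERT_LIBRARIES persistence found"
    return "$found"
}

# Stand-alone run: exercise the helpers on the samples, then try the real check.
tmp=$(mktemp) && write_sample_binary "$tmp"
echo "sample binary payload: $(ldpath_from_file "$tmp")"
echo "sample LSEnvironment library: $(insert_lib_from_defaults "$SAMPLE_LSENV")"
rm -f "$tmp"
check_flashback || true
```

On a real machine, treat the printed paths as leads, not verdicts: confirm the library and the "__ldpath__" target actually exist and look like the loader described in F-Secure's write-up before deleting them, and only run step 6's `defaults delete` when the entry count is 1, since it drops the whole LSEnvironment dictionary rather than just the one key.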
UPDATE: Looks like Apple is going to make a tool available soon to detect and remove this infection.
