Mac Flashback TROJAN HORSE



Don't know if this was posted already, but I guess there is a Mac Trojan going around as of yesterday that exploits JAVA script. Read about it here on how to check for it.

 

How to find out if your Mac has the Flashback Trojan - CNN.com

 

http://mashable.com/2012/04/05/mac-flashback-trojan/?cnn=yes

 

Just run Software Update (click the black apple on the top left); Apple has a patch. But do run the two machine scripts to see if you have it. If you do, you have to remove it.

 

Rick


Well, this is not the first virus for the Mac, and it certainly won't be the last.

 

There even was a cross-platform virus that was Microsoft Office specific. This one seems to piggyback on Java, so any machine that uses Java can catch it; however, the modifications done only harm the Mac.

 

It's always better to be safe with some form of antivirus software. Even though Mac OS is better at preventing attacks, it isn't perfect.



You know, that brings up another question. Which of you use antivirus software on your Macs, and if so, which antivirus software do you use and like the best?


To check which version of Java you have (and if indeed it's even on your OS; remember that Lion didn't come with Java installed like previous OS X versions did, and you have to install it if you need it), go to the Terminal and use this command:

 

java -version

 

If you have Java installed, then be sure it's 1.6.0_31 (1.6.0_29 is vulnerable).

 

The latest software update included the patch. But Apple was late getting this out, unfortunately.

 

To check if you have been infected you don't need to download anything (no special scripts or applications or any fancy GUI stuff); you can easily go into the Terminal and just use these three defaults read commands (one each for Safari, Firefox, and the OS). If the response is "does not exist" then you're fine.

 

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

 

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

 

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

 

btw, you can easily turn off Java both in the OS preferences (not recommended if you need Java to run a specific piece of software, of course ;)) and in your web browsers (Safari, Firefox, Chrome, iCab). imho, it's always best not to allow Java applets to display in the browser. Chrome is probably best for using Java since it's an embedded, sandboxed version of the program. A good idea is to just have one dedicated browser to use when you might need Java and disable it in your everyday browser.

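The checks in the post above, as an added example (not code from the original post, from Apple, or from F-Secure): a Python script that reads the same plist files the three defaults read commands read, through plistlib instead of the defaults tool so that it can also be exercised on a non-Mac, and that compares the first line of java -version output against 1.6.0_31. Unlike defaults read, it reports a missing file separately from a missing key, so a mistyped path cannot pass as a clean result. The sample Info.plist and environment.plist files it writes under a temporary directory, and the library paths inside them, are constructed for illustration and are not paths Flashback actually used.

```python
"""Offline check for the Flashback persistence markers and the Java version.

Added example, not code from the original post. It reads the same plist files
that the posted `defaults read` commands read, but through plistlib rather than
the `defaults` tool, so it can also be exercised on a non-Mac. The sample
plists and the library paths written by write_sample_plists() are constructed.
"""
import plistlib
import re
import tempfile
from pathlib import Path

# What the three posted commands read: `defaults read <path> <key>` opens
# <path>.plist, i.e. each browser's Info.plist and the per-user environment file.
BROWSER_INFO_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
USER_ENV_PLIST = "~/.MacOSX/environment.plist"

# Patched release named in the thread; 1.6.0_29 is the vulnerable one.
MIN_JAVA = (1, 6, 0, 31)

# First line of `java -version`, e.g.  java version "1.6.0_29"
JAVA_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def read_key(plist_path, key):
    """Look up `key` in a plist. Returns ("missing", None) when the file is not
    there, ("absent", None) when the file exists but has no such key, and
    ("present", value) otherwise. `defaults read` prints "does not exist" for
    both of the first two cases, which is how a mistyped path turns into a
    false negative; here the two are told apart."""
    path = Path(plist_path).expanduser()
    if not path.is_file():
        return ("missing", None)
    with path.open("rb") as fh:
        data = plistlib.load(fh)  # XML and binary plists alike
    if key not in data:
        return ("absent", None)
    return ("present", data[key])


def flashback_findings(browser_plists=BROWSER_INFO_PLISTS, env_plist=USER_ENV_PLIST):
    """Return [(path, key, value)] for every marker the thread's commands look
    for: an LSEnvironment key in a browser Info.plist (the clean result in the
    thread is that the key does not exist) or DYLD_INSERT_LIBRARIES in the
    user's environment.plist."""
    findings = []
    for path in browser_plists:
        state, value = read_key(path, "LSEnvironment")
        if state == "present":
            findings.append((path, "LSEnvironment", value))
    state, value = read_key(env_plist, "DYLD_INSERT_LIBRARIES")
    if state == "present":
        findings.append((env_plist, "DYLD_INSERT_LIBRARIES", value))
    return findings


def parse_java_version(version_output):
    """Turn the first line of `java -version` (which Java writes to stderr),
    e.g. 'java version "1.6.0_29"', into (1, 6, 0, 29). None if not found."""
    m = JAVA_VERSION_RE.search(version_output)
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())


def java_is_patched(version_output, minimum=MIN_JAVA):
    """True when Java is present and at least the patched release."""
    version = parse_java_version(version_output)
    return version is not None and version >= minimum


def write_sample_plists(directory, infected):
    """Write constructed Safari/Firefox Info.plist files under `directory`
    (plus a user environment plist when `infected`). The injected library
    path is a placeholder, not one Flashback actually used."""
    base = Path(directory)
    browsers = []
    for app in ("Safari", "Firefox"):
        info = {"CFBundleIdentifier": f"org.example.{app.lower()}"}
        if infected and app == "Safari":
            info["LSEnvironment"] = {"DYLD_INSERT_LIBRARIES": "/tmp/.injected.dylib"}
        plist = base / f"{app}.app" / "Contents" / "Info.plist"
        plist.parent.mkdir(parents=True)
        with plist.open("wb") as fh:
            plistlib.dump(info, fh)
        browsers.append(str(plist))
    env = base / "environment.plist"
    if infected:
        with env.open("wb") as fh:
            plistlib.dump({"DYLD_INSERT_LIBRARIES": "/tmp/.injected.dylib"}, fh)
    return browsers, str(env)


def demo(infected):
    """Scan a throwaway constructed sample tree; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        browsers, env = write_sample_plists(tmp, infected)
        return flashback_findings(browsers, env)


if __name__ == "__main__":
    import subprocess
    try:
        run = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print("Java patched:", java_is_patched(run.stderr + run.stdout))
    except FileNotFoundError:
        print("Java not installed (Lion does not ship it)")
    print("This machine:", flashback_findings() or "no markers found")
    print("Constructed infected sample:", demo(True))
```

Run it as is on a Mac to scan the real paths; on anything else only the constructed sample and the version parser are meaningful. A hit in LSEnvironment or in environment.plist is a reason to go through the removal steps in the F-Secure description linked later in the thread, not a reason to delete the key blindly, since you want to know what library was being injected.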

It can all be done without opening the Terminal program and entering any command lines. I think most people aren't comfortable with terminal commands, and this is simpler:

 

Step one: Just click on: Files.zip

Click on Download.

Run the two scripts.

The OP has a CNN linked article that shows exactly what you should see if you are not infected.

 

Step two: Update your Mac OS version like you usually do, if you haven't already.


I'm not sure why I would want to download a script from some source I have no real clue about (except that it's posted on CNN and written by some journalist who just decided to link that script). It comes from c-mac.me and is a file hosted on CloudApp by the person who put it up: ChristinaWarren.com

 

But each to their own. Whatever works.

 

The defaults read commands are harmless, and the terminal is your friend. I guess I'd rather do it myself than download a script from who knows where (which is exactly what can get you in trouble in the first place). I just personally wouldn't recommend downloading scripts off the internet. But again, that's just me. So take it or leave it.

 

Even though Christina Warren might be a nice girl, safe sex is still safe sex. :)


...

To check if you have been infected ... go into the terminal and just use these three default read commands ...

 

defaults read /Applications/Safari.app/Contents/Info LSEnvironment ...

Thanks. I note that if you mistype the argument, then Terminal will simply echo "domain/default pair of ~ does not exist" (where ~ is what you've mistyped), which could be a false negative if the mistyping isn't noticed. I, er, inadvertently 'tested' it. :rolleyes:

 

Are the capital letters significant (read: necessary), and the space between Info and LSEnvironment?

 

Pete.


CalArts, to each his own. I ran the scripts a%nd I am**! not hav*$%@ing any problems

!#$^&&&*IO that I am$*)_& aware of. Zombie Bot control do you read me. Port 168 is open, I repeat all ports open for business.


... Are the capital letters significant (read: necessary), and the space between Info and LSEnvironment? ...

 

Copy and paste exactly ;)

 

If you want to see it in all its gory detail (plus the terminal commands for removal): how it installs, downloads the payload, and infects the OS, here it is in full: Threat Description: Trojan-Downloader:OSX/Flashback.I

 

Note the terminal command in line 8 (the same as I posted).

 

The script that's floating around the internet comes from several authors now. The link above also demonstrates removal via the terminal. Tricky, but it can be done.

 

... CalArts, to each his own. I ran the scripts ... Zombie Bot control do you read me. Port 168 is open, I repeat all ports open for business. ...

 

LOL. :D

 

What's kind of interesting is that this particular malware was designed to skip its routine and delete itself if it detects that you have Little Snitch installed or the open source ClamXav installed. So Little Snitch was a great barrier, in addition to letting you know when a program is making an outgoing connection. I've been using it for almost 10 years now, and it's excellent (and highly customizable). Little Snitch

 

It no doubt would have been discovered earlier if it didn't delete itself when it encountered Little Snitch (it would have been noticed). Also, it deletes itself if you have the developer's Xcode app for Mac OS X installed (developers would have noticed, too). The author was smart about that.


Duh, I'm new to Macs, so I didn't know I could copy and paste in Terminal; I assumed it was like DOS.

You can even drag and drop: drag a file or folder into the Terminal window, and the path to that object gets inserted at the cursor position.


Java (Oracle) has now addressed Flashback and has an update in the Apple software updater that removes the malware. Click on the apple at the top left and click on Software Update... mom says do it now.

Done. Do I get a cookie now? :)
