Mac fans recently got a little taste of what it's like to be a Windows user. That's right, a virus targeting Mac OS X is making the rounds. The latest stats from security companies tracking the virus put the number of infected Macs at well over half a million. That's nowhere near the level of some Windows viruses, but it's widespread enough to be a concern for Mac users.
The virus is known as Flashback and can hijack your Mac without so much as an administrative password. It manages to pull off its attack by exploiting a vulnerability in Java. Oracle, which makes Java, quickly issued a fix for the problem back in February. Unfortunately, because Apple ships its own version of Java (and therefore must provide its own patches), Mac users had to wait on Apple's fix, which didn't arrive until last week.
The slow fix from Apple gave Flashback time to propagate and led to well over half a million infected machines -- one of which could be yours.
So how do you know if your Mac has been infected with the Flashback virus? Here's our guide to finding out if you've got the Flashback virus and how to remove it from your system if you do.
== Checking for Flashback ==
The simplest way to check for Flashback is to use the [http://www.flashbackcheck.com/ Flashback Check website] set up by security vendor Kaspersky Lab. Just head to the site, plug in your Mac's UUID (to find your UUID, follow [http://www.flashbackcheck.com/where.html these instructions]) and the site will tell you if your Mac has been infected.
If you don't want to hand over your UUID to a website, there are two other options. The first option is to download [https://github.com/jils/FlashbackChecker/wiki FlashbackChecker] and run it on your machine.
FlashbackChecker is really just a wrapper around the second option -- manually checking for the Flashback virus using the Terminal app. To do that, open up the Terminal application (it's in the Utilities folder in your Applications folder). Now paste this line into the terminal and hit return:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
The response back should look something like this:
The domain/default pair of (/Users/<yourusername>/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist
If the message doesn't say that the pair "does not exist," then Flashback is present on your system. Assuming the message is negative, let's keep going. Now paste in this line:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
That should generate the same "does not exist" message. Again, if it doesn't then your Mac has been infected with Flashback. If it's negative try this line:
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
Again, the message is (hopefully) negative. If it's not, read on.
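If you would rather run the three checks above in one go, here is a small POSIX shell script that does so. It is an added example written for this page, not code from the article, Kaspersky Lab or F-Secure. It treats a `defaults read` result as clean only when it is the "does not exist" error, flags anything else for inspection, and also lists dot-prefixed files in `~/Library/LaunchAgents`, the trait the F-Secure removal steps further down look for. The function and file names are this example's own, and the launch-agent lister takes a directory argument so it can be run against a copy.

```shell
#!/bin/sh
# Added example (not from the article, Kaspersky Lab or F-Secure): run the
# three `defaults read` checks from the article and flag any result that is
# not the expected "does not exist" error. Also lists dot-prefixed files in
# the user's LaunchAgents folder, which F-Secure's removal steps check for.

# Classify one `defaults read` result. Returns 0 (clean) only when the output
# is the "does not exist" error; any other output means a value is set, which
# the article treats as an indicator of Flashback.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one key from a plist domain and report. Usage: check_key DOMAIN KEY
# `defaults` prints the "does not exist" error on stderr, hence 2>&1.
check_key() {
    out=$(defaults read "$1" "$2" 2>&1)
    if classify_defaults_output "$out"; then
        printf 'clean     %s %s\n' "$1" "$2"
        return 0
    fi
    printf 'INDICATOR %s %s -> %s\n' "$1" "$2" "$out"
    return 1
}

# The three checks from the article. Returns 1 if any of them is not clean.
run_flashback_checks() {
    status=0
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=1
    check_key /Applications/Safari.app/Contents/Info LSEnvironment || status=1
    check_key /Applications/Firefox.app/Contents/Info LSEnvironment || status=1
    return $status
}

# Print regular files whose name starts with "." in a LaunchAgents directory
# (default: the current user's). The argument lets you point it elsewhere.
hidden_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    [ -d "$dir" ] || return 0
    for f in "$dir"/.*; do
        case "${f##*/}" in
            .|..) ;;
            *) [ -f "$f" ] && printf '%s\n' "$f" ;;
        esac
    done
    return 0
}

# Run the live checks only where `defaults` exists (Mac OS X).
if command -v defaults >/dev/null 2>&1; then
    run_flashback_checks
    hidden_launch_agents
else
    echo "defaults(1) not found; the plist checks only run on Mac OS X" >&2
fi
```

Save it as a file, run it with `sh`, and read any line starting with INDICATOR as a prompt to look at the value it printed, not as proof on its own; a legitimately set environment key would be reported the same way.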
== Getting rid of Flashback ==
If your testing turns up evidence of Flashback on your system, you'll need to delete some files to reclaim your Mac. Kaspersky Lab has a special app that claims to take care of the process for you. You can download the company's [http://support.kaspersky.com/viruses/utility Flashfake Removal Tool] and run it to disinfect your Mac.
Remember to rerun the above tests when you're done to make sure it worked.
Alternately you can remove the files Flashback installed by hand and wipe it from your drive yourself. Be forewarned though, this involves the command line and is recommended only for advanced users.
These instructions come from [http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml F-Secure], which originally reported the widespread outbreak of Flashback.
<ul>
<li>1. Run the following command in Terminal:<br />
<span style="color:#800000;">defaults read /Applications/Safari.app/Contents/Info LSEnvironment</span></li>
<li>2. Take note of the value, DYLD_INSERT_LIBRARIES</li>
<li>3. Proceed to step <b>8</b> if you got the following error message:<br />
<span style="color:#666666">"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"</span></li>
<li>4. Otherwise, run the following command in Terminal:<br />
<span style="color:#800000;">grep -a -o '__ldpath__[ -~]*' <b>%path_obtained_in_step2%</b></span></li>
<li>5. Take note of the value after "__ldpath__"</li>
<li>6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):<br />
<span style="color:#800000;">sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment</span><br />
<span style="color:#800000;">sudo chmod 644 /Applications/Safari.app/Contents/Info.plist</span></li>
<li>7. Delete the files obtained in steps 2 and 5</li>
<li>8. Run the following command in Terminal:<br />
<span style="color:#800000;">defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES</span></li>
<li>9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:<br />
<span style="color:#666666">"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"</span></li>
<li>10. Otherwise, run the following command in Terminal:<br />
<span style="color:#800000;">grep -a -o '__ldpath__[ -~]*' <b>%path_obtained_in_step9%</b></span></li>
<li>11. Take note of the value after "__ldpath__"</li>
<li>12. Run the following commands in Terminal:<br />
<span style="color:#800000;">defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES</span><br />
<span style="color:#800000;">launchctl unsetenv DYLD_INSERT_LIBRARIES</span></li>
<li>13. Finally, delete the files obtained in steps 9 and 11.</li>
<li>14. Run the following command in Terminal:<br />
<span style="color:#800000;">ls -lA ~/Library/LaunchAgents/</span></li>
<li>15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.</li>
<li>16. Run the following command in Terminal:<br />
<span style="color:#800000;">defaults read ~/Library/LaunchAgents/<b>%filename_obtained_in_step15%</b> ProgramArguments</span></li>
<li>17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.</li>
<li>18. Delete the files obtained in steps 15 and 17.</li>
</ul>
== Is the sky falling? ==
For a long time OS X was largely ignored by virus and malware writers, partly because its Unix underpinnings are pretty well time-tested and secure at this point, but also because it lacks the market share numbers of Windows. For the most part that's likely to continue to be the case, but that doesn't mean your Mac is invulnerable to attack.
Flashback serves as a healthy reminder that every computer is vulnerable in some way.
That doesn't necessarily mean you need antivirus software on your Mac. In fact, one of the more interesting aspects of Flashback is that while it deletes itself when it detects Apple's developer tools or applications like [http://www.obdev.at/products/littlesnitch/index.html Little Snitch], [http://waxy.org/2012/04/flashback_trojan_creators_scared_of_xcode_users_but_not_norton_antivir/ it doesn't care at all if you have a commercial antivirus utility like Norton Antivirus, McAfee VirusScan or F-Secure installed]. In other words, the developers of Flashback are worried about being discovered by savvy users, not antivirus software.
Take a tip from the virus writers themselves and focus on being a savvy user -- avoiding suspicious downloads and using basic web smarts -- rather than installing antivirus software and blindly trusting it to protect you.