05 April, 2012

Mac Flashback Trojan: Find Out If You're One of the 600,000 Infected

By Kyle Wagner

There's a new Mac trojan that's been floating around, and it's terrifying everyone. It's written in an unknown language, doesn't even need your password to compromise you, and now it's apparently infected 600,000 users. Here's how to use Terminal to check if you're one of the unlucky many.

The instructions come from F-Secure, which also details how you can remove the trojan if your Mac is, in fact, affected. But let's not put the cart before the virus; here's how to see if you're clean.

First, open Terminal from your Utilities folder. If you've never ever done that before, don't be scared! It's a nice way to turn your Mac into a computer you actually have some control over.

Then, once you're in, follow these easy steps to detection:

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If you don't get that error message, well, time to head to F-Secure for your fix. If you're clean so far, you can move on to step eight:

8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

In other words: "does not exist" means you've got a healthy rig. Anything else, just keep following F-Secure's instructions to vanquish the intruder. And even if you get the all clear for now, don't wait on downloading the security update that patches the Java vulnerability that started this whole mess. [F-Secure via Ars]
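
If you'd rather not run the two checks by hand, here they are wrapped in one script. This is an added example, not code from F-Secure or the original article; the function names and return codes are its own, and it assumes `defaults` exits with an error when the key is missing.

```shell
#!/bin/sh
# Added example: wraps the two `defaults read` checks from the steps above.
# Function names and return codes are this example's own choices.

# check_key DOMAIN KEY
#   0 = "does not exist" (clean for this check)
#   1 = key is present (its value is printed; follow the removal steps)
#   2 = any other error, so this check is inconclusive
check_key() {
    if out=$(defaults read "$1" "$2" 2>&1); then
        printf 'FOUND:   %s %s = %s\n' "$1" "$2" "$out"
        return 1
    fi
    case $out in
        *"does not exist"*)
            printf 'clean:   %s %s does not exist\n' "$1" "$2"
            return 0 ;;
    esac
    printf 'unknown: %s %s: %s\n' "$1" "$2" "$out"
    return 2
}

# Runs both checks. Returns 1 if either key is present, otherwise 2 if
# either check was inconclusive, otherwise 0.
flashback_check() {
    found=0; unknown=0
    for key in LSEnvironment DYLD_INSERT_LIBRARIES; do
        case $key in
            LSEnvironment) domain=/Applications/Safari.app/Contents/Info ;;
            *)             domain=$HOME/.MacOSX/environment ;;
        esac
        rc=0
        check_key "$domain" "$key" || rc=$?
        case $rc in 1) found=1 ;; 2) unknown=1 ;; esac
    done
    if [ "$found" -eq 1 ]; then return 1; fi
    if [ "$unknown" -eq 1 ]; then return 2; fi
    return 0
}

# Run only where the macOS `defaults` tool exists.
if command -v defaults >/dev/null 2>&1; then
    flashback_check || echo "Not all clear: continue with F-Secure's instructions."
fi
```

A `FOUND` line prints whatever value is stored, which is the value steps 2 and 9 tell you to take note of.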
