Apr 11 2012
Generally it is considered that only Windows computers can get infected with backdoor trojans, but the scenario has changed over time. Recently a large number of Macs (600,000 plus Macs, including 247 from Cupertino, Apple's HQ) were found infected with the backdoor trojan Flashback (Trojan-Downloader.OSX.Flashfake.ab). It is to be noted that the trojan works on a vulnerability in Java (Java 6 update 31) and not in the core Mac OS. However, the fault which I see on Apple's part is that they did not patch the CVE-2012-0507 vulnerability even after 6 weeks.
If you are reading this on your shiny new MacBook Pro or Mac, you should be thinking by now about how to remove it. Well, here is a guideline on finding out whether you are infected with the Flashback trojan.
Manually removing Flashback Trojan.
Manual Removal Instructions
- 1. Run the following command in Terminal:
    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- 2. Take note of the value of DYLD_INSERT_LIBRARIES.
- 3. Proceed to step 8 if you got the following error message:
    "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
- 4. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
- 5. Take note of the value after "__ldpath__".
- 6. Run the following commands in Terminal (first make sure there is only one entry, from step 2):
    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
- 7. Delete the files obtained in steps 2 and 5.
- 8. Run the following command in Terminal:
    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- 9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
    "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
- 10. Otherwise, run the following command in Terminal:
    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%
- 11. Take note of the value after "__ldpath__".
- 12. Run the following commands in Terminal:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
- 13. Finally, delete the files obtained in steps 9 and 11.
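The steps above are a manual walk through two persistence locations: Safari's LSEnvironment dictionary (steps 1-7) and the per-user ~/.MacOSX/environment.plist (steps 8-13). The script below is an added example, not from the original post or from any vendor's removal tool; it performs the same checks read-only and reports what it finds, leaving the deletion commands as a deliberate manual step. The file path, the sample `defaults read` output and the file name flashback_check.sh are constructed for this example, and the `defaults` and `grep` invocations are the ones the steps already use.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only check for the two
# Flashback persistence locations the manual steps above walk through. It only
# reports; it deletes nothing.

# Extract the library path that follows the "__ldpath__" marker in a file.
# Same grep as the manual steps, with the marker stripped so the caller gets
# a bare path (or nothing when the marker is absent). LC_ALL=C keeps the
# " -~" byte range meaningful on binary input.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# Pull DYLD_INSERT_LIBRARIES out of the text `defaults read` prints for the
# LSEnvironment dictionary (see SAMPLE_LSENVIRONMENT below for the shape).
# Prints the path, or nothing when the key is not present.
parse_insert_libs() {
    printf '%s\n' "$1" | sed -n 's/.*DYLD_INSERT_LIBRARIES *= *"\{0,1\}\([^";]*\)"\{0,1\} *;.*/\1/p' | head -n 1
}

# Constructed sample of what `defaults read ... LSEnvironment` prints on an
# infected machine; the library path is made up for this example.
SAMPLE_LSENVIRONMENT='{
    DYLD_INSERT_LIBRARIES = "/Users/joe/.jalalal.dylib";
}'

# Exercise both parsers on constructed input; returns 0 when both behave.
selftest() {
    f=$(mktemp)
    printf 'MZjunk\t__ldpath__/Users/joe/.mkeeper.dylib\tmore junk\n' > "$f"
    got=$(extract_ldpath "$f")
    rm -f "$f"
    [ "$got" = "/Users/joe/.mkeeper.dylib" ] || return 1
    [ "$(parse_insert_libs "$SAMPLE_LSENVIRONMENT")" = "/Users/joe/.jalalal.dylib" ] || return 1
    [ -z "$(parse_insert_libs '{ Other = 1; }')" ] || return 1
    return 0
}

# Report on one injected library: whether the dylib exists and where its
# __ldpath__ marker points (the file the manual steps tell you to delete).
report_library() {
    lib=$1
    if [ -f "$lib" ]; then
        echo "SUSPICIOUS: injected library present: $lib"
        target=$(extract_ldpath "$lib")
        [ -n "$target" ] && echo "SUSPICIOUS: __ldpath__ points at: $target"
    else
        echo "Injected library listed but missing on disk: $lib"
    fi
}

# Run the two checks from the manual steps. Returns 0 when both locations are
# clean, 1 when an indicator was found, 2 when `defaults` is unavailable
# (i.e. not running on OS X).
check_flashback() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults(1) not found; this check only runs on OS X"; return 2; }
    found=0

    # Steps 1-2: Safari's LSEnvironment dictionary.
    if out=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>/dev/null); then
        lib=$(parse_insert_libs "$out")
        if [ -n "$lib" ]; then found=1; report_library "$lib"; fi
    fi

    # Steps 8-9: the per-user launch environment.
    if lib=$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>/dev/null); then
        found=1
        report_library "$lib"
    fi

    [ "$found" -eq 0 ] && echo "No Flashback DYLD_INSERT_LIBRARIES indicators found"
    return "$found"
}

# Entry point when saved as flashback_check.sh and executed directly; the
# exit status is the check_flashback result (0 clean, 1 found, 2 not OS X).
case "$0" in
    *flashback_check.sh) check_flashback; exit $? ;;
esac
```

Save it as flashback_check.sh and run `sh flashback_check.sh`; an exit status of 1 means one of the two locations still lists an injected library, and the printed paths are the ones steps 6-7 and 12-13 remove. Because the script never deletes anything, it is also safe to run again after the manual clean-up to confirm both locations are empty.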
Please note that I can't assure you that following these steps will remove ALL traces of the Flashback trojan; it's highly recommended that you install an antivirus for Mac and run a thorough scan after updating it.
Steps to help protect your Mac from future attacks.
1 Create a non-admin account on your Mac and use it for daily purposes like checking email and surfing the internet. (The account that is created by default, and that you normally use, has admin rights.)
2 Download and use a secure browser. I recommend Google Chrome, as it has sandboxing and also comes with its own sandboxed Flash player.
3 After you have downloaded and installed the new browser, don't forget to make it your default browser.
4 Uninstall or update the default Flash player (Apple does not update the Flash player regularly). Note: with Google Chrome as your default browser you no longer need the default Flash player, as Chrome comes with an updated Flash player of its own.
5 Uninstall or disable Java. Apple does not update Java regularly (it generally does so months after a release), and it is not possible to manually update it on a Mac. So if you don't want to uninstall it because you use some Java web applets, it is recommended that you at least disable it in the Safari browser.
6 Update your Mac software on a regular basis; it won't cost you a dime but will save you from known vulnerabilities.
7 Install a good antivirus for Mac, and update and run it from time to time.
8 Install Little Snitch, a firewall program that shows you which application is trying to use the network and lets you allow or block that application's network connections.
Apple has yet to come up with a tool to remove the Flashback trojan, but the guys from Kaspersky have come up with a tool which can be downloaded from here.