How to Check for the Flashback Trojan in Mac OS X

Apr 5, 2012 - 33 Comments

Check for Flashback Trojan

Update: Apple has released a Java software update that includes automatic detection and Flashback removal ability. Go to “Software Update” from the Apple menu to download that update and automatically remove the trojan if you happen to have it on your Mac.

Trojans and viruses are generally something Mac users don’t have to worry about, but there’s a lot of hubbub about the so-called Flashback trojan that has apparently infected several hundred thousand Macs worldwide. The trojan takes advantage of a vulnerability in an older version of Java that allows it to download malware which then “modifies targeted webpages displayed in the web browser.” As we mentioned yesterday on Twitter, the vulnerability has already been patched by Apple, and if you haven’t downloaded the latest version of Java for OS X yet you should do so now. Go to Software Update and install the Java for OS X Lion 2012-001 or Java for Mac OS X 10.6 Update 7, depending on your version of Mac OS. That will prevent future infections from occurring, but you’ll also want to check whether a Mac is already infected.

We haven’t heard of or seen a single case of the Flashback infection on a Mac, but for the sake of optimal security we’re going to cover how to quickly check if a Mac is afflicted by Flashback trojan:

  • Launch Terminal (found in /Applications/Utilities/) and enter the following command:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  • If you see a message like “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist” then so far so good, no infection; proceed to the next defaults read command to confirm further:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

  • If you see a message similar to “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” then the Mac is NOT infected.

What if you see something different in the Terminal? If the defaults read commands show actual values rather than the “does not exist” response, you may have the trojan, though this does seem to be extraordinarily rare. In the event you run into a Mac with the problem, follow the guide on F-Secure to remove the Flashback trojan; it’s just a matter of copying and pasting a few commands into the Terminal.
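A small Python script, added here as an example rather than anything from the original article, that runs the article’s two defaults read checks and classifies what comes back. It only recognizes the “does not exist” notice, the defaults usage text that appears when the command is typed without the spaces (as in the comments below), and “anything else” as a value; a clean result therefore means only that these two indicators are absent, which is why Apple’s Java update in the note at the top remains the authoritative check.

```python
"""Run the article's two Flashback indicator checks and classify what 'defaults read' returns."""
import os
import subprocess

# The two domain/key pairs the article checks: Flashback variants injected a
# DYLD_INSERT_LIBRARIES entry into Safari's Info.plist (LSEnvironment) or into
# the per-user ~/.MacOSX/environment.plist.
CHECKS = [
    ("/Applications/Safari.app/Contents/Info", "LSEnvironment"),
    ("~/.MacOSX/environment", "DYLD_INSERT_LIBRARIES"),
]
USAGE_BANNER = "Command line interface to a user"  # first line of the defaults help text

def classify(output):
    """Map the stdout+stderr of one 'defaults read DOMAIN KEY' call to a verdict:
    'clean' (pair does not exist, the expected result), 'error' (defaults printed
    its usage text or nothing, e.g. the command was typed without spaces as in the
    comments) or 'indicator' (a value came back; the article says to treat that as
    a possible infection and follow the removal guide)."""
    text = output.strip()
    if "does not exist" in text:
        return "clean"
    if not text or USAGE_BANNER in text:
        return "error"
    return "indicator"

def run_check(domain, key):
    """Invoke 'defaults read' for one pair (macOS only) and return its output."""
    # subprocess does not expand '~' the way the Terminal shell does, so do it here
    proc = subprocess.run(["defaults", "read", os.path.expanduser(domain), key],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr  # the "does not exist" notice goes to stderr

def overall(verdicts):
    """Combine per-check verdicts: any indicator wins, then any error, else clean."""
    if "indicator" in verdicts:
        return "indicator"
    if "error" in verdicts:
        return "error"
    return "clean"

if __name__ == "__main__":
    verdicts = []
    for domain, key in CHECKS:
        verdict = classify(run_check(domain, key))
        verdicts.append(verdict)
        print("%-42s %-22s %s" % (domain, key, verdict))
    print("overall:", overall(verdicts))
```

Run it with python3 on the Mac being checked; an "indicator" verdict means a value exists where the article expects none, and the F-Secure removal guide applies.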

All in all this is nothing to freak out about, but it does serve as another reminder as to why it’s important to update system software as part of a general maintenance routine. If you want to take some extra security precautions and preventative measures, don’t miss our article on simple tips to prevent Mac virus infections, malware, and trojans.


Posted by: William Pearson in Mac OS X, Security, Tips & Tricks, Troubleshooting

33 Comments


  1. BBQ Bob says:

    Ever notice the only trojans for Mac are coming to us from crappy third parties? Protect yourself:

    * Disable Java

    * Uninstall Flash

    * Uninstall Adobe Acrobat Reader

    Those are basically the only three attack vectors to the Mac platform, avoid those and there is practically no threat potential.

    • john says:

      @BBQ Bob
      Can you give steps to do the things you listed please? Thank You!

    • Bob Scott says:

      Albeit true regarding the current method for trojan delivery (via Java, Flash, or Reader) to a Macintosh computer… I would hardly say that Java, Flash and Adobe Acrobat Reader are as you say “crappy” third parties. Indeed, protect yourself from the hackers that use these products to deliver their malware. Don’t blame the software developers, blame the PC hackers that write the Trojans, Viruses, and Malware! Adobe, for example, has been an integral software pioneer for almost 30 years. The internet would not be what it is today without Java, Flash, and Reader!

  2. adam says:

    Thanks for the tips,
    @BBQ Bob
    yes, it’s true!

  3. Regulas says:

    Thanks guys, mine is clean, good to know since I do my banking on it.

  4. ceeli says:

    relieved to know i don’t have it!
    bookmarked this site.
    thanks.

  5. [...] #1. Check to See if Your Mac is Infected: Since so many Macs have been infected, many without user error, you should check your Mac to make sure you are not infected. To do so follow the simple instructions in this post. [...]

  6. richard says:

    thank you for these simple steps, your article was so comforting, which can’t be said for the “over the top” hype of papers in my country claiming Mac users were ‘brought to their knees’ by this trojan.

    thank you

  7. Stewart says:

    I think they are overplaying this trojan – but any way thanks for steps – I don’t think it is major issue.

    Doing Update as I type.

  8. [...] on how to check if your Mac has been infected: How to Check for the Flashback Trojan in Mac OS X [...]

  9. Arthur says:

    I was infected… :(

    • Lisis says:

      Me too :(

      • Lisis says:

        Me too :(
        We want your internet service to be safe and secure, so we would like to let you know we’ve received a report from a trusted third party indicating that a computer accessing your BigPond account may have been infected with Malware. This means that one or more computers using your BigPond service to access the web could have a virus.

        The report included:

        IP Issue Timestamp
        124.185.230.32 Trojan (Flashback) 2012-05-14 08:55:05 AEST

        So here’s what you need to do for each computer:

        make sure you’ve installed all the latest updates for your operating system.
        make sure your anti-virus and anti-spyware software is up-to-date – then close all your other applications and run a manual scan for viruses and spyware.
        make sure your Firewall is operating correctly.
        If you already have security software installed please contact the vendor directly for technical support.
        consider better protection against viruses, malware, spyware, phishing attacks, identity theft and other threats – such as BigPond Security.

  10. [...] – to offset our friends at PC Magazine – try OSX Daily …. who write : We haven’t heard of or seen a single case of the Flashback infection on a [...]

  11. Matthew says:

    I get this for the first code, does it mean I’m infected?

    2012-04-06 08:41:25.983 defaults[1223:707]
    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    • Some dude says:

      Nothing to worry about. The “does not exist” implies the directory doesn’t, as it says, exist, and thus neither does the trojan if the other terminal command gives the “does not exist” message too.

  12. alex says:

    I ran the first command and I got this. Does this mean I am infected?

    Last login: Fri Apr 6 08:30:55 on ttys000
    defaults read/Applications/Safari.app/Contents/InfoLSEnvironment
    Command line interface to a user’s defaults.
    Syntax:

    ‘defaults’ [-currentHost | -host <hostname>] followed by one of the following:

      read                                 shows all defaults
      read <domain>                        shows defaults for given domain
      read <domain> <key>                  shows defaults for given domain, key

      read-type <domain> <key>             shows the type for the given domain, key

      write <domain> <domain_rep>          writes domain (overwrites existing)
      write <domain> <key> <value>         writes key for domain

      rename <domain> <old_key> <new_key>  renames old_key to new_key

      delete <domain>                      deletes domain
      delete <domain> <key>                deletes key in domain

      domains                              lists all domains
      find <word>                          lists all entries containing word
      help                                 print this help

    <domain> is ( <domain_name> | -app <application_name> | -globalDomain )
             or a path to a file omitting the ‘.plist’ extension

    <value> is one of:
      <value_rep>
      -string <string_value>
      -data <hex_digits>
      -int[eger] <integer_value>
      -float <floating-point_value>
      -bool[ean] (true | false | yes | no)
      -date <date_rep>
      -array <value1> <value2> …
      -array-add <value1> <value2> …
      -dict <key1> <value1> <key2> <value2> …
      -dict-add <key1> <value1> …

    • copypaste says:

      No, but you didn’t enter the command properly, you need spaces between certain characters:

      defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    • Dave says:

      Alex,

      Just copy paste the command, when you typed it you left out a critical blank space [' '] between /Info and LSEnvironment

  13. James says:

    Checked all my macs, and two friends macs, nary a sign of the virus. Granted this is a very small sample, but I have a feeling this whole flashback thing is being overblown.

  14. Ruben says:

    I think it’s great that there is a quick and easy way to detect this trojan and remove it, but I couldn’t help but notice that the 1st command you give is only related to Safari.app.

    Does that mean this trojan only affects Safari users? If not, how do I check with relation to my other browsers (Firefox, Chrome, Opera)?

  15. [...] recent outbreak of the Flashback trojan has brought a lot of attention to potential viruses and trojans hitting the Mac platform. Most of [...]

  16. lyshmac says:

    What about a java update for users of older systems such as the oh-so-ancient Leopard???

    • James Hess says:

      If you are still running MacOS 10.5 Leopard, or earlier,
      then the version of Java packaged with your system is very old and missing MANY security updates.

      It’s totally unsafe to leave Java applets enabled, in the case you are using the old versions of Java in those OSes. I would recommend you open each of your browsers and edit the preferences to DISABLE Java applets, in the case of Safari.

      Or in the Case of Firefox, go to Tools > Addons
      Plugins and disable the Java 1.5 plugin.

      Repeat with each browser.
      If you require the ability to run Java applets, then you will want to upgrade from MacOS 10.5 to a newer version that has a more recent Java runtime available.

  17. [...] less tech savvy people for checking their Macs, though if you follow us you probably already checked for the Flashback trojan using the manual Terminal method. This new app-based detection method is very nontechnical and is [...]

  18. girlstar says:

    Thank you for this easy to follow instruction that helped me confirm I am safe.

  19. drjazz says:

    Thanks for the easy instructions for us non-geeks!

    Have a vivacious, virus-free day.

  20. [...] new Java security update that automatically removes the most frequently occurring variations of the Flashback trojan malware. The software update is recommended for all Mac users to install, even if they have [...]

  21. ask says:

    I ran these commands and got the “does not exist” message. Then I ran the Apple OSX Java update 2012-003 and it said I did have the Flashback virus. Not sure which to believe. I have also been running ESET Antivirus for months and that did not detect this trojan.

  22. [...] who don’t, theoretically preventing some potential security problems with Java like the old Flashback [...]

  23. [...] If you need to use Java, installing the Java Runtime Environment (JRE) in OS X Mountain Lion is necessary even if you had Java previously installed in OS X Lion or Snow Leopard and just performed an upgrade to 10.8. That’s because Mountain Lion uninstalls Java during the upgrade process, this is to insure the newest version of the runtime is installed on the Mac for those who need it and leaving it out for those who don’t, theoretically preventing some potential security problems with Java like the old Flashback trojan. [...]
