How to Check for the Flashback Trojan in Mac OS X

Apr 5, 2012 - 35 Comments


Update: Apple has released a Java software update that includes automatic detection and removal of Flashback. Choose “Software Update” from the Apple menu to install it; if the trojan happens to be on your Mac, the update removes it automatically.

Trojans and viruses are generally something Mac users don’t have to worry about, but there’s a lot of hubbub about the so-called Flashback trojan, which has reportedly infected several hundred thousand Macs worldwide. The trojan exploits a vulnerability in an older version of Java to download malware that then “modifies targeted webpages displayed in the web browser.” As we mentioned yesterday on Twitter, Apple has already patched the vulnerability, and if you haven’t installed the latest version of Java for OS X yet you should do so now: go to Software Update and install Java for OS X Lion 2012-001 or Java for Mac OS X 10.6 Update 7, depending on your version of Mac OS X. That prevents future infections, but patching Java does not undo an infection that is already in place, so you’ll also want to check whether a Mac is infected.

We haven’t heard of or seen a single case of the Flashback infection on a Mac, but for the sake of optimal security we’re going to cover how to quickly check whether a Mac is afflicted by the Flashback trojan:

  • Launch Terminal (found in /Applications/Utilities/) and enter the following command exactly as written, spaces included (copying and pasting is safest):

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  • If you see a message like “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist” then so far so good: Safari’s Info.plist has no LSEnvironment entry, which is where this Flashback variant plants a DYLD_INSERT_LIBRARIES setting to get its library loaded into Safari. Proceed to the second defaults read command to confirm further:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

  • If you see a message similar to “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” then the Mac is NOT infected by the variants these two checks cover. (DYLD_INSERT_LIBRARIES tells the dynamic linker to load an extra library into programs as they launch; a normal Mac will not have it set in this per-user environment file.)
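To run both checks in one go and have the script interpret the result for you, here is an added example script. It is not part of the original article and is not Apple’s or F-Secure’s code. It assumes macOS, where the `defaults` tool exists, for the live check; the classifier functions only do text matching, and the sample outputs used to exercise them are constructed, not captured from an infected machine. It distinguishes three outcomes: the key is absent (clean), a value came back (suspect, to be inspected), and the `defaults` usage text (the command was mistyped, usually a missing space, which is the failure mode several readers hit below).

```sh
#!/bin/sh
# Added example (not from the article, Apple or F-Secure): wraps the two
# `defaults read` checks above and classifies their output.
# Assumes macOS for the live check; the classifier runs on any POSIX shell.

# classify_defaults_output TEXT
# TEXT is the combined stdout+stderr of one `defaults read DOMAIN KEY`.
# Prints:
#   clean   - the "does not exist" message, i.e. the key is absent
#   error   - `defaults` printed its usage text (mistyped command) or
#             produced nothing at all (tool missing)
#   suspect - a real value came back; inspect it before concluding anything,
#             since other software can legitimately set DYLD_INSERT_LIBRARIES
classify_defaults_output() {
  case "$1" in
    *"does not exist"*)                        printf 'clean\n' ;;
    "" | *"Command line interface to a user"*) printf 'error\n' ;;
    *)                                         printf 'suspect\n' ;;
  esac
}

# worst_verdict VERDICT... -> the most serious of several verdicts
# (suspect > error > clean), so one bad key is enough to flag the Mac.
worst_verdict() {
  for v in "$@"; do
    if [ "$v" = suspect ]; then printf 'suspect\n'; return 0; fi
  done
  for v in "$@"; do
    if [ "$v" = error ]; then printf 'error\n'; return 0; fi
  done
  printf 'clean\n'
}

# check_key DOMAIN KEY -> runs the real `defaults read` and classifies it,
# echoing the raw output to stderr so a "suspect" value can be looked at.
check_key() {
  out=$(defaults read "$1" "$2" 2>&1) || true
  printf '%s %s: %s\n' "$1" "$2" "$out" >&2
  classify_defaults_output "$out"
}

# flashback_check -> runs both checks from the article.
# Exit status 0 only when both keys are absent.
flashback_check() {
  v1=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
  v2=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
  verdict=$(worst_verdict "$v1" "$v2")
  case "$verdict" in
    clean)   echo "clean: neither key is present" ;;
    error)   echo "error: defaults did not run as expected; copy the commands exactly" ;;
    suspect) echo "suspect: a value is set; compare it with the F-Secure removal guide" ;;
  esac
  [ "$verdict" = clean ]
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1-}" = "--run" ]; then
  flashback_check
fi
```

Save it as flashback-check.sh and run `sh flashback-check.sh --run`; a “suspect” result is a prompt to look at the printed value, not proof of infection on its own.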

What if you see something different in the Terminal? If either defaults read command prints an actual value rather than the “does not exist” response, you may have the trojan, though this does seem to be extraordinarily rare; a value is a reason to investigate, not proof by itself, because other software can legitimately set DYLD_INSERT_LIBRARIES. If instead Terminal prints the defaults usage text (“Command line interface to a user’s defaults…”), the command was mistyped, usually a missing space, so copy and paste it exactly and try again. In the event you run into a Mac with the problem, follow the guide on F-Secure to remove the Flashback trojan; it’s just a matter of copying and pasting a few commands into the Terminal.

All in all this is nothing to freak out about, but it does serve as another reminder of why it’s important to update system software as part of a general maintenance routine. If you want to take some extra security precautions and preventative measures, don’t miss our article on simple tips to prevent Mac virus infections, malware, and trojans.



Posted by: William Pearson in Mac OS, Security, Tips & Tricks, Troubleshooting

35 Comments


  1. Hacked User says:

    What if I see

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment
    2015-04-01 [Defalts 595:30915]

  2. […] If you need to use Java, installing the Java Runtime Environment (JRE) in OS X Mountain Lion is necessary even if you had Java previously installed in OS X Lion or Snow Leopard and just performed an upgrade to 10.8. That’s because Mountain Lion uninstalls Java during the upgrade process; this is to ensure the newest version of the runtime is installed on the Mac for those who need it and left out for those who don’t, theoretically preventing some potential security problems with Java like the old Flashback trojan. […]

  3. […] who don’t, theoretically preventing some potential security problems with Java like the old Flashback […]

  4. ask says:

    I ran these commands and got the “does not exist” message. Then I ran the Apple OS X Java update 2012-003 and it said I did have the Flashback virus. Not sure which to believe. I have also been running ESET Antivirus for months and that did not detect this trojan.

  5. […] new Java security update that automatically removes the most frequently occurring variations of the Flashback trojan malware. The software update is recommended for all Mac users to install, even if they have […]

  6. drjazz says:

    Thanks for the easy instructions for us non-geeks!

    Have a vivacious, virus-free day.

  7. girlstar says:

    Thank you for this easy to follow instruction that helped me confirm I am safe.

  8. […] less tech savvy people for checking their Macs, though if you follow us you probably already checked for the Flashback trojan using the manual Terminal method. This new app-based detection method is very nontechnical and is […]

  9. lyshmac says:

    What about a java update for users of older systems such as the oh-so-ancient Leopard???

    • James Hess says:

      If you are still running MacOS 10.5 Leopard, or earlier,
      then the version of Java packaged with your system is very old and missing MANY security updates.

      It’s totally unsafe to leave Java applets enabled, in the case you are using the old versions of Java in those OSes. I would recommend you open each of your browsers and edit the preferences to DISABLE Java applets, in the case of Safari.

      Or in the case of Firefox, go to Tools > Addons > Plugins and disable the Java 1.5 plugin.

      Repeat with each browser.
      If you require the ability to run Java applets, then you will want to upgrade from MacOS 10.5 to a newer version that has a more recent Java runtime available.

  10. […] recent outbreak of the Flashback trojan has brought a lot of attention to potential viruses and trojans hitting the Mac platform. Most of […]

    • konig says:

      It’s not a trojan, it’s a virus or malware, ’cos you can get it without installing an app. A trojan is malware that hides in software that is installed under another name. I guess people will not be able to sleep due to this. Check the Kaspersky blog and you will see this virus is installed with no user intervention, and get some Xanax.

  11. Ruben says:

    I think it’s great that there is a quick and easy way to detect this trojan and remove it, but I couldn’t help but notice that the 1st command you give is only related to Safari.app.

    Does that mean this trojan only affects Safari users? If not, how do I check with relation to my other browsers (Firefox, Chrome, Opera)?

  12. James says:

    Checked all my macs, and two friends macs, nary a sign of the virus. Granted this is a very small sample, but I have a feeling this whole flashback thing is being overblown.

  13. alex says:

    I ran the first command and I got this. Does this mean I am infected?

    Last login: Fri Apr 6 08:30:55 on ttys000
    defaults read/Applications/Safari.app/Contents/InfoLSEnvironment
    Command line interface to a user’s defaults.
    Syntax:

    ‘defaults’ [-currentHost | -host <hostname>] followed by one of the following:

      read                                 shows all defaults
      read <domain>                        shows defaults for given domain
      read <domain> <key>                  shows defaults for given domain, key

      read-type <domain> <key>             shows the type for the given domain, key

      write <domain> <domain_rep>          writes domain (overwrites existing)
      write <domain> <key> <value>         writes key for domain

      rename <domain> <old_key> <new_key>  renames old_key to new_key

      delete <domain>                      deletes domain
      delete <domain> <key>                deletes key in domain

      domains                              lists all domains
      find <word>                          lists all entries containing word
      help                                 print this help

    <domain> is ( <domain_name> | -app <application_name> | -globalDomain )
             or a path to a file omitting the ‘.plist’ extension

    <value> is one of:
      <value_rep>
      -string <string_value>
      -data <hex_digits>
      -int[eger] <integer_value>
      -float <floating-point_value>
      -bool[ean] (true | false | yes | no)
      -date <date_rep>
      -array <value1> <value2> …
      -array-add <value1> <value2> …
      -dict <key1> <value1> <key2> <value2> …
      -dict-add <key1> <value1> …

    • copypaste says:

      No, but you didn’t enter the command properly; you need spaces between certain characters:

      defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    • Dave says:

      Alex,

      Just copy paste the command, when you typed it you left out a critical blank space [‘ ‘] between /Info and LSEnvironment

  14. Matthew says:

    I get this for the first command. Does it mean I’m infected?

    2012-04-06 08:41:25.983 defaults[1223:707]
    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    • Some dude says:

      Nothing to worry about. The “does not exist” implies the directory doesn’t, as it says, exist, and thus neither does the trojan if the other terminal command gives the “does not exist” message too.

  15. […] – to offset our friends at PC Magazine – try OSX Daily …. who write : We haven’t heard of or seen a single case of the Flashback infection on a […]

  16. Arthur says:

    I was infected… :(

    • Lisis says:

      Me too :(

      We want your internet service to be safe and secure, so we would like to let you know we’ve received a report from a trusted third party indicating that a computer accessing your BigPond account may have been infected with Malware. This means that one or more computers using your BigPond service to access the web could have a virus.

      The report included:

      IP               Issue               Timestamp
      124.185.230.32   Trojan (Flashback)  2012-05-14 08:55:05 AEST

      So here’s what you need to do for each computer:

      • make sure you’ve installed all the latest updates for your operating system.
      • make sure your anti-virus and anti-spyware software is up-to-date – then close all your other applications and run a manual scan for viruses and spyware.
      • make sure your Firewall is operating correctly.
      • If you already have security software installed please contact the vendor directly for technical support.
      • consider better protection against viruses, malware, spyware, phishing attacks, identity theft and other threats – such as BigPond Security.

  17. […] on how to check if your Mac has been infected: How to Check for the Flashback Trojan in Mac OS X […]

  18. Stewart says:

    I think they are overplaying this trojan – but anyway, thanks for the steps – I don’t think it is a major issue.

    Doing Update as I type.

  19. richard says:

    Thank you for these simple steps. Your article was so comforting, which can’t be said for the “over the top” hype of papers in my country claiming Mac users were ‘brought to their knees’ by this trojan.

    thank you

  20. […] #1. Check to See if Your Mac is Infected: Since so many Macs have been infected, many without user error, you should check your Mac to make sure you are not infected. To do so follow the simple instructions in this post. […]

  21. ceeli says:

    relieved to know i don’t have it!
    bookmarked this site.
    thanks.

  22. Regulas says:

    Thanks guys, mine is clean, good to know since I do my banking on it.

  23. adam says:

    Thanks for the tips,
    @BBQ Bob
    yes, it’s true!

  24. BBQ Bob says:

    Ever notice the only trojans for Mac are coming to us from crappy third parties? Protect yourself:

    * Disable Java

    * Uninstall Flash

    * Uninstall Adobe Acrobat Reader

    Those are basically the only three attack vectors to the Mac platform, avoid those and there is practically no threat potential.

    • john says:

      @BBQ Bob
      Can you give steps to do the things you listed please? Thank You!

    • Bob Scott says:

      Albeit true regarding the current method for trojan delivery (via Java, Flash, or Reader) to a Macintosh computer… I would hardly say that Java, Flash and Adobe Acrobat Reader are, as you say, “crappy” third parties. Indeed, protect yourself from the hackers that use these products to deliver their malware. Don’t blame the software developers, blame the PC hackers that write the Trojans, Viruses, and Malware! Adobe, for example, has been an integral software pioneer for almost 30 years. The internet would not be what it is today without Java, Flash, and Reader!
