How to Check for the Flashback Trojan in Mac OS X
Update: Apple has released a Java software update that includes automatic detection and Flashback removal ability. Go to “Software Update” from the Apple menu to download that update and automatically remove the trojan if you happen to have it on your Mac.
Trojans and viruses are generally something Mac users don’t have to worry about, but there’s a lot of hubbub about the so-called Flashback trojan, which has apparently infected several hundred thousand Macs worldwide. The trojan takes advantage of a vulnerability in an older version of Java that allows it to download malware which then “modifies targeted webpages displayed in the web browser.” As we mentioned yesterday on Twitter, the vulnerability has already been patched by Apple, and if you haven’t downloaded the latest version of Java for OS X yet you should do so now. Go to Software Update and install the Java for OS X Lion 2012-001 or Java for Mac OS X 10.6 Update 7, depending on your version of Mac OS. That will prevent future infections from occurring, but you’ll also want to check whether a Mac is already infected.
We haven’t heard of or seen a single case of the Flashback infection on a Mac, but for the sake of optimal security we’re going to cover how to quickly check if a Mac is afflicted by Flashback trojan:
- Launch Terminal (found in /Applications/Utilities/) and enter the following command:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- If you see a message like “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist” then so far so good, no infection; proceed to the next defaults read command to confirm further:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- If you see a message similar to “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” then the Mac is NOT infected.
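As an added example (this is not code from the original article), here are the two checks above wrapped in a POSIX shell script. It assumes the macOS `defaults` tool is present only on a Mac and skips the live checks elsewhere; the classification rule is the article’s: the “does not exist” message means the key is absent, and any value coming back means the Mac needs follow-up. The function and variable names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original article: wraps the two "defaults read"
# checks from the steps above in a script that classifies their output. The real
# commands only run when the macOS "defaults" tool exists; the classification and
# verdict functions work on captured text, so they can be exercised with sample output.

# Classify one "defaults read <domain> <key>" result.
# $1 = exit status, $2 = everything the command printed (stdout and stderr merged).
# "clean"      -> the "does not exist" message the article says to look for
# "suspicious" -> the command succeeded and returned a value for the key
# "error"      -> anything else (tool missing, permission problem, empty output)
classify_defaults_output() {
    case "$2" in
        *"does not exist"*) echo "clean" ;;
        *)
            if [ "$1" -eq 0 ] && [ -n "$2" ]; then
                echo "suspicious"
            else
                echo "error"
            fi
            ;;
    esac
}

# Combine the two per-key results into the article's verdict.
# $1 = result for Safari's LSEnvironment, $2 = result for ~/.MacOSX/environment.
verdict() {
    case "$1:$2" in
        clean:clean)  echo "NOT infected: both keys are absent" ;;
        *suspicious*) echo "POSSIBLE infection: a value came back; follow the F-Secure removal guide" ;;
        *)            echo "INCONCLUSIVE: $1 / $2 (check could not be completed)" ;;
    esac
}

# Run "defaults read" for one domain/key pair and classify it.
# Prints "skip" when the defaults tool is not present (i.e. not running on macOS).
check_key() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "skip"
        return 0
    fi
    # defaults prints "does not exist" to stderr and exits non-zero; capture both.
    if out=$(defaults read "$1" "$2" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    classify_defaults_output "$rc" "$out"
}

# The two checks from the article, in order, followed by the combined verdict.
flashback_check() {
    r1=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
    r2=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    echo "Safari LSEnvironment:       $r1"
    echo "User DYLD_INSERT_LIBRARIES: $r2"
    verdict "$r1" "$r2"
}

# Offline demonstration on the message quoted in the comments (a constructed sample,
# not live output), so the classification can be seen without a Mac.
sample="The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
echo "sample message classifies as: $(classify_defaults_output 1 "$sample")"

flashback_check
```

Save it as a file, run `sh flashback_check.sh`, and read the last line: only “NOT infected” means both keys were absent; anything else is the same “you may have the trojan” situation the article describes and warrants the removal guide.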
What if you see something different in the Terminal? If the defaults read commands show actual values rather than the “does not exist” response, you may have the trojan, though this does seem to be extraordinarily rare. In the event you run into a Mac with the problem, follow the guide on F-Secure to remove the Flashback trojan; it’s just a matter of copying and pasting a few commands into the Terminal.
All in all this is nothing to freak out about, but it does serve as another reminder as to why it’s important to update system software as part of a general maintenance routine. If you want to take some extra security precautions and preventative measures, don’t miss our article on simple tips to prevent Mac virus infections, malware, and trojans.
What if I see
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2015-04-01 [Defalts 595:30915]
[…] If you need to use Java, installing the Java Runtime Environment (JRE) in OS X Mountain Lion is necessary even if you had Java previously installed in OS X Lion or Snow Leopard and just performed an upgrade to 10.8. That’s because Mountain Lion uninstalls Java during the upgrade process, this is to insure the newest version of the runtime is installed on the Mac for those who need it and leaving it out for those who don’t, theoretically preventing some potential security problems with Java like the old Flashback trojan. […]
I ran these commands and got the “does not exist” message. Then I ran the Apple OSX Java update 2012-003 and it said I did have the Flashback virus. Not sure which to believe. I have also been running ESET Antivirus for months and that did not detect this trojan.
[…] new Java security update that automatically removes the most frequently occurring variations of the Flashback trojan malware. The software update is recommended for all Mac users to install, even if they have […]
Thanks for the easy instructions for us non-geeks!
Have a vivacious, virus-free day.
Thank you for this easy to follow instruction that helped me confirm I am safe.
[…] less tech savvy people for checking their Macs, though if you follow us you probably already checked for the Flashback trojan using the manual Terminal method. This new app-based detection method is very nontechnical and is […]
What about a java update for users of older systems such as the oh-so-ancient Leopard???
If you are still running MacOS 10.5 Leopard, or earlier, then the version of Java packaged with your system is very old and missing MANY security updates.
It’s totally unsafe to leave Java applets enabled, in the case you are using the old versions of Java in those OSes. I would recommend you open each of your browsers and edit the preferences to DISABLE Java applets, in the case of Safari.
Or in the case of Firefox, go to Tools > Addons > Plugins and disable the Java 1.5 plugin.
Repeat with each browser.
If you require the ability to run Java applets, then you will want to upgrade from MacOS 10.5 to a newer version that has a more recent Java runtime available.
Thanks for the advice James.
[…] recent outbreak of the Flashback trojan has brought a lot of attention to potential viruses and trojans hitting the Mac platform. Most of […]
It’s not a trojan, it’s a virus or malware, ’cos you can get it without installing an app; a trojan is malware that hides in software that is installed with another name. I guess people will not be able to sleep due to this... check the Kaspersky blog and you will see this virus is installed with no user intervention, and get some Xanax.
I think it’s great that there is a quick and easy way to detect this trojan and remove it, but I couldn’t help but notice that the 1st command you give is only related to Safari.app.
Does that mean this trojan only effects Safari users? If not, how do I check with relation to my other browsers (Firefox, Chrome, Opera)?
Checked all my macs, and two friends macs, nary a sign of the virus. Granted this is a very small sample, but I have a feeling this whole flashback thing is being overblown.
I run the first command and I got this. Does this mean I am infected?
Last login: Fri Apr 6 08:30:55 on ttys000
defaults read/Applications/Safari.app/Contents/InfoLSEnvironment
Command line interface to a user's defaults.
Syntax:
'defaults' [-currentHost | -host <hostname>] followed by one of the following:
  read                                 shows all defaults
  read <domain>                        shows defaults for given domain
  read <domain> <key>                  shows defaults for given domain, key
  read-type <domain> <key>             shows the type for the given domain, key
  write <domain> <domain_rep>          writes domain (overwrites existing)
  write <domain> <key> <value>         writes key for domain
  rename <domain> <old_key> <new_key>  renames old_key to new_key
  delete <domain>                      deletes domain
  delete <domain> <key>                deletes key in domain
  domains                              lists all domains
  find <word>                          lists all entries containing word
  help                                 print this help
<domain> is ( <domain_name> | -app <application_name> | -globalDomain )
         or a path to a file omitting the '.plist' extension
<value> is one of:
  -string <string_value>
  -data <hex_digits>
  -int[eger] <integer_value>
  -float <floating-point_value>
  -bool[ean] (true | false | yes | no)
  -date <date_rep>
  -array <value1> <value2> ...
  -array-add <value1> <value2> ...
  -dict <key1> <value1> <key2> <value2> ...
  -dict-add <key1> <value1> ...
No, but you didn’t enter the command properly; you need spaces between certain characters:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
You are right, I missed a space, thank you, I’m not infected.
Thanks again.
Alex,
Just copy paste the command, when you typed it you left out a critical blank space [‘ ‘] between /Info and LSEnvironment
I get this for the first code. Does it mean I’m infected?
2012-04-06 08:41:25.983 defaults[1223:707]
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist
Nothing to worry about. The “does not exist” implies the directory doesn’t, as it says, exist, and thus neither does the trojan if the other terminal command gives the “does not exist” message too.
[…] – to offset our friends at PC Magazine – try OSX Daily …. who write : We haven’t heard of or seen a single case of the Flashback infection on a […]
I was infected… :(
Me too :(
Me too :(
We want your internet service to be safe and secure, so we would like to let you know we’ve received a report from a trusted third party indicating that a computer accessing your BigPond account may have been infected with Malware. This means that one or more computers using your BigPond service to access the web could have a virus.
The report included:
IP Issue Timestamp
124.185.230.32 Trojan (Flashback) 2012-05-14 08:55:05 AEST
So here’s what you need to do for each computer:
- make sure you’ve installed all the latest updates for your operating system.
- make sure your anti-virus and anti-spyware software is up-to-date – then close all your other applications and run a manual scan for viruses and spyware.
- make sure your Firewall is operating correctly.
If you already have security software installed please contact the vendor directly for technical support.
- consider better protection against viruses, malware, spyware, phishing attacks, identity theft and other threats – such as BigPond Security.
[…] on how to check if your Mac has been infected: How to Check for the Flashback Trojan in Mac OS X […]
I think they are overplaying this trojan – but any way thanks for steps – I don’t think it is major issue.
Doing Update as I type.
Thank you for these simple steps. Your article was so comforting, which can’t be said for the “over the top” hype of papers in my country claiming Mac users were ‘brought to their knees’ by this trojan.
thank you
[…] #1. Check to See if Your Mac is Infected: Since so many Macs have been infected, many without user error, you should check your Mac to make sure you are not infected. To do so follow the simple instructions in this post. […]
relieved to know i don’t have it!
bookmarked this site.
thanks.
Thanks guys, mine is clean, good to know since I do my banking on it.
Thanks for the tips,
@BBQ Bob
Yes, it’s true!
Ever notice the only trojans for Mac are coming to us from crappy third parties? Protect yourself:
* Disable Java
* Uninstall Flash
* Uninstall Adobe Acrobat Reader
Those are basically the only three attack vectors to the Mac platform, avoid those and there is practically no threat potential.
@BBQ Bob
Can you give steps to do the things you listed please? Thank You!
Albeit true regarding the current method for trojan delivery (via Java, Flash, or Reader) to a Macintosh computer… I would hardly say that Java, Flash and Adobe Acrobat Reader are, as you say, “crappy” third parties. Indeed, protect yourself from the hackers that use these products to deliver their malware. Don’t blame the software developers, blame the PC hackers that write the Trojans, Viruses, and Malware! Adobe, for example, has been an integral software pioneer for almost 30 years. The internet would not be what it is today without Java, Flash, and Reader!