How to Check for the Flashback Trojan in Mac OS X
Update: Apple has released a Java software update that includes automatic detection and Flashback removal ability. Go to “Software Update” from the Apple menu to download that update and automatically remove the trojan if you happen to have it on your Mac.
Trojans and viruses are generally something Mac users don’t have to worry about, but there’s a lot of hubbub about the so-called Flashback trojan that has apparently infected several hundred thousand Macs worldwide. The trojan takes advantage of a vulnerability in an older version of Java that allows it to download malware which then “modifies targeted webpages displayed in the web browser.” As we mentioned yesterday on Twitter, the vulnerability has already been patched by Apple, and if you haven’t downloaded the latest version of Java for OS X yet you should do so now. Go to Software Update and install the Java for OS X Lion 2012-001 or Java for Mac OS X 10.6 Update 7, depending on your version of Mac OS. That will prevent future infections from occurring, but you’ll also want to check whether a Mac is already infected.
We haven’t heard of or seen a single case of the Flashback infection on a Mac, but for the sake of optimal security we’re going to cover how to quickly check if a Mac is afflicted by the Flashback trojan:
- Launch Terminal (found in /Applications/Utilities/) and enter the following command:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
- If you see a message like “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist” then so far so good, no infection; proceed to the next defaults read command to confirm further:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
- If you see a message similar to “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” then the Mac is NOT infected.
What if you see something different in the Terminal? If the defaults read commands show actual values rather than the “does not exist” response, you may have the trojan, though this does seem to be extraordinarily rare. In the event you run into a Mac with the problem, follow the guide on F-Secure to remove the Flashback trojan. It’s just a matter of copying and pasting a few commands into the Terminal.
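The two checks above can also be scripted so that each result is reported as a verdict instead of being read by eye. This is an added example, not part of the original article; the function names and the DEFAULTS_BIN variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article.
# DEFAULTS_BIN is an assumption of this example: it lets the check be pointed
# at a stub for testing. On a Mac it resolves to the real "defaults" tool.
DEFAULTS_BIN="${DEFAULTS_BIN:-defaults}"

# Classify one "defaults read" result. $1 = exit status, $2 = captured output.
classify_result() {
    case "$2" in
        *"does not exist"*) echo clean; return 0 ;;   # key absent: expected
    esac
    if [ "$1" -eq 0 ] && [ -n "$2" ]; then
        echo suspect    # a real value came back: follow the removal guide
    else
        echo unknown    # the tool failed some other way; do not assume clean
    fi
}

# Run one check. $1 = domain, $2 = key. Prints "<verdict> <domain> <key>".
check_key() {
    if out=$("$DEFAULTS_BIN" read "$1" "$2" 2>&1); then
        status=0
    else
        status=$?
    fi
    echo "$(classify_result "$status" "$out") $1 $2"
}

# Run both checks from the article. Returns 0 only if both come back clean.
check_flashback() {
    rc=0
    for pair in "/Applications/Safari.app/Contents/Info LSEnvironment" \
                "$HOME/.MacOSX/environment DYLD_INSERT_LIBRARIES"; do
        domain=${pair% *}     # everything before the last space
        key=${pair##* }       # everything after the last space
        line=$(check_key "$domain" "$key")
        echo "$line"
        case "$line" in clean*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Run the checks only when invoked as: sh check_flashback.sh --run
if [ "${1:-}" = "--run" ]; then
    check_flashback
fi
```

A verdict of "unknown" means the defaults tool itself failed, so the Mac should be rechecked by hand instead of being treated as clean.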
All in all this is nothing to freak out about, but it does serve as another reminder as to why it’s important to update system software as part of a general maintenance routine. If you want to take some extra security precautions and preventative measures, don’t miss our article on simple tips to prevent Mac virus infections, malware, and trojans.