How to Tell if We are Infected by Flashback and Its Removal

Flashback -Solution

Yesterday we mentioned in this post that Flashback, a trojan that exploited a vulnerability in Java, had infected a large number of Macs (600,000). To avoid this problem a security patch for Java had been released, which we also discussed yesterday. In the comments I wrote more about how to tell whether your Mac was affected by Flashback and how to fix it, but I think it best to clarify in an additional entry. At the end of the post we also look at what Flashback does and the steps it takes.

After the jump we see the steps to take, both to detect the trojan and to remove it.

  • 1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  • 2. Look at the result of that command, specifically the value of DYLD_INSERT_LIBRARIES.
  • 3. If we get the following error message, go to step 8: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
  • 4. Otherwise, run the following command in Terminal, replacing the placeholder with the path obtained in step 2:

grep -a -o '__ldpath__[ -~]*' path_obtained_in_step2

  • 5. Look at the value that follows "__ldpath__".
  • 6. Execute the following commands in Terminal (first make sure that there is only one entry in the result of step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

  • 7. Delete the files obtained in steps 2 and 5.
  • 8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

  • 9. Look at the result. If we get an error message like the following, the system is clean of this variant; there is nothing to worry about and we stop here.

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

  • 10. Otherwise, run the following command in Terminal, replacing the placeholder with the path obtained in step 9:

grep -a -o '__ldpath__[ -~]*' path_obtained_in_step9

  • 11. Look at the value that follows "__ldpath__".
  • 12. Execute the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
launchctl unsetenv DYLD_INSERT_LIBRARIES

  • 13. Finally, delete the files obtained in steps 9 and 11.
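The detection half of the procedure above, written as shell functions so it can be run in one go. This is an added example, not code from the original post or from F-Secure; the `defaults read` output is passed in as text so the logic can be checked against constructed samples, and `check_location` only runs where the `defaults` tool exists.

```sh
#!/bin/sh
# Print the library path that DYLD_INSERT_LIBRARIES points at, or nothing if
# the output is the "does not exist" error (clean for this variant).
# Handles both shapes `defaults read` produces: a bare value (the
# ~/.MacOSX/environment case) and a dict ({ DYLD_INSERT_LIBRARIES = "..."; }).
injected_lib_path() {
    out="$1"
    case "$out" in
        *"does not exist"*) return 0 ;;
    esac
    case "$out" in
        *DYLD_INSERT_LIBRARIES*)
            printf '%s\n' "$out" |
                sed -n 's/.*DYLD_INSERT_LIBRARIES = "*\([^";]*\)"*;.*/\1/p' ;;
        *)
            printf '%s\n' "$out" |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' ;;
    esac
}

# Recover the path after the __ldpath__ marker inside the injected library
# (steps 4/5 and 10/11): -a treats the binary as text, -o prints only the match.
ldpath_from_library() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | head -n 1 | sed 's/^__ldpath__//'
}

# Check one of the two locations; returns 0 when clean, 1 when a library is set.
# $1 = domain (plist path without extension), $2 = key to read.
check_location() {
    out=$(defaults read "$1" "$2" 2>&1)
    lib=$(injected_lib_path "$out")
    if [ -z "$lib" ]; then
        echo "clean: $2 not set in $1"
        return 0
    fi
    echo "SUSPICIOUS: $2 in $1 -> $lib"
    [ -f "$lib" ] && echo "  __ldpath__ -> $(ldpath_from_library "$lib")"
    return 1
}

# Only on a Mac: run the two checks from steps 1 and 8 (nothing is deleted).
if command -v defaults >/dev/null 2>&1; then
    check_location /Applications/Safari.app/Contents/Info LSEnvironment || true
    check_location ~/.MacOSX/environment DYLD_INSERT_LIBRARIES || true
fi
```

The script only reports; removal (steps 6, 7, 12 and 13) is still done by hand after confirming there is a single entry.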

How does Flashback work?

On the F-Secure page mentioned above you can also find more information about how Flashback acts. Like all trojans, the first thing it does is try to get administrator rights, for which it asks us for our administrator username and password. If we give them, the malware makes a series of checks on our system before installing itself. Its purpose: to modify the content of some web pages in the browser. This could, for example, mean redirecting to a look-alike page that displays a form to capture our username and password for those sites.

Flashback - Login

The funny part is that if we have certain programs installed on the Mac, the malware simply removes itself and disappears without a trace. This is the case with Little Snitch, Xcode, and some antivirus packages. If installation succeeds, it reports to the URL http://95.215.63.38/stat_d/ and otherwise to this one: http://95.215.63.38/stat_n/

If we do not give our user password, it does some more tests, such as checking whether we have Word, Office 2008, Office 2011 or Skype installed; presumably because they are incompatible in some way with the next steps, in which it will try to infect binary files and report its success to this web address: http://95.215.63.38/stat_u/.

If you have done the above steps and your Mac has not been affected, remember that you must install the security update or upgrade Java to prevent it.


Posted by on April 6, 2012. Filed under Articles, IT, Software. You can follow any responses to this entry through the RSS 2.0. You can leave a response or trackback to this entry
