Yesterday we mentioned in this post that Flashback, a Trojan that exploited a vulnerability in Java, had infected a large number of Macs (600,000). A security patch for Java, also discussed yesterday, had been released to prevent this problem. In the comments I wrote more about how to tell whether your Mac was affected by Flashback and how to fix it, but I think it is best to clarify it in a separate entry. At the end of the post we also look at what Flashback does and what steps it takes.
After the jump, see what steps to take both to detect the Trojan and to remove it, leaving your Mac happy and working.
1. Run the following command in Terminal:
   defaults read /Applications/Safari.app/Contents/Info LSEnvironment
2. Take note of the value of DYLD_INSERT_LIBRARIES (the path of the injected library).
3. If instead you get an error saying the domain/default pair does not exist, Safari has not been tampered with: skip to step 8.
4. Otherwise run the following command, replacing path_obtained_in_step2 with the path from step 2:
   grep -a -o '__ldpath__[ -~]*' path_obtained_in_step2
5. Take note of the value after "__ldpath__".
6. Run:
   sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment
   sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
7. Delete the files obtained in steps 2 and 5.
8. Run:
   defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
9. Take note of the result. Your system is already clean of this variant if you get an error message similar to:
   "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
10. Otherwise run the following command, replacing path_obtained_in_step9 with the path from step 9:
    grep -a -o '__ldpath__[ -~]*' path_obtained_in_step9
11. Take note of the value after "__ldpath__".
12. Run:
    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
    launchctl unsetenv DYLD_INSERT_LIBRARIES
13. Finally, delete the files obtained in steps 9 and 11.
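The detection half of the steps above can be scripted so that both injection points are inspected in one go. The script below is an added example, not code from the original post or from F-Secure: it reads Safari's LSEnvironment entry and ~/.MacOSX/environment, extracts the DYLD_INSERT_LIBRARIES path, and runs the same grep for the "__ldpath__" marker to find the companion file. It only reports; it deletes nothing, so removal stays with the manual steps. It assumes the "__ldpath__" marker layout the grep step relies on, and that the defaults command exists only on macOS (elsewhere the live checks are skipped, while the parsing helpers can still be tried on constructed input; the sample bytes written by build_constructed_sample are constructed and are not real malware).

```shell
#!/bin/sh
# Added example; not code from the original post or from F-Secure.
# Read-only check of the two Flashback injection points the removal
# steps inspect. Reports findings, removes nothing.

# dyld_path_from_defaults TEXT: extract the DYLD_INSERT_LIBRARIES path from
# what "defaults read" printed, either an LSEnvironment dictionary (Safari
# case) or a bare path (~/.MacOSX/environment case). Prints nothing if none.
dyld_path_from_defaults() {
    case "$1" in
        *DYLD_INSERT_LIBRARIES*)
            printf '%s\n' "$1" |
                sed -n 's/.*DYLD_INSERT_LIBRARIES *= *"\{0,1\}\([^";]*\).*/\1/p' |
                head -n 1 ;;
        /*) printf '%s\n' "$1" ;;
        *)  : ;;
    esac
}

# ldpath_from_library FILE: print the path that follows the "__ldpath__"
# marker inside the dropped library (the manual grep step), or nothing.
ldpath_from_library() {
    grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | head -n 1 | sed 's/^__ldpath__//'
}

# check_location LABEL DOMAIN KEY: live check of one injection point.
# Return codes: 0 clean, 1 an injected library is configured, 2 cannot check here.
check_location() {
    label=$1; domain=$2; key=$3
    if ! command -v defaults >/dev/null 2>&1; then
        echo "$label: 'defaults' not found (not macOS), skipped"
        return 2
    fi
    if ! raw=$(defaults read "$domain" "$key" 2>/dev/null); then
        echo "$label: clean ($key is not set)"
        return 0
    fi
    lib=$(dyld_path_from_defaults "$raw")
    if [ -z "$lib" ]; then
        echo "$label: $key is set but names no library; inspect it by hand:"
        printf '%s\n' "$raw"
        return 1
    fi
    echo "$label: DYLD_INSERT_LIBRARIES points at $lib"
    if [ -f "$lib" ]; then
        companion=$(ldpath_from_library "$lib")
        if [ -n "$companion" ]; then
            echo "$label: the library names a companion file: $companion"
        fi
    else
        echo "$label: $lib is missing on disk (stale entry; still remove it)"
    fi
    return 1
}

# build_constructed_sample FILE: write a constructed stand-in for a dropped
# library (a few junk bytes around the marker, not real malware) so the
# grep step can be tried offline.
build_constructed_sample() {
    printf 'NOTALIB\000\001__ldpath__/Users/joe/.constructed_companion.so\000tail' > "$1"
}

# run_checks: inspect both locations; the status of the last location that
# was not clean is returned.
run_checks() {
    status=0
    check_location "Safari LSEnvironment" /Applications/Safari.app/Contents/Info LSEnvironment || status=$?
    check_location "~/.MacOSX/environment" "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || status=$?
    return "$status"
}

rc=0
run_checks || rc=$?
echo "overall status: $rc (0 clean, 1 something to remove, 2 could not check)"
```

Run it as an ordinary user; the Safari check needs no sudo because it only reads Info.plist. The grep pattern is identical to the manual step: `-a` treats the binary as text and `[ -~]*` stops at the first byte outside printable ASCII, which is how the path embedded after the marker is delimited.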
How does Flashback work?
The F-Secure page mentioned above also has more information about how Flashback acts. Like all Trojans, the first thing it does is try to obtain administrator rights, for which it asks us for our administrator username and password. If we give them, the malware runs a series of checks on our system before installing itself. Its purpose is to modify the content of some web pages in the browser. This could, for example, mean redirecting us to a look-alike page and displaying it in order to capture our username and password for those sites.
The funny part is that if we have certain programs installed on the Mac, the malware simply removes itself and disappears without a trace. This is the case with Little Snitch, Xcode and some antivirus packages. If it succeeds, it reports to this URL: http://184.108.40.206/stat_d/ and otherwise to this one: http://220.127.116.11/stat_n/
If we do not give our user password, it runs some more tests, such as checking whether we have Word, Office 2008, Office 2011 or Skype installed; presumably these are incompatible in some way with the steps it then takes to infect binary files, after which it reports its success to this web address: http://18.104.22.168/stat_u/.
If you have gone through the steps above and your Mac has not been affected, remember that you must still install the security update or update Java to prevent infection.