Determine how the Flashback trojan infected the machine despite disabling Java

javamalware

Apple's update on April 17, 2012 detected and deactivated the Flashback trojan.

Yet two weeks ago I had following the instructions here. After concluding that my Mac is not infected, I disabled Java.

I don't understand how Flashback could have sneaked in, especially after my guard has been up after an Arstechnica article, but that no longer matters.

How do I find out what kind of damage might have already been done? Will one of the log files contain a trace of what has happened?

Best Answer

I'd be surprised if the logs told you anything useful.

If you're concerned, you could install one of the free AV products for the Mac. Do a full system scan to ensure that all traces of the trojan have been removed.

Related Solutions

Did the Java 1.6.0_31 update fix the Flashback trojan problem

It fixes the vulnerability that Flashback used to install itself; this Gizmodo article gives some more info to check:

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If you don't get that error message, well, time to head to F-Secure for your fix. If you're clean so far, you can move on to step eight:

8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

If you don't have any anti-virus protection enabled, you might want to check out the excellent (and free) Sophos Home Edition

Is the Mac infected with the Flashback trojan

You can follow these instructions from F-Secure to uninstall/remove the malware:

Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Take note of the value, DYLD_INSERT_LIBRARIES

Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

Take note of the value after "__ldpath__"

Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment`

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist`

Delete the files obtained in steps 2 and 5

Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
```
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
```

Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

Take note of the value after "__ldpath__"

Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

Finally, delete the files obtained in steps 9 and 11.

Update:

Apple has released an official tool for uninstalling the malware. Read about it and download it on this Apple KB page.

F-Secure has also released a removal tool, which you can download here.

Best Answer

Related Solutions

Did the Java 1.6.0_31 update fix the Flashback trojan problem

Is the Mac infected with the Flashback trojan

Update:

Related Question