Did the Java 1.6.0_31 update fix the Flashback trojan problem

javamalware

Is the recent Java update of OSX (Java for OS X Lion 2012-002) to 1.6.0_31 also a bug fix for the Flashback malware?

The update is described here as:

Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of
which may allow an untrusted Java applet to execute arbitrary code
outside the Java sandbox. Visiting a web page containing a maliciously
crafted untrusted Java applet may lead to arbitrary code execution
with the privileges of the current user. These issues are addressed by
updating to Java version 1.6.0_31. Further information is available
via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

Best Answer

It fixes the vulnerability that Flashback used to install itself; this Gizmodo article gives some more info to check:

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES
3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

If you don't get that error message, well, time to head to F-Secure for your fix. If you're clean so far, you can move on to step eight:

8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

If you don't have any anti-virus protection enabled, you might want to check out the excellent (and free) Sophos Home Edition

Related Solutions

How to fix broken Java header files

Try re-installing Java using this update. It is the Java Update for Snow Leopard. Hopefully that will fix the problems your seeing here.

Let us know if that works, if not we can do some more troubleshooting and help you out.

Security – How to Detect and Remove Flashback Trojan on Mac

You can follow these instructions from F-Secure to uninstall/remove the malware:

Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Take note of the value, DYLD_INSERT_LIBRARIES

Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

Take note of the value after "__ldpath__"

Run the following commands in Terminal (first make sure there is only one entry, from step 2):

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment`

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist`

Delete the files obtained in steps 2 and 5

Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:
```
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
```

Otherwise, run the following command in Terminal:

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

Take note of the value after "__ldpath__"

Run the following commands in Terminal:

defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

Finally, delete the files obtained in steps 9 and 11.

Update:

Apple has released an official tool for uninstalling the malware. Read about it and download it on this Apple KB page.

F-Secure has also released a removal tool, which you can download here.

Best Answer

Related Solutions

How to fix broken Java header files

Security – How to Detect and Remove Flashback Trojan on Mac

Update:

Related Question