Finding the Flashback Trojan for Macintosh


Macintosh computers have had an issue: the version of Java that Apple developed for the Mac has a serious flaw, which has been taken advantage of by the Flashback trojan horse.  If you visit an infected site, the trojan will install onto your Mac without prompting, grab your login credentials, and pass them on to a remote server.  It's been estimated that upwards of 600,000 Macs have been infected without the user knowing.

It's scary, as the majority of Macintosh users have been very lax when it comes to security for their Macs, since the Macintosh is generally a very secure platform.  Be that as it may, it's a concern as to what you can do about this issue.  PC Magazine has an article on what to do to take care of your computer.  Something else you can do is run a little shell script that checks for the known signs of the malware (it only reports what it finds; it does not remove anything), which is found here:

#!/bin/bash
# ================================================================================
# check-for-osx-flashback.K.sh
#
# Script to check system for any signs of OSX/Flashback.K trojan
# Checks are based on information from F-Secure's website:
# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
#
# Hannes Juutilainen, hjuutilainen@mac.com
#
# History:
# - 2012-04-03, Hannes Juutilainen, first version
# ================================================================================
# Note: the script uses bash features ([[ ]], $EUID, shopt), so it runs under bash.

# Check for root (reading other users' home directories needs it)
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# ================================================================================
echo "Checking /Applications/Safari.app/Contents/Info.plist for LSEnvironment key"
# ================================================================================
# Flashback adds an LSEnvironment dictionary to Safari's Info.plist so that a
# library is injected every time Safari launches. A clean Safari has no such key.
defaults read /Applications/Safari.app/Contents/Info LSEnvironment > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
    printf "%b\n\n" "===> WARNING: Found LSEnvironment in Safari Info.plist"
else
    printf "%b\n\n" "---> Not found"
fi

# ================================================================================
echo "Checking if /Users/Shared/.libgmalloc.dylib exists"
# ================================================================================
# The injected library is dropped as a hidden file in the shared user folder.
if [[ -f /Users/Shared/.libgmalloc.dylib ]]; then
    printf "%b\n\n" "===> WARNING: Found /Users/Shared/.libgmalloc.dylib"
else
    printf "%b\n\n" "---> Not found"
fi

# ================================================================================
echo "Checking /Users/*/.MacOSX/environment"
# ================================================================================
# A per-user environment.plist with DYLD_INSERT_LIBRARIES injects the library
# into every application that user launches, not just Safari.
shopt -s nullglob
USER_HOMES=/Users/*
for f in $USER_HOMES
do
    echo "---> Checking $f/.MacOSX/environment.plist"
    if [[ -f "$f/.MacOSX/environment.plist" ]]; then
        defaults read "$f/.MacOSX/environment" DYLD_INSERT_LIBRARIES > /dev/null 2>&1
        if [[ $? -eq 0 ]]; then
            printf "%b\n" "===> WARNING: Found DYLD_INSERT_LIBRARIES key in $f/.MacOSX/environment"
        fi
    fi
done
shopt -u nullglob
printf "%b\n\n" "---> Done"
exit 0

But the best way to take care of your computer is to download and install the free Sophos Home version of their anti-virus software for the Mac, which will eliminate the malware from your computer once it finishes its sweep.

And if you haven't already, download the new update to Java for the Mac.  It's free if you use Software Update (Apple menu -> Software Update).  That patches the hole and takes care of the issue.  Then change your login password.

So what lesson should we take from this?  Well, Macs, now that they are taking a more prominent place in the computer market, are becoming a target for software hackers.  Make sure you take appropriate measures to secure your computer.
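The shell script above only reports that an LSEnvironment or DYLD_INSERT_LIBRARIES key exists. When you are checking a machine, the next thing you want to know is which library that key would inject and whether it is still on disk. The following Python script is an added example; it is not part of the original post and not Hannes Juutilainen's code. It parses the same two plist locations with plistlib (so it reads both XML and binary plists and does not need the defaults tool), returns the colon-separated library list, and repeats the three checks against the live system. The function names and the sample plists at the bottom are this example's own constructions, not captured from a real infection; the file paths are the ones the post's script uses.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or Hannes Juutilainen's script):
parse the two plist locations the post's script checks and report which
library DYLD_INSERT_LIBRARIES would inject, instead of only noting that the
key exists. Function names and the sample plists are this example's own."""
import glob
import os
import plistlib
from typing import Dict, List

# Locations taken from the post's script (real macOS paths).
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENV_GLOB = "/Users/*/.MacOSX/environment.plist"
SHARED_DYLIB = "/Users/Shared/.libgmalloc.dylib"


def find_injected_libraries(plist_bytes: bytes, app_bundle: bool) -> List[str]:
    """Return the library paths named by DYLD_INSERT_LIBRARIES, or [] if none.

    app_bundle=True  : treat the data as an application Info.plist, where
                       launch-time variables live under the LSEnvironment dict.
    app_bundle=False : treat it as ~/.MacOSX/environment.plist, whose top-level
                       keys are the environment variables themselves.
    plistlib.loads accepts both XML and binary plists.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return []
    env = data.get("LSEnvironment", {}) if app_bundle else data
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES")
    if not isinstance(value, str):
        return []
    # dyld reads the variable as a colon-separated list of libraries.
    return [p for p in value.split(":") if p]


def scan_plist_file(path: str, app_bundle: bool) -> List[str]:
    """Read one plist from disk; a missing or unparsable file is 'no finding'."""
    try:
        with open(path, "rb") as fh:
            return find_injected_libraries(fh.read(), app_bundle)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return []


def scan_host() -> Dict[str, List[str]]:
    """Apply the checks from the post's script to this machine.

    Returns {location: [injected library paths]}; the dylib check maps the
    file path to itself when the file is present. An empty dict means that
    none of the indicators were found. On a non-macOS machine the paths do
    not exist, so the result is {}.
    """
    findings: Dict[str, List[str]] = {}
    libs = scan_plist_file(SAFARI_INFO_PLIST, app_bundle=True)
    if libs:
        findings[SAFARI_INFO_PLIST] = libs
    for env_plist in glob.glob(USER_ENV_GLOB):
        libs = scan_plist_file(env_plist, app_bundle=False)
        if libs:
            findings[env_plist] = libs
    if os.path.isfile(SHARED_DYLIB):
        findings[SHARED_DYLIB] = [SHARED_DYLIB]
    return findings


# --- Constructed sample plists (not captured from a real infection) ---
CLEAN_SAFARI_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
})
# LSEnvironment pointing at the hidden dylib path the post's script looks for.
TAMPERED_SAFARI_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "CFBundleExecutable": "Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": SHARED_DYLIB},
})
# Per-user environment.plist naming two libraries; the second is a placeholder.
TAMPERED_USER_ENV = plistlib.dumps({
    "DYLD_INSERT_LIBRARIES": SHARED_DYLIB + ":/tmp/placeholder.dylib",
})


if __name__ == "__main__":
    for label, blob, bundle in (
        ("clean Safari Info.plist", CLEAN_SAFARI_INFO, True),
        ("tampered Safari Info.plist", TAMPERED_SAFARI_INFO, True),
        ("tampered environment.plist", TAMPERED_USER_ENV, False),
    ):
        print(f"{label}: {find_injected_libraries(blob, bundle) or 'no injection'}")
    print("this host:", scan_host() or "no findings")
```

Run it as root on the Mac being checked so that every user's home directory is readable; the sample section at the bottom runs anywhere and shows the difference between a clean Info.plist and one carrying an LSEnvironment dictionary. Listing the library paths matters because they tell you what to hand to your anti-virus product or to delete once the injection keys have been removed.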