Flashback trojan reportedly controls half a million Macs and counting

Dogbreath · Apr 6, 2012

Thanks Doug...Sorry, but I did freakout...but for good reason...although results showed I'm healthy and clean. I have the skills to remedy an infection, I just didn't want to deal with the hassle and I have a lot to lose if someone were to gain access to what's in the box that Carroll Meryl is holding.

RavingMac · Apr 6, 2012

Well, my MBP is clean . . . now to test the others.

Chuckoir · Apr 6, 2012

I'm clean!

So is my Mac!

dtravis7 · Apr 6, 2012

All MAC here clean!

RavingMac · Apr 6, 2012

Three for three . . . all clean.

Doug b · Apr 6, 2012

Well, Dogbreath.. (I really like calling someone that) the thing is that I don't think anyone has actually seen or experienced the consequences of said "infection", so one shouldn't assume what the outcome would be. That said, everyone and their mom should be backing up their data (not just via Time Machine) redundantly, and on a regular basis.

Which reminds me, I need to buy a new external!

Doug

RavingMac · Apr 6, 2012

Doug b said:
Well, Dogbreath.. (I really like calling someone that) the thing is that I don't think anyone has actually seen or experienced the consequences of said "infection", so one shouldn't assume what the outcome would be. That said, everyone and their mom should be backing up their data (not just via Time Machine) redundantly, and on a regular basis.

Which reminds me, I need to buy a new external!

Doug

I was just going to post the question, "Has anybody on this Forum seen the infection, or even know someone who has?"

Just curious now.

Stretch · Apr 6, 2012

I did the check, just for the heck of it. Didn't really need to since I have Little Snitch installed. Came back clean.

McBie · Apr 7, 2012

Razormac said:
I was just going to post the question, "Has anybody on this Forum seen the infection, or even know someone who has?"

Just curious now.

That is why I posted earlier on that the results of the malware are not clear and as far as I can tell, there are no results.
That is why I called this a proof of concept ... a step by step approach and see how far they can get.
That is also why the articles in the press and magazines made me smile ..... 600000 infections ... right .... what does that mean then ..... how many of those actually yielded any results .... and where does the 600000 comes from ?
Is someone counting numbers ?

In my mind, there is not so much to worry about, only that people now understand that the OS X platform is not only on the radar, it is now also a chosen target.

A few simple behaviors will keep the risk level actually low. ( The vulnerabilities are outside of our control )

Cheers ... McBie

ursus262 · Apr 7, 2012

I'm clean

mattg3 · Apr 7, 2012

Im clean.Just told me files do not exist but did not say anything like domain/default pair of does not exist

vansmith · Apr 7, 2012

I think I may have noticed a flaw in the F-Secure article (here). I noticed that in the Ars article (here) covering the malware, they check the Safari and Firefox app bundles which made me think that this malware modifies the app bundle for the browser used by the user and not necessarily Safari itself. I never use Safari so I imagine that checking the Safari app bundle is utterly useless if this is the case.

Does anyone know if the malware modifies Safari and/or Firefox regardless or does it modify the browser used when the malware was installed on the machine?

RavingMac · Apr 7, 2012

Okay, I just checked Firefox on all three Macs (my browser of choice) and still clean.

mattg3 · Apr 7, 2012

Did you type in a different command in terminal to check firefox or just the two that have already been listed in this thread?

alexsd123 · Apr 7, 2012

I am clean, but I have to now check up on the less wary Mac users that I know. I have a feeling I know someone who caught this--same person that caught the Mac Defender or whatever it was called.

vansmith · Apr 7, 2012

mattg3 said:
Did you type in a different command in terminal to check firefox or just the two that have already been listed in this thread?

Replace:

Code:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

in the steps above to check your machine with the following:

Code:

defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

mattg3 · Apr 7, 2012

thanks,Firefox is clean

Semanon · Apr 8, 2012

All the comments I am sure make sense to sophisticated MAC users. I am a new MACBookPro user. There is no way I can make sense of any of the comments above. How will I know if my MACBook has been infected? I have no idea how to use the terminal or what not.

Many of us are not expert MAC users.

Semanon · Apr 8, 2012

Terminal

How does one use the terminal? I opened it up, and it says:

Last login: Sun Apr 8 01:44:07 on ttys000
MYName-MacBook-Pro:~ mynames$ ..

Now what do I do?

I also see members writing that they checked their browsers, ie Firefox. How would I do that?

Do you think it might be better for me to call Apple and talk to a tech?

madwolfe · Apr 8, 2012

Semanon said:
All the comments I am sure make sense to sophisticated MAC users. I am a new MACBookPro user. There is no way I can make sense of any of the comments above. How will I know if my MACBook has been infected? I have no idea how to use the terminal or what not.

Many of us are not expert MAC users.

It is kind of like one of those make your own adventure books, if you follow the article here
To run commands in Terminal, open up Terminal (Applications/Utilities or a Spotlight search) and then it is merely a case of copying and pasting. So first we run

Code:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

by using cmd+c and then cmd+v into Terminal.
If you get an error message, you can skip straight to step 8 (Hope that you get one).
All you have to do is follow the instructions on the websitr linked.

I use Terminal all the time but I must admit to you that I understand very little.

You should be clean if you don't willy-nilly put in the admin password for everything that asks for it however if you do find you are infected, ask here for a walkthrough if you need.

Flashback trojan reportedly controls half a million Macs and counting

Dogbreath

RavingMac

Well-known member

Chuckoir

dtravis7

RavingMac

Well-known member

Doug b

RavingMac

Well-known member

Stretch

McBie

ursus262

mattg3

vansmith

Senior Member

RavingMac

Well-known member

mattg3

alexsd123

vansmith

Senior Member

mattg3

Semanon

Semanon

madwolfe

Shop Amazon