Mac Users! Beware Flashback OSX Trojan!

April 7, 201

By Michele Yamazaki,

Yes, you read that right! A virus on the Mac. The last time I remember a big virus was Melissa in 1999.

This is a new Trojan Horse called Flashback. Last night my computer was acting up so I ran Disk First Aid, only to find that there was a strange mounted item that I did not have mounted – decryptedFile.dmg with the Adobe Flash Player installer. This is not really Adobe Flash Player Installer but a cleverly disguised virus.

Go launch Disk First Aid and see if it pops up for you. If it does, you are infected. Also, here is a script to check to see if you’re infected.

This is scary stuff!

As CNET blogger Topher Kessler explains, simply visiting a malicious Web site containing Flashback on an OS X system with Java installed will result in one of two installation routes. The malware will request an administrator password, and if one is supplied, it will install its package of code into the Applications folder. If a password is not offered, the malware will install to the user accounts where it can run in a more global manner.

What I did was trash the file and then update my system software. There’s a Java update/patch that you need. F-Secure has instructions on removal of the virus through Terminal.

Here are a few articles on it.

Click here for original article and updates…



Update: April 8, 2012


Apple’s Mac platform has long been promoted as safer than the competition, but as Mac sales and market share grow, it’s become a bigger target.

Nowhere is that clearer than with the Flashback Trojan, a gnarly piece of malware designed to steal personal information by masquerading as very mainstream browser plug-ins. Yesterday Russian antivirus company Dr. Web said that an estimated 600,000 Macs are now infected as a result of users unknowingly installing the software.

So here’s a quick FAQ on the Flashback Trojan, including information on what it is, how to tell if you have it, and steps you can take to get rid of it.

What exactly is Flashback?
Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications such as Skype. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnations, the software can install itself without user interaction.

An earlier version of the Flashback Trojan’s installer. (Credit: Intego)

When did it first appear?
Flashback as we know it now appeared near the end of September last year, pretending to be an installer for Adobe’s Flash, a widely used plug-in for streaming video and interactive applications that Apple no longer ships on its computers. The malware evolved to target the Java runtime on OS X, where users visiting malicious sites would then be prompted to install it on their machine in order to view Web content. More advanced versions would install quietly in the background with no password needed.

How did it infect so many computers?
The simple answer is that the software was designed to do exactly that. In its initial incarnation, the malware looked very similar to Adobe’s Flash installer. It didn’t help that Apple hasn’t shipped Flash on its computers for well over a year, arguably creating a pool of users more likely to run the installer in order to view popular Web sites that run on Flash. In its newer Java-related variants, the software could install itself without the user having to click on anything or provide it with a password.

What also didn’t help is the way that Apple deals with Java. Instead of simply using Java’s current public release, the company creates and maintains its own versions. As it turns out, the malware writers exploited one particular vulnerability that Oracle patched in February. Apple didn’t get around to fixing its own Java version until last week.

What has Apple done about it?
Apple has its own malware scanner built into OS X called XProtect. Since Flashback’s launch, the security tool has been updated — two times now — to identify and protect against a handful of Flashback variants.

A more recent version of the malware, however, got around XProtect by executing its files through Java. Apple closed off the malware’s main entry point with a Java update on April 3.

Of note, the Java security fixes are only available on Mac OS X 10.6.8 and later, so if you’re running OS X 10.5 or earlier, you will still be vulnerable. Apple has stopped supplying software updates for these operating systems.

How do I tell if I have it?
Right now the easiest way to tell if your computer has been infected is to go to Dr. Web’s online Web utility. It cross-checks your Mac’s unique hardware with its own database of machines that have been compromised. If it doesn’t find your machine, you’re in the clear.

Alternately, you can run a trio of commands in Terminal, a piece of software you’ll find in the Utilities folder in your Mac’s Applications folder. If you want to find it without digging, just do a Spotlight search for “Terminal.”

Once there, copy and paste each one of the code strings below into the terminal window. The command will run automatically:

defaults read /Applications/ LSEnvironment
defaults read /Applications/ LSEnvironment
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If your system is clean, the commands will tell you that those domain/default pairs “does not exist.” If you’re infected, it will spit up the path for where that malware has installed itself on your system.
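The checks above can be wrapped in a small shell script that interprets the replies instead of leaving you to read them. This is an added example, not code from CNET, F-Secure or the original post; the function names check_pair and flashback_scan are made up here, and the browser domains are passed in as arguments because the application paths are cut off in the commands above.

```shell
#!/bin/sh
# Added example: automates the "defaults read" checks from the FAQ above.
# A "does not exist" reply is treated as clean; any returned value is a finding.

# check_pair DOMAIN KEY
# Return codes: 0 = clean, 1 = could not tell, 2 = a value is present.
check_pair() {
    # Capture stdout and stderr together; keep the exit status without
    # letting a failing command abort the script under "set -e".
    if out=$(defaults read "$1" "$2" 2>&1); then status=0; else status=$?; fi

    if [ "$status" -eq 0 ] && [ -n "$out" ]; then
        # The key exists: its value is the path the FAQ says to look for.
        echo "FOUND: $1 $2 = $out"
        return 2
    fi
    case "$out" in
        *"does not exist"*)
            echo "clean: $1 $2"
            return 0 ;;
    esac
    # Any other failure (unreadable file, tool missing) is not proof of clean.
    echo "unknown: $1 $2 ($out)"
    return 1
}

# flashback_scan [INFO_DOMAIN ...]
# INFO_DOMAIN values are supplied by the caller, taken from the removal
# guide being followed. The per-user environment file is always checked.
# Returns the most serious code seen: 2 beats 1 beats 0.
flashback_scan() {
    worst=0
    for domain in "$@"; do
        rc=0
        check_pair "$domain" LSEnvironment || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    rc=0
    check_pair "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    return "$worst"
}
```

A return code of 1 means a check could not be completed, so it should be rerun or done by hand rather than read as a clean result.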

Uh oh, I have it. How do I remove it?
CNET’s Topher Kessler provides a step-by-step guide on how to remove Flashback from your Mac. This process also requires hopping into Terminal and running those commands, then tracking down where the infected files are stored, then manually deleting them.

Security firm F-Secure has also posted a similar Flashback-removal walkthrough. There are also likely to be removal tools built into Mac antivirus/malware programs in the near future.

For good measure, it’s also a good idea to change your online passwords at financial institutions and other secure services that you may have used while your computer was compromised. It’s unclear if this data was being targeted, logged and sent as part of the attack, but it’s a smart preventative behavior that’s worth doing on a regular basis.

So now that fixes are here, am I safe?
In a word, no. The Flashback authors have already shown themselves inclined to keep altering the malware to sidestep new security fixes.

CNET’s advice is primarily to download any software only from trusted sources. That includes the sites of known and trusted software makers, as well as secured repositories such as CNET’s Also, as another rule of thumb, it’s a good idea to keep third-party add-ons as up to date as possible so as to stay current with any security updates. If you want to stay even safer, stay away from Java and other system add-ons unless they’re needed by a trusted piece of software or a Web service.

CNET blogger Topher Kessler contributed to this report.

Updated at 1:40 p.m. PT with updated removal instructions. Updated again on April 6 at 7:44 a.m. PT with info on a second update from Apple. Updated once more on April 6 at 1:55 p.m. PT with information about Dr. Web’s Web-based detection utility.

