Ask Tim Carter

April 5, 2012

Apple Macs Infected by Flashback Trojan Bot

A peer of mine just notified me that Apple computers are possibly infected with a trojan virus.

You can read about it on Ars Technica for the details.

But more importantly, here's how you check your Mac to see if you are infected. Luckily I'm not.

The first step is to open your Applications icon. And then click Utilities at the bottom of the list. See in the next column Terminal? You need to click and open that. See image below.

When you open Terminal you're going to see a window that looks like what computers looked like back in 1984. There were no fancy graphics back then. It was just text on the screen and talk about intimidating! You had to enter in text commands to get the machine to do something. No mouses!

At the bottom of this post is an image of what the Terminal window should look like on your Mac. See it below the image of the Applications window screen shot?

Now, follow these exact instructions:

Copy and paste the below line into the Terminal window behind the cursor block, then press the "Enter" key:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

Hopefully, it will output the following line:


"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"


Next, copy and paste the below line into the Terminal window behind the cursor block, then press the "Enter" key:


defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


Hopefully, it will output the following line, with your own user name in place of joe:

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

If you do not get those exact output lines, you probably have an infection.
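The two checks above wrapped in one script, as an added example that is not part of the original post. It accepts any "does not exist" reply as clean regardless of the user name in the path, and reports a mistyped command or empty output as inconclusive rather than as an infection. The function names, the three verdict labels and the handling of empty output are assumptions of this example.

```shell
#!/bin/sh
# Added example: runs the two `defaults read` checks from the post and
# interprets the replies. Function names and verdict labels are hypothetical.

# classify_output TEXT -> prints clean | suspicious | inconclusive
classify_output() {
    case "$1" in
        "")                    echo inconclusive ;;  # nothing captured, rerun the check
        *"command not found"*) echo inconclusive ;;  # paste lost a character (e.g. "efaults")
        *"does not exist"*)    echo clean ;;         # key absent, whatever user name the path shows
        *)                     echo suspicious ;;    # a value is set where none is expected
    esac
}

# check_key DOMAIN KEY -> runs one check and prints its verdict
check_key() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo inconclusive   # not a Mac, or `defaults` is not on the PATH
        return
    fi
    # `defaults` exits non-zero when the key is absent, so ignore the status
    # and classify the text it printed instead.
    out=$(defaults read "$1" "$2" 2>&1) || true
    classify_output "$out"
}

# combine VERDICT1 VERDICT2 -> the more serious of the two verdicts
combine() {
    case "$1 $2" in
        *suspicious*)   echo suspicious ;;
        *inconclusive*) echo inconclusive ;;
        *)              echo clean ;;
    esac
}

flashback_check() {
    r1=$(check_key /Applications/Safari.app/Contents/Info LSEnvironment)
    r2=$(check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    echo "Safari LSEnvironment:            $r1"
    echo "User DYLD_INSERT_LIBRARIES:      $r2"
    echo "Overall:                         $(combine "$r1" "$r2")"
}

flashback_check
```

Save it to a file and run it with `sh` from the Terminal window; a verdict of suspicious corresponds to the "probably have an infection" case above.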

Go here for some help. Let's hope you're clean like I was.

Here are the screen shots of what I'm talking about:

applications.jpg

Here's what you should see when you click the Terminal application:

terminal.jpg

Posted by Tim Carter at April 5, 2012 2:43 PM


Comments

Paste it where?

Posted by: Marty at April 5, 2012 4:45 PM

Tim, thanks for the warning, however, I need to raise a little concern.
Virus / Trojan threats applicable to Mac OS, is not a typical email I would expect to receive from you. Given this, I never click on any link, until I know where the link goes. The email sent from you, but via aweber.com includes links that appear to have nothing to do with your blog. I realize they are likely redirects back to your blog, but it certainly can raise additional suspicion that the email did not come from you, but was spoofed.

Instead of clicking on any of the links, I did as I always do, did a google search for Ask Tim the Builder blog (in this case), then looked for the alert. Thanks again for posting the alert.

Posted by: Tom Anderson at April 5, 2012 5:07 PM

Thanks for the heads up! Good thing I'm clean.

Posted by: Rick Jimenez at April 5, 2012 5:25 PM

Lo & Behold: just as I read this Apple is (finally) pushing out a Java update which fixes the hole the trojan uses to get in.

Thanks for the heads up

Posted by: JetSet at April 5, 2012 6:01 PM

Tim:

Please remember a lot of people don't know computers like you do. Think about this relative to somebody not as up to speed like you are.

"Copy and paste the below line, then press the "enter" key:" Where does one paste this after they have copied it? I'm guessing in the Terminal window....not sure.

Posted by: Loren at April 5, 2012 6:06 PM

Thanks Tim, not infected!

Posted by: Gregg at April 5, 2012 10:45 PM

I checked my Apple out and everything is OK. Thanks for the heads up. I appreciate this kind of information just as much as the other information that you provide. Thank you.

Posted by: Gil at April 5, 2012 11:29 PM

I have been an Apple/Mac user since the Performa 600CD and
I can't figure out these directions.
I "clicked" on TERMINAL in the second column and an image
of a monitor appeared in column three.

On the monitor face upper left was a > then an underline _

SO, NOW what the hell am I supposed to do ????????

Posted by: Jim Lynde at April 6, 2012 12:01 AM

I also checked out my Apple and I am clean. To echo a previous comment, "I appreciate this kind of information just as much as the other information that you provide. Thank you."

Keep up the good work.

Posted by: Rush at April 6, 2012 10:24 AM

Jim, you had to double-click to open the terminal. You only clicked it once.

Me, I got the message "-bash: efaults: command not found
Barry-Stewarts-Mac-Pro:~ " on the second copy-paste.

As this is not exactly what Tim wrote: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"... I have a virus?

I hope not.

Posted by: Barry Stewart at April 6, 2012 11:40 AM

I copied and pasted both lines into the Terminal window and in both cases nothing was outputted. What do I do next? Does this mean my computer is infected? I clicked on "Go here" for help and it sounds like I should not attempt to do a manual removal. If I need it, where do I get professional technical assistance?

Posted by: roy viskupic at April 6, 2012 4:26 PM

I put the first line in and it gave me exactly what you said it should.

When I put the second line in it gave me /Users/(my name)/,etc. instead of /Users/joe/

Am I OK or in trouble??

Posted by: mark at April 7, 2012 11:25 AM

Thanks for the info. The directions couldn't have been easier.

Posted by: Ded at April 8, 2012 9:17 AM

This is the text I got.

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist.

Does that mean I'm infected?

Posted by: Charles at April 8, 2012 11:15 PM

I was researching this and found an easier way to check it out. Thanks for alerting us to this. It was forwarded to me by a friend.

https://github.com/jils/FlashbackChecker/wiki

Posted by: Michael at April 10, 2012 11:50 AM