April 5, 2012
Apple Macs Infected by Flashback Trojan Bot
A peer of mine just notified me that Apple computers are possibly infected with a trojan virus.
You can read the details on Ars Technica.
But more importantly, here's how you check your Mac to see if you are infected. Luckily I'm not.
The first step is to open your Applications icon. And then click Utilities at the bottom of the list. See in the next column Terminal? You need to click and open that. See image below.
When you open Terminal you're going to see a window that looks like what computers looked like back in 1984. There were no fancy graphics back then. It was just text on the screen and talk about intimidating! You had to enter in text commands to get the machine to do something. No mouses!
At the bottom of this post is an image of what the Terminal window should look like on your Mac. See it below the image of the Applications window screen shot?
Now, follow these exact instructions:
Copy and paste the below line into the Terminal window behind the cursor block, then press the "Enter" key:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
Hopefully, it will output the following line:
"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"
Next, copy and paste the below line into the Terminal window behind the cursor block, then press the "Enter" key:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
Hopefully, it will output the following line (with your own user name in place of "joe"):
"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"
If you do not get those exact output lines, you probably have an infection.
Go here for some help. Let's hope you're clean like I was.
Here are the screen shots of what I'm talking about:
Here's what you should see when you click the Terminal application:
Posted by Tim Carter at April 5, 2012 2:43 PM
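The two checks above as one script, an added example that is not part of the original post. It treats the "does not exist" message as the clean result whatever user name appears in the path, and reports empty output or a mistyped command as a check to rerun rather than as an infection; the function names are this example's own.

```bash
#!/bin/bash
# Added example: interprets the two `defaults read` checks from the post.

# Classify the text one check printed (stdout and stderr combined).
classify_check() {
    case "$1" in
        *"does not exist"*)         echo clean ;;       # key absent; path and user name may differ
        "" | *"command not found"*) echo rerun ;;       # nothing printed, or the command was mistyped
        *)                          echo suspicious ;;  # the key holds a value: seek help
    esac
}

# Combine per-check results: any "suspicious" wins, then any "rerun".
overall_verdict() {
    local verdict=clean r
    for r in "$@"; do
        case "$r" in
            suspicious) verdict=suspicious ;;
            rerun) if [ "$verdict" = clean ]; then verdict=rerun; fi ;;
        esac
    done
    echo "$verdict"
}

# Run both checks exactly as given in the post and print the results.
run_checks() {
    local r1 r2
    r1=$(classify_check "$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1)")
    r2=$(classify_check "$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2>&1)")
    echo "Safari LSEnvironment:       $r1"
    echo "User DYLD_INSERT_LIBRARIES: $r2"
    echo "Overall:                    $(overall_verdict "$r1" "$r2")"
}

# `defaults` only exists on macOS; do nothing on other systems.
if command -v defaults >/dev/null 2>&1; then
    run_checks
fi
```

A "suspicious" result means only that the key exists and should be looked at, as the post says; "rerun" means the check did not produce a usable answer.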
Tim, thanks for the warning, however, I need to raise a little concern.
Virus / Trojan threats applicable to Mac OS are not a typical email I would expect to receive from you. Given this, I never click on any link until I know where the link goes. The email sent from you, but via aweber.com, includes links that appear to have nothing to do with your blog. I realize they are likely redirects back to your blog, but it certainly can raise additional suspicion that the email did not come from you, but was spoofed.
Instead of clicking on any of the links, I did as I always do: did a Google search for Ask Tim the Builder blog (in this case), then looked for the alert. Thanks again for posting the alert.
Thanks for the heads up! Good thing I'm clean.
Lo & Behold: just as I read this, Apple is (finally) pushing out a Java update which fixes the hole the trojan uses to get in.
Thanks for the heads up
Please remember a lot of people don't know computers like you do. Think about this relative to somebody not as up to speed like you are.
"Copy and paste the below line, then press the "enter" key:" Where does one paste this after they have copied it? I'm guessing in the Terminal window....not sure.
Thanks Tim, not infected!
I checked my Apple out and everything is OK. Thanks for the heads up. I appreciate this kind of information just as much as the other information that you provide. Thank you.
I have been an Apple/Mac user since the Performa 600CD and
I can't figure out these directions.
I "clicked" on TERMINAL in the second column and an image
of a monitor appeared in column three.
On the monitor face upper left was a > then an underline _
SO, NOW what the hell am I supposed to do ????????
I also checked out my Apple and I am clean. To echo a previous comment, "I appreciate this kind of information just as much as the other information that you provide. Thank you."
Keep up the good work.
Jim, you had to double-click to open the terminal. You only clicked it once.
Me, I got the message "-bash: efaults: command not found
Barry-Stewarts-Mac-Pro:~ " on the second copy-paste.
As this is not exactly what Tim wrote: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"... I have a virus?
I hope not.
I copied and pasted both lines into the Terminal window and in both cases nothing was outputted. What do I do next? Does this mean my computer is infected? I clicked on "Go here" for help and it sounds like I should not attempt to do a manual removal. If I need it, where do I get professional technical assistance?
I put the first line in and it gave me exactly what you said it should.
When I put the second line in it gave me /Users/(my name)/,etc. instead of /Users/joe/
Am I OK or in trouble??
Thanks for the info. The directions couldn't have been easier.
This is the text I got.
The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist.
Does that mean I'm infected?